reflexive ACL

I want to configure a reflexive ACL to block traffic initiated from outside. Once I configured it on the interface, I found the OSPF and BGP neighbor relationships were not able to establish because of this. I added a few permit commands for OSPF and BGP, which also did not help. Can someone help me resolve this?

R2--inside network--R1(41.41.41.1)--outside network--(41.41.41.4)R4

configuration on R1:

______________________________________
ip access-list extended chu
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn
ip access-list extended jing
 evaluate conn
interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
______________________________________

ACCEPTED SOLUTION

Re: reflexive ACL

Hello,

This configuration will not work.

I think you might take a closer look at how reflexive ACLs work.

You need to have traffic flowing first in order to "reflect" (i.e. create an ACL permitting the traffic in the opposite direction).

The only traffic that will "work" is traffic originated inside. When it goes out, a reflected ACL will be created permitting it to come back.

But traffic originated outside will never be permitted, unless you create an ACL for it.

So, if the traffic is coming from the other routers (OSPF and BGP traffic), originated by the other routers, this configuration will not work.

Take a look at this example: usually traffic between routers (routing traffic) is permitted and other TCP traffic is reflected (the same is valid for ICMP packets).

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

HTH,

if it does, please rate this post.

vlad
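The mechanism vlad describes, as an added Python model that is not from the thread or from Cisco: an outbound packet matching a `reflect` line creates a temporary mirror-image entry with a timeout, the inbound `evaluate` line matches only those entries, and anything else inbound needs a static permit or hits the implicit deny. The inside host 10.1.1.10, the source ports and the timestamps are constructed; `scenario()` replays the thread's topology against the original `jing` list (evaluate only) and against one extended with static OSPF/BGP permits.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp", "icmp", "ospf", ...
    src: str
    dst: str
    sport: int = 0    # 0 = protocol has no port
    dport: int = 0

@dataclass
class ReflexiveList:
    """Temporary entries created by 'reflect', consulted by 'evaluate'."""
    timeout: int = 300
    entries: dict = field(default_factory=dict)   # mirrored Pkt -> expiry time
    def reflect(self, p: Pkt, now: int) -> None:
        # The temporary entry is the mirror image of the outbound packet.
        self.entries[Pkt(p.proto, p.dst, p.src, p.dport, p.sport)] = now + self.timeout
    def evaluate(self, p: Pkt, now: int) -> bool:
        exp = self.entries.get(p)
        return exp is not None and now < exp

def outbound_acl(p, reflect_protos, rl, now) -> bool:
    """'permit <proto> any any reflect <name>' per listed protocol, then implicit deny."""
    if p.proto in reflect_protos:
        rl.reflect(p, now)
        return True
    return False

def inbound_acl(p, static_permits, rl, now) -> bool:
    """Static 'permit <proto> any any [eq <port>]' lines plus 'evaluate <name>', then implicit deny."""
    for proto, dport in static_permits:
        if p.proto == proto and dport in (0, p.dport):
            return True
    return rl.evaluate(p, now)

def scenario(static_inbound):
    """Replay the thread's topology (R1 41.41.41.1 <-> R4 41.41.41.4) against one inbound ACL."""
    rl, out_protos = ReflexiveList(timeout=120), {"tcp", "icmp"}
    # Constructed inside host 10.1.1.10 (behind R2) opens a TCP session to R4 at t=0.
    outbound_acl(Pkt("tcp", "10.1.1.10", "41.41.41.4", 40000, 80), out_protos, rl, 0)
    reply = Pkt("tcp", "41.41.41.4", "10.1.1.10", 80, 40000)
    return {
        "reply_to_inside_session": inbound_acl(reply, static_inbound, rl, 1),
        # R4 originates these itself; nothing left R1 outbound to reflect them.
        "bgp_from_r4": inbound_acl(Pkt("tcp", "41.41.41.4", "41.41.41.1", 50000, 179), static_inbound, rl, 1),
        "ospf_hello_from_r4": inbound_acl(Pkt("ospf", "41.41.41.4", "224.0.0.5"), static_inbound, rl, 1),
        "reply_after_timeout": inbound_acl(reply, static_inbound, rl, 200),   # 120 s timeout elapsed
    }

ORIGINAL_JING = []                         # the poster's list: only 'evaluate conn'
FIXED_JING = [("ospf", 0), ("tcp", 179)]   # plus static permits for the routing protocols
```

Only the reply to the inside-initiated session passes the original list; the neighbor's BGP and OSPF packets pass only once the static permits are present, and the reflected entry itself expires with the timeout.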

2 REPLIES

Re: reflexive ACL

I also changed the config to:

interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
end

ip access-list extended chu
 permit icmp any any reflect conn
 permit icmp any any echo reflect conn
 permit icmp any any echo-reply reflect conn
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn
ip access-list extended jing
 evaluate conn
 permit ospf any any
 permit tcp any any eq bgp

When I ping from R1 to R4, I get a timeout, not reachable.

