
reflexive ACL

att-sgcops
Level 1

I want to configure a reflexive ACL to block traffic initiated from outside. Once I configured it on the interface, I found that the OSPF and BGP neighbor relationships were not able to establish because of this. I added a few permit commands for OSPF and BGP, which also did not help. Can someone help me resolve this?

R2--inside network--R1(41.41.41.1)--outside network--(41.41.41.4)R4

configuration on R1:

______________________________________

ip access-list extended chu
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn

ip access-list extended jing
 evaluate conn

interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out

______________________________________

Accepted Solution

Hello,

This configuration will not work.

I think you might take a closer look at how reflexive ACLs work.

You need to have traffic flowing first in order to "reflect" (i.e. create an ACL entry permitting the traffic in the opposite direction).

The only traffic that will "work" is traffic originated inside. When it goes out, a reflected ACL entry will be created permitting it to come back.

But traffic originated outside will never be permitted, unless you create an ACL entry for it.

So, if the traffic is coming from the other routers (OSPF and BGP traffic), originated by the other routers, this configuration will not work.

Take a look at this example: usually traffic between routers (routing traffic) is permitted and other TCP traffic is reflected (the same is valid for ICMP packets).

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic

HTH,

if it does, please rate this post.

vlad
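The accepted answer's example permits EIGRP inbound and reflects only TCP. The following is an added example for this thread, not a configuration posted by either participant: the same pattern applied to R1's Serial0 in the topology from the question, with the neighbor address 41.41.41.4 taken from the question, the ACL names chu/jing kept from the post, and the 120-second timeout assumed. Routing-protocol traffic that R4 originates (OSPF hellos, and a BGP session that either side may open) is permitted statically and scoped to the neighbor instead of "any any"; everything the inside network initiates comes back through the reflexive entries. The follow-up ping from R1 itself is also covered: packets the router generates are not run through the outbound ACL, so they never create a reflexive entry, and the echo-reply has to be permitted statically.

```cisco
! Added example for the thread above; not from the original post.
! Assumptions: neighbor 41.41.41.4 (from the question), ACL names from the
! post, 120 s reflexive timeout. Verified syntax only; adjust to your IOS.
!
ip reflexive-list timeout 120
!
ip access-list extended chu
 remark -- outbound: transit traffic from the inside creates reflexive entries
 permit tcp any any reflect conn
 permit udp any any reflect conn
 permit icmp any any reflect conn
!
ip access-list extended jing
 remark -- inbound: static permits for traffic the outside router originates
 remark OSPF hellos/LSAs from the neighbor (point-to-point links use 224.0.0.5)
 permit ospf host 41.41.41.4 any
 remark BGP: either router may open the TCP/179 session, so allow both cases
 permit tcp host 41.41.41.4 host 41.41.41.1 eq bgp
 permit tcp host 41.41.41.4 eq bgp host 41.41.41.1
 remark replies to pings sourced by R1 itself; router-generated packets do not
 remark pass the outbound ACL, so no reflexive entry exists for them
 permit icmp host 41.41.41.4 host 41.41.41.1 echo-reply
 remark return traffic for sessions the inside network initiated
 evaluate conn
 remark implicit deny ip any any: anything else initiated from outside is dropped
!
interface Serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
```

After applying it, `show ip ospf neighbor` and `show ip bgp summary` on R1 should show the adjacency and session up independently of any reflexive state, and `show ip access-lists` will list temporary entries under "Reflexive IP access list conn" only after a host behind R2 has sent traffic out through Serial0. Keeping the static permits scoped to host 41.41.41.4 is deliberate: a `permit tcp any any eq bgp` inbound would let any outside address attempt TCP connections to port 179 on R1 and on every inside host.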


2 Replies

att-sgcops
Level 1

I also changed the config to:

interface serial0
 ip address 41.41.41.1 255.255.255.0
 ip access-group jing in
 ip access-group chu out
end

ip access-list extended chu
 permit icmp any any reflect conn
 permit icmp any any echo reflect conn
 permit icmp any any echo-reply reflect conn
 permit tcp any any eq bgp reflect conn
 permit ospf any any reflect conn

ip access-list extended jing
 evaluate conn
 permit ospf any any
 permit tcp any any eq bgp

When I ping from R1 to R4, I get a timeout; R4 is not reachable.

