Saturday, October 18, 2008

Reflexive ACL and PING

Following on from the 'Reflexive ACL and Traceroute' post, I now look at some anomalies I found when generating locally sourced traffic on the router carrying the reflexive ACL.

When I try a ping from R3 to BB1 (transit traffic through R6) everything works as expected.

R3#P 200.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/546/1148 ms


When I try a ping from R6 itself to BB1 the same cannot be said...

R6#P 200.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


This can be explained because locally generated traffic is not evaluated by the outbound ACL on the router's own interface, so the reflect statement never creates the temporary entry that the returning echo-reply would be matched against on the way back in. If it is a requirement for locally sourced pings to succeed this leaves a small problem. In this post I offer two solutions to it.

The first is simply to allow icmp any any echo-reply on the inbound ACL, effectively circumventing the reflexive ACL logic for that traffic.

The second solution ensures locally generated traffic 'flows through' the same reflexive ACL logic by 'fooling' the router into treating this traffic as if it had been received on an interface rather than originated locally.

ip access-list extended LOCAL
 permit tcp any any
 permit icmp any any
!
route-map LOCAL
 match ip address LOCAL
 set interface Loopback0
!
ip local policy route-map LOCAL
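To show both solutions in context, here is a complete configuration for R6 that I have added as an example; it is not the configuration from the original post or the earlier 'Reflexive ACL and Traceroute' post. The outside interface name (Serial0/0) and the ACL and reflexive list names (OUTBOUND, INBOUND, MIRROR) are assumptions; LOCAL, Loopback0 and the route-map are taken from the post above.

```cisco
! Added example, not the post's own config. Assumes the interface facing
! BB1 is Serial0/0 and that OUTBOUND, INBOUND and MIRROR are unused names.
!
! Outbound ACL: every transit flow that leaves creates a temporary
! reverse entry in the reflexive list MIRROR.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
! Inbound ACL: only traffic that matches a MIRROR entry is admitted.
ip access-list extended INBOUND
 evaluate MIRROR
 deny ip any any log
!
interface Serial0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Solution 1 (simpler but weaker): admit echo-replies from anywhere so the
! router's own pings succeed. The reflexive state check is bypassed for
! this traffic, so unsolicited echo-replies from any source are accepted
! too; shown commented out so it is not applied alongside solution 2.
! ip access-list extended INBOUND
!  permit icmp any any echo-reply
!  evaluate MIRROR
!  deny ip any any log
!
! Solution 2 (from the post): policy-route locally generated packets via
! Loopback0. They are re-injected as if received on that interface and
! then forwarded out Serial0/0, where the reflect statements in OUTBOUND
! create the MIRROR entry that the returning traffic is evaluated against.
ip access-list extended LOCAL
 permit tcp any any
 permit icmp any any
!
route-map LOCAL permit 10
 match ip address LOCAL
 set interface Loopback0
!
ip local policy route-map LOCAL
```

With solution 2 applied, a ping from R6 to 200.1.1.1 followed by `show ip access-lists MIRROR` should list a temporary icmp entry from 200.1.1.1 back to R6's source address while the session is active, which is the check that the locally sourced packet really did pass the outbound reflect statement. Note that `permit tcp any any` in LOCAL policy-routes every locally sourced TCP session through Loopback0, not just telnet, so narrowing that ACL to the flows that actually need it limits side effects on the router's other sessions.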


I now try the ping test again....

R6#P 200.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/256/684 ms


Additionally, since I matched locally generated TCP traffic as well, I also test a locally sourced telnet session:

R6#telnet 200.1.1.1
Trying 200.1.1.1 ... Open
