INE Vol 1- IOS F/w revision
Posted by TacAck in CCIE-Security on June 16th, 2010
Hello all!
I have good and some not-so-good config days, but yesterday was definitely a GREAT day!
After my bad experience with IPX Vol 1 Lab 2A, I decided to go back to INE Vol 1 IOS F/w and revise that.
I started my rack session at 17:30 IST and I could get this done by around 20:00 IST. For me, that's pretty good speed. More importantly, I learned some more new stuff which I want to share here:
- When configuring CBAC or reflexive ACLs, we all know that the only traffic permitted back in is traffic matching a session that was created by an outbound connection. Now, how does that affect routing traffic? Will routing advertisements be allowed in from the outside? Traffic the router originates itself (its own routing updates) does not get inspected, so no session is created and the neighbours' advertisements are blocked inbound. For that we use a workaround. Our goal is to permit the traffic from the outside, and the only way that's possible is to somehow create a session in the router so that the return traffic (the routing advertisements) is permitted. For this we take all the routing traffic originated by the router and policy-route it out a Loopback interface. The routing traffic heading out is then treated as if it came in from the inside (the loopback, here), so it is inspected and an inspect session is opened. This automatically permits the return traffic. Here is how you do it:
ip access-list extended RIP_TRAFFIC
 permit udp any any eq rip
!
route-map RIP_TRICK permit 10
 match ip address RIP_TRAFFIC
 set interface Loopback0
!
! Apply the route-map to router-originated traffic, otherwise it is never policy-routed
ip local policy route-map RIP_TRICK
Generally, the question will be worded as follows: "Ensure that routing updates are not disrupted by all this config" (or) "Ensure that control plane traffic remains unaffected". Sometimes the issue can be solved by using just an ACL on the interface, but sometimes it's a little more complicated than that. So watch out for those.
- In case of ZBPF, 2 things to keep in mind:
- If you have to configure traffic policing between 2 zones, along with the "police" command in the policy-map, also specify the "inspect" action in the same class. Otherwise it will not work: inspect is required for police to work. Also, the police action is not allowed on a zone-pair that has the "self" zone as a member.
- I would also suggest that you go through the different types of parameter maps that are possible in ZBPF. They are interesting, and there's a good chance they might be asked in the lab if they want to make ZBPF more complicated.
- Also, every time I do ZBPF, I use the diagrammatic approach that I blogged about earlier. Do check it out if you have the time. Hope it helps.
Also, any suggestions are welcome!
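To make the policing point concrete, here is a constructed ZBPF configuration (an added example, not a config from the post or from INE) in which the police action sits in the same class as inspect on a zone-pair between two ordinary zones, so both conditions from the list above are met. Zone, class-map and policy-map names, the interface names and the rate/burst values are all assumptions.

```cisco
! Constructed example: ZBPF policing between two zones.
! police only works alongside inspect in the same class, and a zone-pair
! that includes the self zone would not accept the police action at all.
zone security INSIDE
zone security OUTSIDE
!
class-map type inspect match-any CM_IN_TO_OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_IN_TO_OUT
 class type inspect CM_IN_TO_OUT
  inspect
  police rate 256000 burst 16000
 class class-default
  drop log
!
! Neither zone is the self zone, so the policy with police is accepted here
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM_IN_TO_OUT
!
interface FastEthernet0/0
 description inside (assumed)
 zone-member security INSIDE
!
interface FastEthernet0/1
 description outside (assumed)
 zone-member security OUTSIDE
```

The police rate is in bits per second and the burst in bytes. If you remove the inspect line from the class, the police line is no longer valid for that class, which is exactly the gotcha described above; drop log on class-default is what lets you see in the log when traffic you meant to match falls through to the default class.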
Ok, for the first time, I'm going to have a contest here.
Well, it's actually a little too simple to be called a "contest", but what the heck!
Here are the configs for a transparent ZBPF config.
Every time I try pinging R2 from R1, the packets are getting dropped. I checked the configs and I noticed that although I have the match protocol icmp command, it's dropping the packets as they are heading to the class-default class and getting dropped. I was facing this issue yesterday, and Ryan Schuett pointed out the issue in 20 seconds.
Good luck!
Today I'm going to revisit IPX Lab 2A. This time with a vengeance.
Cheers,
TacACK
