From: "Brian Dennis"
To: "Cham"
Date: Fri, 25 Nov 2005 14:12:41 -0500
Subject: RE: Reflexive ACL - IE LAB2 Q10.8-10

What does a reflexive ACL do? Reflexive ACLs watch the packet (reflect) and allow it to return (evaluate). When a packet is reflected, the mirror image of that packet must be the one that returns. If it is not, then it cannot be properly evaluated. Reflexive ACLs do not work for any traffic that does not behave in this straightforward manner. Standard FTP and TFTP are examples of applications that do not work in this straightforward manner of a mirror image of the packet returning.

In Cisco's IOS implementation of traceroute, the first packet sent out is a UDP packet destined to port 33434, but the packet sent back by the routers in the path is an ICMP time-exceeded when the TTL is decremented to 0. Finally, in Cisco's implementation the final destination sends an ICMP port-unreachable.

So now that we understand how traceroute is implemented by Cisco IOS and how reflexive ACLs work, we know that we need to "statically" permit ICMP time-exceeded and ICMP port-unreachable in order for traceroute to work. :
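The configuration below is an added example illustrating the point made above; it is not part of the original message or of the lab answer key. It shows the reflexive ACL pair (reflect on the outbound ACL, evaluate on the inbound ACL) together with the two static ICMP permits. The interface name, the ACL names OUTBOUND, INBOUND and TRAFFIC, and the inside network 10.1.1.0/24 are assumptions for illustration only.

```cisco
! Added example, not from the original post. Interface, ACL names and the
! inside network 10.1.1.0/24 are assumed for illustration.
!
! Optional: idle timeout for reflected entries (IOS default is 300 seconds)
ip reflexive-list timeout 120
!
! Outbound traffic is "reflected": each permitted session creates a
! temporary mirror-image entry (protocol, addresses and ports swapped)
! in the reflexive list TRAFFIC.
ip access-list extended OUTBOUND
 permit tcp any any reflect TRAFFIC
 permit udp any any reflect TRAFFIC
 permit icmp any any reflect TRAFFIC
!
! Inbound traffic is "evaluated" against those temporary entries.
! The ICMP time-exceeded from intermediate hops and the ICMP
! port-unreachable from the final destination are not mirror images of
! the outbound UDP probe (different protocol, no UDP ports in the outer
! header), so they never match the reflexive list and must be permitted
! statically. They are placed before evaluate so they hit first.
ip access-list extended INBOUND
 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.1.1.0 0.0.0.255 port-unreachable
 evaluate TRAFFIC
 deny ip any any log
!
interface Serial0/0
 description Link to the outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

To check it, run traceroute from an inside host and look at `show ip access-lists TRAFFIC` while it runs: the temporary entries are UDP entries keyed on the probe's source port and the 33434+ destination ports, and no ICMP entry ever appears for the replies. Without the two static permits, the replies fall through to the final `deny ip any any log` line and traceroute shows only timeouts. Note that the reflexive ACL matches only the outer IP header of the returning packet; it does not look at the original UDP header embedded inside the ICMP error, which is why the static permits are needed.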