Re: CBAC and reflexive ACL

From: Peter (peter@cyscoexpert.com)
Date: Mon Apr 28 2003 - 10:30:46 GMT-3


Reflexive access-lists only open holes in access-lists for return traffic of
one-channel applications (e.g. telnet, web) or passive FTP (2-channel). Only
layer 3 and 4 information is read in a packet.
CBAC does the same thing (opens holes for return traffic) but also works
with multi-channel apps (e.g. both FTP types, multimedia). CBAC inspects the
whole packet to find port numbers in use.

Reflexive access-lists won't work with apps using changing port numbers,
while CBAC will, since it is reading much deeper into the packet.

_____________________________
Peter
#7247 (R&S, Security, C&S)
CyscoExpert Corp.
4433 W. Touhy Ave. Suite 410
Lincolnwood, IL 60712
Phone (847) 674-3392
Toll Free (866) CyscoXP (297-2697)
Fax (847) 674-2625

----- Original Message -----
From: "j" <wkfrktpdy@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Monday, April 28, 2003 12:12 AM
Subject: CBAC and reflexive ACL

> Can anybody shed some light on the difference between using
> CBAC and reflexive access-lists?
> They both seem to have same functionality.
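An added configuration example for comparison, not taken from Peter's post or the thread, showing the two approaches on one router. The interface name (Serial0/0 as the outside link), the ACL names and the inspect rule name are assumed. The reflexive ACL opens return-traffic holes using only the layer 3/4 header information of outbound packets; the CBAC rule does the same but also follows the FTP control channel to permit the separate data connection that a reflexive ACL would miss.

```cisco
! ----- Option 1: reflexive access-lists (layer 3/4 only) -----
! Outbound traffic is mirrored into a temporary reflexive entry;
! the inbound ACL evaluates those entries before denying the rest.
ip reflexive-list timeout 300
!
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect TCP-RETURN timeout 300
 permit udp any any reflect UDP-RETURN
 permit icmp any any reflect ICMP-RETURN
!
ip access-list extended INBOUND-REFLECT
 evaluate TCP-RETURN
 evaluate UDP-RETURN
 evaluate ICMP-RETURN
 deny ip any any log
!
interface Serial0/0
 description assumed outside interface
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-REFLECT in
!
! ----- Option 2: CBAC (stateful inspection, multi-channel aware) -----
! Generic tcp/udp inspection covers single-channel apps like telnet
! and web; the ftp inspector reads the control channel and opens the
! negotiated data port, which is what reflexive ACLs cannot do.
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface Serial0/0
 description assumed outside interface (CBAC variant, use one option only)
 ip inspect FW-INSPECT out
 ip access-group INBOUND-CBAC in
```

Only one of the two options should be active on the interface at a time; after applying either, `show ip access-lists` (reflexive) or `show ip inspect sessions` (CBAC) shows the dynamically created return-traffic entries, which is the quickest way to confirm that the FTP data channel is being opened under CBAC and not under the reflexive ACL.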



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:36:08 GMT-3