Re: Reflexive ACL v/s Established key ACL

From: Rodia Rascall (polarccie@yahoo.co.uk)
Date: Thu May 01 2003 - 14:30:28 GMT-3


reflexive access lists are created only during the
session, and are harder to spoof..
you can bypass a "tcp established" acl by setting the ack
or rst fields of a tcp packet..
so
reflexive acls give finer control in terms
of security

 --- Cristian Henry <chenry@reuna.cl> wrote:
> Just to test if I got a correct understanding about it.
> Are the following configurations the same? Thanks for
> your valuable opinion
>
> Config 1:
> interface ethernet0
> ip access-group 102 in
> !
> access-list 102 permit tcp any any gt 1023 established
>
> Config 2:
>
> interface ethernet0
> ip access-group inboundfilters in
> ip access-group outboundfilters out
> !
> ip access-list extended outboundfilters
> permit tcp any any reflect tcptraffic
> !
> ip access-list extended inboundfilters
> evaluate tcptraffic
> !
> ip reflexive-list timeout 120
>
>
>
> --
> Cristian E. Henry
> REUNA
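To make the difference between the two configurations concrete, here is an added example that is not part of the original thread and is not IOS code: a small Python model of the two filters. The `established` keyword is modelled as a stateless match on the ACK or RST bit (plus the `gt 1023` port test from Config 1), while the reflexive pair (`reflect tcptraffic` outbound, `evaluate tcptraffic` inbound, `timeout 120`) is modelled as a table of mirrored, expiring session entries. The packets, addresses and timestamps are constructed for the scenario; real IOS also tracks FIN handshakes and refreshes entries on matching traffic, which this model simplifies.

```python
from dataclasses import dataclass

# TCP flag bits, using the real header bit positions (constructed constants)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_acl_permits(pkt: Packet) -> bool:
    """Model of Config 1: 'permit tcp any any gt 1023 established'.

    The established keyword only tests whether the ACK or RST bit is set.
    It keeps no state, so it cannot tell a reply from a forged packet that
    merely carries one of those bits.
    """
    return pkt.dport > 1023 and (pkt.flags & (ACK | RST)) != 0


class ReflexiveAcl:
    """Model of Config 2: 'reflect' on the outbound ACL, 'evaluate' inbound.

    Each permitted outbound TCP packet creates a temporary mirrored entry
    (swapped addresses and ports). Inbound packets are permitted only if a
    live entry exists for them; entries expire after `timeout` seconds or
    when an RST is seen (simplified from IOS, which also watches FINs).
    """

    def __init__(self, timeout: int = 120):
        self.timeout = timeout
        self.entries: dict[tuple, float] = {}  # mirrored 4-tuple -> expiry time

    def outbound(self, pkt: Packet, now: float) -> bool:
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirrored] = now + self.timeout
        return True  # 'permit tcp any any reflect tcptraffic' permits everything outbound

    def inbound_permits(self, pkt: Packet, now: float) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False  # no session was ever opened from the inside
        if now > expiry:
            del self.entries[key]  # 'ip reflexive-list timeout 120' has elapsed
            return False
        if pkt.flags & RST:
            del self.entries[key]  # session torn down; entry removed after this packet
        return True


def run_scenario() -> dict:
    """Constructed scenario; returns {label: (established_result, reflexive_result)}."""
    inside, server, stranger = "10.0.0.5", "198.51.100.7", "203.0.113.9"
    acl = ReflexiveAcl(timeout=120)
    results = {}

    # Inside host opens a connection to the server; the reflexive ACL records it.
    acl.outbound(Packet(inside, 40000, server, 80, SYN), now=0)

    # Genuine reply from the server: both filters permit it.
    reply = Packet(server, 80, inside, 40000, SYN | ACK)
    results["genuine reply"] = (established_acl_permits(reply), acl.inbound_permits(reply, now=1))

    # Unsolicited packet from elsewhere with the ACK bit set: only 'established' lets it in.
    ack_only = Packet(stranger, 80, inside, 40000, ACK)
    results["unsolicited ACK"] = (established_acl_permits(ack_only), acl.inbound_permits(ack_only, now=1))

    # Unsolicited RST to a high port: same weakness of the stateless match.
    rst_only = Packet(stranger, 443, inside, 5000, RST)
    results["unsolicited RST"] = (established_acl_permits(rst_only), acl.inbound_permits(rst_only, now=1))

    # Genuine peer, but after the 120 s reflexive timeout has expired.
    late = Packet(server, 80, inside, 40000, ACK)
    results["reply after timeout"] = (established_acl_permits(late), acl.inbound_permits(late, now=121))

    return results


if __name__ == "__main__":
    for label, (est, refl) in run_scenario().items():
        print(f"{label:22s} established={est!s:5s} reflexive={refl}")
```

Running it prints one row per packet; the two "unsolicited" rows are the point of the reply above: the stateless `established` match admits them, the reflexive entry table does not, and the last row shows the timeout closing the hole that a long-lived mirrored entry would otherwise leave open.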



This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:35 GMT-3