RE: 'established' vs. reflexive acl

From: John Matus (john_matus@hotmail.com)
Date: Wed Mar 02 2005 - 17:04:57 GMT-3


OK,
so what is the practical difference between only allowing an inbound telnet
session with the ACK bit set, and letting a dynamic TCP session return
inbound? I'm not sure I understand the difference.
I know that the ACK bit is set when it has undergone part of the three-way
handshake, so that at least in theory guarantees that it was initiated
outbound... but if you have a reflexive access-list like the one below that
creates a dynamic entry for outbound TCP sessions but also has the inbound
access-list permit telnet traffic before the extended ACL is evaluated, does
that override the dynamic entry and not guarantee that the telnet session
was initiated from the inside?

I suppose rather than:
ip access-list extended inbound
   permit tcp any any eq telnet
   evaluate myreflect

I could instead have:
ip access-list extended inbound
   permit icmp any any port-unreachable
   permit icmp any any time-exceeded
   evaluate myreflect

So, what would be the difference between this last extended ACL and:
'access-list 101 permit tcp any any eq telnet established' ?

>From: "Scott Morris" <swm@emanon.com>
>Reply-To: <swm@emanon.com>
>To: "'John Matus'" <john_matus@hotmail.com>,<ccielab@groupstudy.com>
>Subject: RE: 'established' vs. reflexive acl
>Date: Wed, 2 Mar 2005 14:40:02 -0500
>
>Established only covers TCP sessions with the 'ack' bit.
>
>Given the examples below, the reflexive ACL only works for TCP as well, so
>there really is no difference. However, reflexive ACLs can work for UDP and
>ICMP as well, so don't limit yourself!
>
>Scott
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John Matus
>Sent: Wednesday, March 02, 2005 2:29 PM
>To: ccielab@groupstudy.com
>Subject: 'established' vs. reflexive acl
>
>I'm a bit confused about the difference between the following 2 ACLs.
>
>int e0/0
>ip access-group 101 in
>access-list 101 permit tcp any any eq telnet established
>
>AND
>
>int e0/0
>ip access-group inbound in
>ip access-group outbound out
>
>ip access-list extended inbound
> permit tcp any any eq telnet
> evaluate myreflect
>
>ip access-list extended outbound
> permit tcp any any reflect myreflect
>
>
>does the established keyword only allow a session that was initiated
>outbound then return inbound?
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
>


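A quick way to see the difference the thread is circling, as an added example that is not part of the original posts: the script below models the three inbound policies discussed above on constructed packets. 'established' is stateless (any TCP segment with ACK or RST set matches, whether or not the router saw the outbound SYN); a static 'permit tcp any any eq telnet' placed above 'evaluate myreflect' permits without consulting state, which is the override John asks about; the ICMP-only variant leaves TCP and UDP return traffic entirely to the reflected entries, while its static ICMP lines admit the time-exceeded replies that no reflected entry could match. Assumptions in the model: the outbound ACL reflects all IP protocols ('permit ip any any reflect myreflect', broader than the thread's tcp-only line, per Scott's remark that UDP and ICMP work too), reflexive matching is an exact swap of addresses and ports, ICMP entries match on message type only, and the 'established' line keeps the thread's placement of 'eq telnet' after the destination, so it tests destination port 23. Addresses, ports and flows are made up.

```python
from dataclasses import dataclass

# Added example, not from the thread. Models the filtering styles discussed
# above on constructed packets; 'established' and reflexive ACL semantics are
# simplified to the parts that matter for the comparison.

TELNET = 23
DNS = 53
ICMP_PORT_UNREACHABLE = 3     # type 3 (the code field is ignored here)
ICMP_TIME_EXCEEDED = 11


@dataclass(frozen=True)
class Packet:
    """One packet as the ACL engine sees it (constructed test data)."""
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int                       # TCP/UDP source port; 0 for icmp
    dst: str
    dport: int                       # TCP/UDP destination port; icmp type for icmp
    flags: frozenset = frozenset()   # TCP control bits, e.g. {"SYN"}, {"ACK"}


def established_permits(pkt):
    """'access-list 101 permit tcp any any eq telnet established', applied inbound.

    Stateless: matches any TCP segment with ACK or RST set, whether or not the
    router ever saw this session's outbound SYN. 'eq telnet' after the
    destination 'any' tests the destination port."""
    return (pkt.proto == "tcp" and pkt.dport == TELNET
            and bool(pkt.flags & {"ACK", "RST"}))


# Static inbound entries that sit above 'evaluate myreflect' in the thread.
def permit_tcp_telnet(pkt):
    return pkt.proto == "tcp" and pkt.dport == TELNET


def permit_icmp_port_unreachable(pkt):
    return pkt.proto == "icmp" and pkt.dport == ICMP_PORT_UNREACHABLE


def permit_icmp_time_exceeded(pkt):
    return pkt.proto == "icmp" and pkt.dport == ICMP_TIME_EXCEEDED


class ReflexiveAcl:
    """'reflect' on the outbound ACL records the mirror of each permitted flow;
    'evaluate' on the inbound ACL permits only packets matching a record.
    Records are keyed on protocol, both addresses and both ports."""

    def __init__(self, explicit_inbound):
        self.explicit_inbound = list(explicit_inbound)
        self.reflected = set()

    def outbound(self, pkt):
        # Assumption: 'permit ip any any reflect myreflect', so tcp, udp and
        # icmp all create records (the thread's outbound line reflects tcp only).
        self.reflected.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return True

    def inbound(self, pkt):
        # Static permits are tried first and consult no state at all.
        if any(rule(pkt) for rule in self.explicit_inbound):
            return True
        # 'evaluate myreflect': stateful match against the recorded mirrors.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reflected


def run_scenarios():
    """Returns {scenario: (established, reflexive_with_telnet, reflexive_icmp_only)}."""
    inside, server, attacker, hop = "10.0.0.5", "192.0.2.10", "198.51.100.7", "203.0.113.1"
    acl_telnet = ReflexiveAcl([permit_tcp_telnet])
    acl_icmp = ReflexiveAcl([permit_icmp_port_unreachable, permit_icmp_time_exceeded])

    # The inside host opens a telnet session and sends a DNS query; both ACLs see them leave.
    for out in (Packet("tcp", inside, 40000, server, TELNET, frozenset({"SYN"})),
                Packet("udp", inside, 5353, server, DNS)):
        acl_telnet.outbound(out)
        acl_icmp.outbound(out)

    probes = {
        # Genuine reply to the outbound telnet SYN (source port 23, not destination).
        "telnet_return": Packet("tcp", server, TELNET, inside, 40000, frozenset({"SYN", "ACK"})),
        # Forged ACK toward an inside telnet port: no such session exists.
        "forged_ack_to_23": Packet("tcp", attacker, 40001, inside, TELNET, frozenset({"ACK"})),
        # Plain SYN toward the same port.
        "syn_to_23": Packet("tcp", attacker, 40001, inside, TELNET, frozenset({"SYN"})),
        # Genuine DNS reply to the outbound query.
        "dns_return": Packet("udp", server, DNS, inside, 5353),
        # Unsolicited UDP toward the inside host.
        "unsolicited_udp": Packet("udp", attacker, 5353, inside, 5353),
        # Time-exceeded from an intermediate hop (traceroute): its source address
        # appears in no reflected record, so only a static entry can admit it.
        "icmp_time_exceeded": Packet("icmp", hop, 0, inside, ICMP_TIME_EXCEEDED),
    }
    return {name: (established_permits(p), acl_telnet.inbound(p), acl_icmp.inbound(p))
            for name, p in probes.items()}


if __name__ == "__main__":
    for name, (est, refl_telnet, refl_icmp) in run_scenarios().items():
        print(f"{name:20s} established={est!s:5s} "
              f"reflexive+telnet={refl_telnet!s:5s} reflexive+icmp={refl_icmp!s:5s}")
```

The forged_ack_to_23 row is the one to look at: the 'established' line and the reflexive ACL with a static telnet permit both let it through, because neither consults any record of an outbound session; only the ICMP-only reflexive ACL drops it. The telnet_return row shows that the reflected record is what admits the real reply, and that the 'established' line as written (destination port 23) is not what matches it.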

This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:39 GMT-3