From: Ben (ccieben@cox.net)
Date: Wed Jun 07 2006 - 15:59:58 ART
Hi Carlos,
The "established" keyword in a router ACL is just checking for the TCP
ACK or RST bit set in the header:
"For the TCP protocol only: Indicates an established connection. A match
occurs if the TCP datagram has the ACK or RST bit set. The nonmatching
case is that of the initial TCP datagram to form a connection."
So, in theory, if someone was altering the header info - the packet
would pass through your ACL.
In contrast - the reflexive list is a sort-of-stateful-firewall-like
mechanism that only allows the return traffic of connections that were
originated by matching your reflect statement. You can see these reflexive
entries with a "show access-list".
HTH
Ben
Carlos Campos Torres (ccampost) wrote:
> Hi all,
>
> Just wondering what the difference between allowing telnet in a
> reflexive ACL and just creating an access-list with the established
> keyword would be.
>
> Example: In Internetwork Experts Lab 5 Task 9.1 they ask to have telnet
> connectivity if a router started the connection
>
> Option 1)
>
> R2(config)#ip access-list extended INBOUND
> R2(config-ext-nacl)#permit tcp any eq telnet any established
>
> Option 2)
> R2(config)#ip access-list extended INBOUND
> R2(config-ext-nacl)#evaluate REFLECT
> R2(config)#ip access-list extended OUTBOUND
> R2(config-ext-nacl)#permit tcp any any eq telnet reflect REFLECT
>
> What would be the difference between doing it one way or the other?
>
> Any comments will be highly appreciated
>
> Thanks!
>
> Carlos Campos
>
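To make the difference between the two options concrete, here is an added Python model of both checks; it is not code from the thread or from Cisco IOS, the addresses and ports are constructed, and it deliberately ignores the reflexive entries' idle timeout and FIN/RST teardown.

```python
from dataclasses import dataclass

TELNET = 23


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def established_permits(pkt: TcpPacket) -> bool:
    """Option 1: 'permit tcp any eq telnet any established'.
    Stateless: only the source port and the ACK/RST bits are inspected,
    so any packet carrying those bits matches, whoever sent it."""
    return pkt.sport == TELNET and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Option 2: 'reflect REFLECT' on OUTBOUND plus 'evaluate REFLECT' on INBOUND."""

    def __init__(self) -> None:
        self.entries = set()  # mirrored (src, dst, sport, dport) tuples

    def outbound(self, pkt: TcpPacket) -> bool:
        # 'permit tcp any any eq telnet reflect REFLECT': a match creates the mirror entry
        if pkt.dport == TELNET:
            self.entries.add((pkt.dst, pkt.src, pkt.dport, pkt.sport))
            return True
        return False

    def inbound(self, pkt: TcpPacket) -> bool:
        # 'evaluate REFLECT': permit only packets matching an entry created by outbound traffic
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport) in self.entries


def demo() -> list:
    """Constructed scenario: R2 (10.0.0.2) telnets out to 10.0.0.1, then three inbound packets
    arrive. Returns (established_permits, reflexive_permits) for each inbound packet."""
    acl = ReflexiveAcl()
    acl.outbound(TcpPacket("10.0.0.2", "10.0.0.1", 40000, TELNET, frozenset({"SYN"})))
    inbound = [
        TcpPacket("10.0.0.1", "10.0.0.2", TELNET, 40000, frozenset({"ACK"})),   # genuine reply
        TcpPacket("192.0.2.99", "10.0.0.2", TELNET, 40001, frozenset({"ACK"})),  # no session, ACK set
        TcpPacket("192.0.2.99", "10.0.0.2", 40002, TELNET, frozenset({"SYN"})),  # unsolicited SYN
    ]
    return [(established_permits(p), acl.inbound(p)) for p in inbound]
```

The second inbound packet is the case Ben describes: the established check passes it on the ACK bit alone, while the reflexive ACL denies it because no outbound session created a matching entry.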