Re: udp reflexive access-list

From: san (san.study@gmail.com)
Date: Sat Jun 17 2006 - 12:02:55 ART


Maximus,

Reflexive ACLs can be used for TCP, UDP and ICMP...
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800ca7bb.html

Characteristics of Reflexive Access List Entries
---------------------------------------------------------------------

This command enables the creation of temporary entries in the same reflexive
access list that was defined by this command. The temporary entries are
created when a packet exiting your network matches the protocol specified in
this command. (The packet "triggers" the creation of a temporary entry.)
These entries have the following characteristics:

The entry is a *permit* entry.

The entry specifies the same IP upper-layer protocol as the original
triggering packet.

The entry specifies the same source and destination addresses as the
original triggering packet, except the addresses are swapped.

If the original triggering packet is TCP or UDP, the entry specifies the
same source and destination port numbers as the original packet, except the
port numbers are swapped.

If the original triggering packet is a protocol other than TCP or UDP, port
numbers do not apply, and other criteria are specified. For example, for
ICMP, type numbers are used: the temporary entry specifies the same type
number as the original packet (with only one exception: if the original ICMP
packet is type 8, the returning ICMP packet must be type 0 to be matched).

The entry inherits all the values of the original triggering packet, with
exceptions only as noted in the previous four bullets.

IP traffic entering your internal network will be evaluated against the
entry, until the entry expires. If an IP packet matches the entry, the
packet will be forwarded into your network.

The entry will expire (be removed) after the last packet of the session is
matched.

If no packets belonging to the session are detected for a configurable
length of time (the timeout period), the entry will expire.

On 6/17/06, Maximus <victorius@gmail.com> wrote:
>
> Hey, don't you think it's stupid to reflect UDP? Because UDP is a connectionless
> protocol... so traffic is unidirectional, right?
>
>
> ip access-list extended OUTBOUND
> permit tcp any any reflect REFLEXIVE
> permit udp any any reflect REFLEXIVE
> permit icmp any any reflect REFLEXIVE
>
> --
> regards,
>
> Maximus
>

--
Thanks & Rgds
SAN
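To make the pasted characteristics concrete, here is an added example (not Cisco code, and not from either poster) that models how a reflexive entry is derived from an outbound packet and how inbound packets are then evaluated against it, including the ICMP type 8 to type 0 exception, the idle timeout, and a constructed UDP DNS query/reply showing why reflecting UDP is useful. Packet fields, the time values and the timeout are simplified stand-ins.

```python
# Added example: a small model of Cisco IOS reflexive ACL behaviour, following the
# characteristics quoted above. Not Cisco code; packets and timers are stand-ins.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None         # TCP/UDP only
    dport: Optional[int] = None
    icmp_type: Optional[int] = None     # ICMP only

@dataclass
class ReflexiveEntry:
    """Temporary *permit* entry derived from the outbound triggering packet."""
    permit: Packet                      # the inbound packet shape this entry permits
    last_seen: float                    # time the session was last active

    def matches(self, pkt: Packet) -> bool:
        return pkt == self.permit

def reflect(outbound: Packet, now: float) -> ReflexiveEntry:
    """Create the temporary entry that 'reflect' produces for one outbound packet."""
    if outbound.proto in ("tcp", "udp"):
        # same protocol, addresses swapped, ports swapped
        permit = Packet(outbound.proto, outbound.dst, outbound.src,
                        outbound.dport, outbound.sport)
    else:
        # ICMP has no ports: same type, except echo request (8) is answered by reply (0)
        reply_type = 0 if outbound.icmp_type == 8 else outbound.icmp_type
        permit = Packet("icmp", outbound.dst, outbound.src, icmp_type=reply_type)
    return ReflexiveEntry(permit, now)

def evaluate(entries: List[ReflexiveEntry], pkt: Packet, now: float, timeout: float) -> bool:
    """Inbound check: permit only if a non-expired entry matches, and refresh its timer."""
    for e in entries:
        if now - e.last_seen <= timeout and e.matches(pkt):
            e.last_seen = now
            return True
    return False                        # no session entry: the inbound packet is dropped

def dns_roundtrip() -> bool:
    """Constructed UDP case: a DNS query out, its reply back in (UDP is bidirectional too)."""
    query = Packet("udp", "10.0.0.5", "192.0.2.53", 40123, 53)
    entries = [reflect(query, now=0.0)]
    reply = Packet("udp", "192.0.2.53", "10.0.0.5", 53, 40123)
    return evaluate(entries, reply, now=1.0, timeout=300.0)
```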


This archive was generated by hypermail 2.1.4 : Sat Jul 01 2006 - 07:57:33 ART