RE: CBAC router-traffic option

From: Vincent Mashburn (vmashburn@fedex.com)
Date: Mon Jan 22 2007 - 11:20:28 ART


By default, CBAC and reflexive ACLs do not perform stateful inspection
on any traffic generated from the router that they are configured on
(only transit traffic). Many protocols such as TCP, H.323, SIP, etc.
must be generated from the router at times (depending on your topology),
which is why I believe that these were mentioned in the documentation.
However, ICMP, SNMP, and any other traffic generated by the router will
also not be statefully inspected. What the "router-traffic" keyword
does is allow CBAC to inspect locally originated traffic. This
will be needed for routing protocols, voice protocols, IP SLA, etc.
Hope this helps.

Vince Mashburn
Sr. Voice / Data Engineer
901-263-5072
CCVP, CCNP
Cisco IP Telephony Support Specialist
Cisco IP Telephony Operations Specialist
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ian Blaney
Sent: Saturday, January 20, 2007 7:48 AM
To: CCIE Groupstudy
Subject: CBAC router-traffic option

Hi

What is the purpose of the router-traffic option in CBAC's ip inspect name
command? From the documentation:

(Optional) Enables inspection of traffic destined to or originated
from a router. Applicable only for H.323, TCP, and UDP protocols.
For the command format, see the Note after Table 26.

Note: The TCP, UDP, and H.323 protocols support the router-traffic keyword,
which enables inspection of traffic destined to or originated from a router.
The command format is as follows:

ip inspect name inspection-name {TCP | UDP | H323} [alert {on | off}] [audit-trail {on | off}] [router-traffic] [timeout seconds]

If I understand correctly, it would not be necessary to configure a filter
for, for example, return telnet traffic from a telnet session opened directly
from the router, as this would be done automatically by CBAC. What about
routing protocol traffic, e.g. OSPF and EIGRP?

Thanks
Ian
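As an added illustration (not part of the original thread, and not taken from Cisco documentation), the following IOS configuration applies the point made in the reply: the inspection rule carries router-traffic on TCP and UDP so that sessions the router itself opens toward the outside get state entries and their return packets pass the inbound ACL. The documentation quoted in the question limits router-traffic to TCP, UDP and H.323, so OSPF and EIGRP, which run directly over IP (protocols 89 and 88), and ICMP sourced by the router still need explicit entries in the inbound ACL. Interface names, addresses and the outside neighbour subnet are assumed placeholders.

```cisco
! Added example, not from the original thread.
! Assumed topology: FastEthernet0/0 = inside LAN, FastEthernet0/1 = outside.
! All addresses below are constructed placeholders.
!
! 1. Inspection rule. Without "router-traffic" only transit sessions
!    (inside -> outside) get a state entry; a telnet or SSH session the
!    router opens toward the outside gets none, so its return packets hit
!    the inbound ACL on the outside interface and are dropped.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
!
! 2. Inbound ACL on the outside interface: deny by default. CBAC adds
!    temporary entries above these lines for sessions it holds state for.
!    router-traffic covers TCP, UDP and H.323 only, so anything the router
!    originates over another IP protocol must be permitted explicitly.
ip access-list extended OUTSIDE-IN
 remark OSPF (IP proto 89) and EIGRP (IP proto 88) from the outside neighbours
 permit ospf 192.0.2.0 0.0.0.255 any
 permit eigrp 192.0.2.0 0.0.0.255 any
 remark Replies to pings sourced by the router are not inspected either
 permit icmp any host 192.0.2.1 echo-reply
 deny   ip any any log
!
interface FastEthernet0/1
 description Outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
```

To confirm the behaviour, open a telnet session from the router to an outside host and check "show ip inspect sessions" for a state entry whose source is the router's own address; "show access-list OUTSIDE-IN" shows the dynamic permit that CBAC inserted for the return traffic. Dropped routing-protocol hellos show up as matches on the logged deny line, which is the quickest sign that a protocol outside the TCP/UDP/H.323 set was left out of the ACL.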



This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART