From: Ian Blaney (ian.blaney@gmail.com)
Date: Mon Jan 22 2007 - 11:37:56 ART
Vince
I just wanted to be clear as I don't have the appropriate IOS to test it. If
I understand correctly it is applicable only for H.323, TCP, and UDP
protocols so things like telnet and SNMP will be inspected but protocols
like ICMP, PIM, OSPF and EIGRP will have to be specifically allowed.
Thanks
Ian
On 1/22/07, Vincent Mashburn <vmashburn@fedex.com> wrote:
>
> By default, CBAC and Reflexive-ACL's do not perform stateful inspection
> on any traffic generated from the router that they are configured on
> (only transit traffic). Many protocols such as TCP, H.323, SIP, etc.
> must be generated from the router at times (depending on your topology),
> which is why I believe that these were mentioned in the documentation.
> However, ICMP, SNMP, and any other traffic generated by the router will
> also not be statefully inspected. What the "router-traffic" keyword
> does is allow CBAC to inspect locally originated traffic. This
> will be needed for routing protocols, voice protocols, IP SLA, etc.
> Hope this helps.
>
> Vince Mashburn
> Sr. Voice / Data Engineer
> 901-263-5072
> CCVP, CCNP
> Cisco IP Telephony Support Specialist
> Cisco IP Telephony Operations Specialist
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ian Blaney
> Sent: Saturday, January 20, 2007 7:48 AM
> To: CCIE Groupstudy
> Subject: CBAC router-traffic option
>
> Hi
>
> What is the purpose of the router-traffic option in CBAC's ip inspect
> name command? From the documentation
>
> (Optional) Enables inspection of traffic destined to or originated
> from a router. Applicable only for H.323, TCP, and UDP protocols.
> For the command format, see the Note after Table 26.
>
> Note The TCP, UDP, and H.323 protocols support the router-traffic
> keyword, which enables inspection of traffic destined to or originated
> from a router. The command format is as follows:
>
> ip inspect name inspection-name {TCP | UDP | H323} [alert {on | off}]
> [audit-trail {on | off}] [router-traffic] [timeout seconds]
>
> If I understand correctly, it would not be necessary to config a filter
> for, for example, return telnet traffic from a telnet session directly
> from the router, as this would be done automatically by CBAC. What about
> routing protocol traffic, e.g. OSPF and EIGRP?
>
> Thanks
> Ian
>
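The configuration below is an added illustration of Vince's answer, not part of the original thread or Cisco's documentation: router-traffic lets CBAC track TCP/UDP/H.323 sessions the router itself starts, while OSPF, EIGRP, PIM and ICMP still need explicit entries in the inbound ACL. The inspection name, ACL name and interface are assumed.

```cisco
! Added example (not from the thread). Inspection name, ACL name and
! interface are assumed; adjust to the real topology.
!
! Inspect transit AND router-originated TCP, UDP and H.323 sessions.
! Without router-traffic, a telnet or SNMP poll started on the router
! is not tracked and its return traffic hits the inbound ACL unmatched.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW h323 router-traffic
!
! Inbound ACL on the outside interface. CBAC opens temporary holes for
! return traffic of inspected sessions, so telnet/SNMP replies need no
! entry here. OSPF (IP 89), EIGRP (IP 88), PIM (IP 103) and ICMP are
! not TCP/UDP/H.323, so the inspect rules above never track them and
! they must be permitted explicitly, otherwise adjacencies will fail.
ip access-list extended OUTSIDE_IN
 permit ospf any any
 permit eigrp any any
 permit pim any any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
interface Serial0/0
 description Outside link (assumed interface)
 ip access-group OUTSIDE_IN in
 ip inspect FW out
!
! Verify: "show ip inspect sessions" should list a session for a
! telnet started from the router once router-traffic is in place.
```

If the local IOS image does not accept the router-traffic keyword, the feature is absent from that release and router-originated TCP/UDP return traffic must be permitted in the ACL as well.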
This archive was generated by hypermail 2.1.4 : Thu Feb 08 2007 - 23:46:57 ART