Re: CBAC vs. Reflexive ACL

From: Daniel Valle (danielfrvalle@gmail.com)
Date: Tue Feb 12 2008 - 13:48:59 ARST


Hi Wael,
I think you should use reflexive ACLs as much as you can. However, I don't
think it's a good option to use the ip local policy route-map xxx keyword.
Instead, manually permit the traffic inbound on the desired interface.

The reason for that is simple: all local traffic matching the ACL will
cause the reflexive entry to be added. The bad part is that even a
packet matching the ACL and exiting an interface different from where the
reflexive ACL is applied will also have the reflexive ACL incremented. E.g.,
the reflexive ACL is applied on F0/0. If a packet leaves F0/1 and matches
the ACL (e.g. permit tcp any any), it will make the F0/0 interface have the
reflected ACL for that packet.

I don't know if in the exam you fail for that. Maybe someone else might
answer! If I were you, I'd do the static permits inbound.

CBAC does not create an ACL; instead it records the state of the flow
traversing the interface. It's a bit different from the ACLs, because it does
not consider only layers 3 and 4.

E.g., if your question says to configure an ACL, CBAC is not an option.

HTH,

Daniel

On Feb 12, 2008 10:25 AM, wael sabry <eng_waelsabry@hotmail.com> wrote:

> Hello,
>
> Is there any advice about when to use CBAC and when to use Reflexive ACL?
> Many tasks in IE need to permit locally generated traffic (tcp/udp/icmp)
> to be returned back. Most of these tasks have been solved by Reflexive ACL
> and then needed to add a route-map to match locally generated traffic of
> the router.
> My question: why not use CBAC with the router-traffic keyword?
>
> For Example Task 8-1 in Lab 5.
>
> Regards,
>
> Wael Sabry



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST
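
Added example, not part of the original thread: a side-by-side IOS configuration of the two approaches discussed, a reflexive ACL with the static inbound permits Daniel recommends for router-originated traffic, and the CBAC `router-traffic` alternative Wael asks about. Interface names, ACL and inspection-rule names, and the 192.0.2.1 address are constructed assumptions; use one option per interface, not both.

```cisco
! Constructed example. Fa0/0 is assumed to be the outside interface
! and 192.0.2.1 its address.

! --- Option A: reflexive ACL + static permits for the router's own traffic
ip access-list extended OUTBOUND
 ! Transit sessions leaving Fa0/0 create temporary entries in MIRROR
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
ip access-list extended INBOUND
 ! Return traffic for transit sessions
 evaluate MIRROR
 ! Locally generated packets are not filtered by the outbound ACL,
 ! so they never create a reflexive entry; permit their replies statically
 permit icmp any host 192.0.2.1 echo-reply
 permit tcp any host 192.0.2.1 established
 permit udp any eq domain host 192.0.2.1
 deny ip any any log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- Option B: CBAC, inspecting router-originated traffic as well
! No ACL entries are written by hand for return traffic; CBAC tracks
! session state and opens the inbound path for it.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface FastEthernet0/0
 ip inspect FW out
 ip access-group INBOUND-CBAC in
```

With Option A, `show ip access-lists MIRROR` lists the temporary reflexive entries; with Option B, `show ip inspect sessions` lists the tracked flows.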