From: Fang Gao (fanggao@gmail.com)
Date: Thu Feb 14 2008 - 02:15:37 ARST
Hi,
If I did not read the solution guide, I would use CBAC to fulfill the
requirement, because the key words "inside interface" and "outside
interface" are good hints for a firewall.
The CBAC solution is the most straightforward and the simplest for the requirement.
In the lab exam, the simpler solution is the better one, is that right?
However, I do not understand why Reflexive-ACL is preferred in this case.
The following code works.
Thanks
R4(config)# interface f0/0
 ip access-group ACL in
 ip inspect CBAC out
ip access-list ext ACL
 permit udp any any eq rip
 deny ip any any
ip inspect name CBAC udp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic

On Feb 12, 2008 4:53 PM, Rich Collins <nilsi2002@gmail.com> wrote:
> Another key word to look for is timeout. How long to hold a (tcp) session
> and different thresholds which can be set to drop sessions which do not
> become fully established - as Rik has mentioned.
>
> As I recall CBAC only offers a subset of functions for locally generated
> traffic.
>
> -Rich
>
> On Feb 12, 2008 9:48 AM, Rik Guyler <rik@guyler.net> wrote:
>
> > CBAC also adds a component of stateful inspection to the ACL function,
> > which RACLs don't do. If the question asks you simply to allow return
> > traffic then a RACL should do it but if the question leads you towards
> > intelligent or stateful filtering (possibly with keywords, such as
> > Internet, hackers, etc.) then you could consider CBAC.
> >
> > Rik
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of wael sabry
> > Sent: Tuesday, February 12, 2008 7:25 AM
> > To: ccielab@groupstudy.com
> > Subject: CBAC vs. Reflexive ACL
> >
> > Hello,
> >
> > Is there any advice about when to use CBAC and when to use Reflexive ACL?
> > Many tasks in IE need to permit local traffic (tcp/udp/icmp) to be
> > returned back. Most of these tasks have been solved by Reflexive ACL, and
> > then needed to add a route-map to match locally generated traffic of the
> > router. My question: why not use CBAC with the router-traffic keyword?
> >
> > For example, Task 8-1 in Lab 5.
> >
> > Regards,
> >
> > Wael Sabry
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST
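
For comparison with the CBAC configuration in the top message, here is a sketch of the reflexive ACL approach the thread describes: reflect/evaluate entries plus a local policy route-map so that router-generated traffic is also reflected. This is an added example, not code from any poster or from the solution guide; the names MIRROR, OUTBOUND, INBOUND, LOCAL-TRAFFIC and LOCAL-POLICY and the Loopback0 address are assumptions.

```cisco
! Added example (not from the thread). Names MIRROR, OUTBOUND, INBOUND,
! LOCAL-TRAFFIC, LOCAL-POLICY and the Loopback0 address are assumptions.
interface Loopback0
 ip address 192.0.2.4 255.255.255.255
!
! Outbound ACL: create a temporary mirror entry for each flow leaving f0/0.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!
! Inbound ACL: RIP as in the CBAC version, then only mirrored return traffic.
ip access-list extended INBOUND
 permit udp any any eq rip
 evaluate MIRROR
 deny ip any any
!
interface FastEthernet0/0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
!
! An outbound interface ACL does not see packets the router itself originates,
! so they would never be reflected. Local policy routing sends them through
! Loopback0 first, after which they are treated as transit traffic.
ip access-list extended LOCAL-TRAFFIC
 deny udp any any eq rip
 permit tcp any any
 permit udp any any
 permit icmp any any
!
route-map LOCAL-POLICY permit 10
 match ip address LOCAL-TRAFFIC
 set interface Loopback0
!
ip local policy route-map LOCAL-POLICY
```

In the CBAC version, the router-traffic keyword on the ip inspect name lines takes the place of the last three stanzas.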