From: Scott Morris (smorris@ipexpert.com)
Date: Thu Feb 14 2008 - 11:55:12 ARST
And you answer your own question there. In your solution, is there an
"inside" and "outside" interface?
With IP inspect, you actually only need to apply it on one interface as
either an inbound or outbound rule, and it does the rest of the magic.
With reflexive ACLs, you need TWO ACLs in place. One to "reflect" upon the
traffic (presumably the inside interface) and the other to "evaluate" the
table (the outside interface for return traffic).
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE-M
#153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
VP - Technical Training - IPexpert, Inc.
IPexpert Sr. Technical Instructor
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.810.454.0130
http://www.ipexpert.com
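The two layouts Scott describes, side by side, as an added example that is not code from any post in this thread. Interface roles (Fa0/1 inside, Fa0/0 outside), the ACL and inspect names, the timeouts and the RIP exception are assumptions chosen to mirror the config Fang posted; the two options are alternatives for the same router, not meant to be applied together. Wael's route-map workaround for locally generated traffic is deliberately not shown.

```cisco
! === Option 1: Reflexive ACL (two ACLs on two interfaces) ===
! Assumed topology: Fa0/1 = inside, Fa0/0 = outside.
!
! ACL 1 builds the reflexive ("mirror") table from traffic that arrives
! on the inside interface on its way out.
ip access-list extended INSIDE_IN
 permit tcp any any reflect MIRROR timeout 120
 permit udp any any reflect MIRROR timeout 60
 permit icmp any any reflect MIRROR
 permit ip any any
!
! ACL 2 sits inbound on the outside interface: it lets RIP in, consults
! the mirror table for return traffic, and drops everything else.
ip access-list extended OUTSIDE_IN
 permit udp any any eq rip
 evaluate MIRROR
 deny ip any any log
!
interface FastEthernet0/1
 description inside
 ip access-group INSIDE_IN in
!
interface FastEthernet0/0
 description outside
 ip access-group OUTSIDE_IN in
!
! Caveat: packets the router itself originates never arrive on Fa0/1, so
! they never populate MIRROR and their replies are dropped by OUTSIDE_IN
! (unless they happen to match the RIP line). That is the gap Wael's
! route-map workaround exists to close.
!
! === Option 2: CBAC (one inspect rule on one interface) ===
! The inspection rule tracks the outgoing sessions and opens the return
! hole in the inbound ACL; "router-traffic" extends that to sessions the
! router itself initiates, with no second ACL and no route-map.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
!
ip access-list extended OUTSIDE_IN_CBAC
 permit udp any any eq rip
 deny ip any any log
!
interface FastEthernet0/0
 description outside
 ip access-group OUTSIDE_IN_CBAC in
 ip inspect FW out
!
! Verification, after generating traffic from an inside host and from
! the router itself (e.g. ping/telnet sourced on the router):
!   show ip access-lists MIRROR   - temporary reflexive entries (option 1)
!   show ip inspect sessions      - tracked CBAC sessions (option 2)
```

The check that settles which option a task needs is the second verification step: with option 1, a ping sourced on the router fails and MIRROR shows no entry for it, while with option 2 the same ping succeeds and shows up under show ip inspect sessions.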
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Fang
Gao
Sent: Wednesday, February 13, 2008 11:16 PM
To: Rich Collins; wael sabry
Cc: Rik Guyler; ccielab@groupstudy.com
Subject: Re: CBAC vs. Reflexive ACL
Hi,
If I had not read the solution guide, I would have used CBAC to fulfill the
requirement, because the key words "inside interface" and "outside
interface" are good hints for a firewall.
The CBAC solution is the most straightforward and the simplest for the requirement.
In the lab exam, the simpler solution is the better one, isn't it?
However, I do not understand why a Reflexive ACL is preferred in this case.
The following code works.
Thanks
! Inspection rule: inspect UDP, and TCP/ICMP including the router's own sessions
ip inspect name CBAC udp
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC icmp router-traffic
!
! Inbound ACL on f0/0: permit RIP; everything else is dropped unless CBAC has opened it
ip access-list extended ACL
 permit udp any any eq rip
 deny ip any any
!
interface f0/0
 ip access-group ACL in
 ip inspect CBAC out
On Feb 12, 2008 4:53 PM, Rich Collins <nilsi2002@gmail.com> wrote:
> Another key word to look for is timeout: how long to hold a (tcp)
> session, and the different thresholds which can be set to drop sessions
> which do not become fully established - as Rik has mentioned.
>
> As I recall CBAC only offers a subset of functions for locally
> generated traffic.
>
> -Rich
>
> On Feb 12, 2008 9:48 AM, Rik Guyler <rik@guyler.net> wrote:
>
> > CBAC also adds a component of stateful inspection to the ACL
> > function, which RACLs don't do. If the question asks you simply to
> > allow return traffic then a RACL should do it, but if the question
> > leads you towards intelligent or stateful filtering (possibly with
> > keywords, such as Internet, hackers, etc.) then you could consider CBAC.
> >
> > Rik
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> > Of wael sabry
> > Sent: Tuesday, February 12, 2008 7:25 AM
> > To: ccielab@groupstudy.com
> > Subject: CBAC vs. Reflexive ACL
> >
> > Hello,
> >
> > Is there any advice about when to use CBAC and when to use Reflexive
> > ACL? Many tasks in IE need to permit locally generated traffic
> > (tcp/udp/icmp) to be returned; most of these tasks have been solved
> > with a Reflexive ACL and then needed a route-map added to match the
> > locally generated traffic of the router.
> > My question: why not use CBAC with the router-traffic keyword?
> >
> > For Example Task 8-1 in Lab 5.
> >
> > Regards,
> >
> > Wael Sabry
> >
> >
> >
> > ____________________________________________________________________
> > ___ Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST