Re: CBAC vs. Reflexive ACL

From: Fang Gao (fanggao@gmail.com)
Date: Thu Feb 14 2008 - 13:02:01 ARST


Hi, Scott,

The keywords "inside interface" and "outside interface" are mentioned in the
requirement of IE Task 8-1 in Lab 5. I did not describe it clearly in my
previous email.

Thank you very much

Fang

On Thu, Feb 14, 2008 at 8:55 AM, Scott Morris <smorris@ipexpert.com> wrote:

> And you answer your own question there. In your solution, is there an
> "inside" and "outside" interface?
>
> With IP inspect, you actually only need to apply it on one interface as
> either an inbound or outbound rule, and it does the rest of the magic.
>
> With reflexive ACLs, you need TWO ACLs in place. One to "reflect" upon the
> traffic (presumably the inside interface) and the other to "evaluate" the
> table (the outside interface for return traffic).
>
> HTH,
>
>
> Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713,
> JNCIE-M #153, JNCIS-ER, CISSP, et al.
> CCSI/JNCI-M/JNCI-ER
> VP - Technical Training - IPexpert, Inc.
> IPexpert Sr. Technical Instructor
>
> A Cisco Learning Partner - We Accept Learning Credits!
>
> smorris@ipexpert.com
>
>
>
> Telephone: +1.810.326.1444
> Fax: +1.810.454.0130
> http://www.ipexpert.com
>
>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Fang Gao
> Sent: Wednesday, February 13, 2008 11:16 PM
> To: Rich Collins; wael sabry
> Cc: Rik Guyler; ccielab@groupstudy.com
> Subject: Re: CBAC vs. Reflexive ACL
>
> Hi,
>
> If I did not read the solution guide, I would use CBAC to fulfill the
> requirement, because the key words "inside interface" and "outside
> interface" are good hints for a firewall.
>
> The CBAC solution is the most straightforward and simplest for the requirement.
> In the lab exam, the simpler solution is the better one, is that right?
>
> However, I do not understand why Reflexive-ACL is preferred in this case.
>
> The following code works.
>
> Thanks
>
>
> ! R4: define the ACL and the inspection rule first, then apply both
> ! on f0/0 (the outside interface).
> ip access-list extended ACL
>  permit udp any any eq rip
>  deny ip any any
> !
> ! Inspect outgoing udp; tcp and icmp also for router-originated traffic
> ip inspect name CBAC udp
> ip inspect name CBAC tcp router-traffic
> ip inspect name CBAC icmp router-traffic
> !
> interface FastEthernet0/0
>  ip access-group ACL in
>  ip inspect CBAC out
>
>
>
>
> On Feb 12, 2008 4:53 PM, Rich Collins <nilsi2002@gmail.com> wrote:
>
> > Another key word to look for is timeout. How long to hold a (tcp)
> > session and different thresholds which can be set to drop sessions
> > which do not become fully established - as Rik has mentioned.
> >
> > As I recall CBAC only offers a subset of functions for locally
> > generated traffic.
> >
> > -Rich
> >
> > On Feb 12, 2008 9:48 AM, Rik Guyler <rik@guyler.net> wrote:
> >
> > > CBAC also adds a component of stateful inspection to the ACL
> > > function, which RACLs don't do. If the question asks you simply to
> > > allow return traffic then a RACL should do it, but if the question
> > > leads you towards intelligent or stateful filtering (possibly with
> > > keywords, such as Internet, hackers, etc.) then you could consider CBAC.
> > >
> > > Rik
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of wael sabry
> > > Sent: Tuesday, February 12, 2008 7:25 AM
> > > To: ccielab@groupstudy.com
> > > Subject: CBAC vs. Reflexive ACL
> > >
> > > Hello,
> > >
> > > Is there any advice about when to use CBAC and when to use Reflexive
> > > ACL? Many tasks in IE that need to permit local traffic
> > > (tcp/udp/icmp) to be returned back have mostly been
> > > solved by Reflexive ACL, and then a route-map needed to be added to match
> > > locally generated traffic of the router.
> > > My question: why not use CBAC with the router-traffic key word?
> > >
> > > For Example Task 8-1 in Lab 5.
> > >
> > > Regards,
> > >
> > > Wael Sabry
> > >
> > >
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
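For comparison with the CBAC configuration Fang posted, here is the reflexive-ACL version of the same idea that Scott describes: one ACL that "reflects" outgoing sessions and a second one that "evaluates" the resulting table on the return path. This is an added example, not configuration from anyone on the thread; the list and ACL names (MIRROR, OUTBOUND, INBOUND), the timeout values, and FastEthernet0/0 being the outside interface are assumptions. Both ACLs sit on the outside interface here (out and in) rather than on inside/outside, which is the other valid placement.

```cisco
! Added example (not from the thread): reflexive-ACL counterpart of the
! CBAC configuration above. Names, timeouts and the choice of
! FastEthernet0/0 as the outside interface are assumptions.
!
! ACL #1, applied OUTBOUND on the outside interface. Each permitted
! session that leaves creates a temporary mirror entry in list MIRROR.
! Per-line timeouts override the global default below.
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR timeout 300
 permit udp any any reflect MIRROR timeout 60
 permit icmp any any reflect MIRROR timeout 60
 permit ip any any
!
! ACL #2, applied INBOUND on the outside interface. RIP is permitted
! explicitly (it is unsolicited, so it never matches a mirror entry),
! then the reflexive table is consulted, and everything else is dropped
! and logged so unexpected inbound attempts show up in the syslog.
ip access-list extended INBOUND
 permit udp any any eq rip
 evaluate MIRROR
 deny ip any any log
!
! Default lifetime for mirror entries without a per-line timeout.
ip reflexive-list timeout 120
!
interface FastEthernet0/0
 description Outside interface
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification: temporary entries are listed under the reflexive list name.
! show access-lists MIRROR
! show ip access-lists INBOUND
```

Two points this makes concrete: the reflexive approach needs the pair of ACLs and an explicit evaluate line, whereas the CBAC version needs only the ip inspect rule on one interface plus a restrictive inbound ACL; and, as Wael and Rich note earlier in the thread, traffic the router itself originates is not reflected by the outbound ACL, which is why the reflexive solution needs extra handling for locally generated traffic and why CBAC offers the router-traffic keyword.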



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:48 ARST