RE: Reflexive access lists

From: Scott Morris (swm@emanon.com)
Date: Sat Jul 19 2008 - 10:59:00 ART


In a nutshell, there are two pieces: the ACL that defines what traffic is
allowed to leave the network, and the ACL that defines what traffic is
allowed to come back in to the network.
 
In between those, we have what boils down to a state table. (You've heard
of a stateful firewall, right?)
 
You define what entries are made to the state table with your ACL for
traffic leaving. You can "permit ip any any reflect Table-Name" if you want
to allow everything out, but put entries in the table.
 
On the ACL coming back in, in order to protect your network you may have
something like:
 
access-list 101 permit tcp any host 100.1.1.11 eq pop3
access-list 101 permit tcp any host 100.1.1.11 eq smtp
access-list 101 permit tcp any host 100.1.1.12 eq www
access-list 101 deny ip any any
 
Now, that definitely protects the network because it only allowed e-mail
traffic and web server traffic. But it really doesn't help with the
outbound communications!
 
So, since we're building our state table, we need to remind the router to
check it!
 
no access-list 101
access-list 101 permit tcp any host 100.1.1.11 eq pop3
access-list 101 permit tcp any host 100.1.1.11 eq smtp
access-list 101 permit tcp any host 100.1.1.12 eq www
access-list 101 evaluate Table-Name
access-list 101 deny ip any any log
 
And now any entries of the state table will be checked and allowed back in.
 
This has more floating pieces than CBAC does, but since it's still on the
blueprint, we should at least be vaguely familiar with its configuration!
 
HTH,
 

Scott Morris, CCIE4 #4713, JNCIE-M #153, JNCIS-ER, CISSP, et al.
CCSI/JNCI-M/JNCI-ER
Senior CCIE Instructor

smorris@internetworkexpert.com

 

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Online Community: http://www.IEOC.com
CCIE Blog: http://blog.internetworkexpert.com

Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil......
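Scott's numbered lists above show the logic, but IOS only accepts the reflect and evaluate keywords inside named extended ACLs. Below is an added, complete example (not from Scott's post) of the same design in the syntax the router actually takes; the ACL names OUTBOUND and INBOUND, the interface, the timeout values and the sample show output are assumptions.

```cisco
! Added example, not from the original post. Same hosts and reflexive list
! name (Table-Name) as in the reply above; ACL names, interface and timeouts
! are assumed.
!
! Outbound: let everything out, but record each TCP/UDP/ICMP session in
! Table-Name. Entries from this line expire 120 s after the last packet
! (assumed value); TCP entries are also torn down when FIN/RST is seen.
ip access-list extended OUTBOUND
 permit ip any any reflect Table-Name timeout 120
!
! Inbound: static holes for the mail and web servers, then the state table,
! then an explicit logged deny. Order matters: "evaluate" must come before
! the deny, or the returning traffic is dropped before the table is checked.
ip access-list extended INBOUND
 permit tcp any host 100.1.1.11 eq pop3
 permit tcp any host 100.1.1.11 eq smtp
 permit tcp any host 100.1.1.12 eq www
 evaluate Table-Name
 deny ip any any log
!
! Default lifetime for reflexive entries whose reflect line sets no timeout
! (IOS default is 300 s; set explicitly here so the value is visible).
ip reflexive-list timeout 300
!
! Apply both ACLs on the outside interface (interface name assumed):
! outbound traffic populates the table, inbound traffic is checked against it.
interface FastEthernet0/1
 description Outside / Internet
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Verification. After an inside host (10.1.1.20, assumed) opens a web
! connection to 203.0.113.5 (assumed), the dynamic entry appears with source
! and destination swapped. Constructed sample output, format approximate:
!
!   Router# show ip access-lists Table-Name
!   Reflexive IP access list Table-Name
!        permit tcp host 203.0.113.5 eq www host 10.1.1.20 eq 50123 (time left 118)
!
! Caveat: reflexive ACLs only track the 5-tuple of the original flow, so
! protocols that open a second channel on new ports (e.g. active FTP data)
! are not allowed back in by "evaluate"; that is what CBAC adds on top.
```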
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Ibrahim kabir
Sent: Saturday, July 19, 2008 4:01 AM
To: ccielab@groupstudy.com
Subject: Reflexive access lists

Hello guys,

I'm having a tough time understanding reflexive access-lists. I read the
documentation but it's way too hard to understand. Please could someone help me
out with a link or explain it better for me.

Thanks
Kabir K Ibrahim
B.sc CCNA CCNP CCDA CCDP MCP



This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:55 ART