From: Jason Madsen (madsen.jason@gmail.com)
Date: Sun Nov 23 2008 - 14:59:41 ARST
the main differences between RACL and CBAC that come to my mind include:
1.) RACLs inspect at levels 3, 4, and 5, whereas CBAC inspects up to layer 7
2.) RACLs require a Reflect entry in an ACL going from trust to untrust and
an Evaluate ACL entry going from untrust to trust (place to create the
temporary permit(s) for the return traffic). CBAC requires CBAC-specific
configuration going from the trust to untrust direction only.
3.) RACLs create temporary ACL entries for return traffic that was specified
and originated on the trust side (show ip access will reveal them). CBAC
uses fast switching and places these temporary entries in the FIB.
4.) CBAC uses less router processor and memory and process utilization than
RACLs.
to apply CBAC in your below scenario or any other scenario for that matter,
CBAC is NOT used to deny or allow trusted traffic "out". it is to track
connections (states) and allow specified untrust-to-trust traffic IN to your
network in response to the trust-to-untrust traffic that initiated it.
to answer your other question, "what purpose does it serve to apply your
inspect statement in on f0/0 of R1", this would identify trusted traffic and
then allow its return traffic back into your network from the untrust side
even if there's a "deny ip any any" type ACL there. CBAC in this fashion
would have nothing to do with traffic from R2 and R3 that R1 would allow in
f0/0.
there are decent examples of both RACLs and CBAC in the Doc CD. just look
under 12.4 --> Security --> Traffic Filtering, Firewalls, and Virus
Protection. of course there's the "established" ACL feature as well. it
doesn't really track the states of connections though. it just checks TCP
control flags.
Jason
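Both approaches side by side for Gaurav's topology (f0/0 toward R2/R3 as the trusted side, f0/1 toward R4 as the untrusted side), written as an added example for this thread rather than taken from the posts or from the Doc CD; the ACL and reflexive list names are assumed, and the timeouts are arbitrary.

```cisco
! --- Option A: reflexive ACLs on the untrusted interface (f0/1) ---
! Outbound list: each permit carrying "reflect" records the session so
! that a mirror-image temporary entry is created for the return traffic.
ip access-list extended OUTBOUND
 permit tcp any any reflect RTRAFFIC timeout 300
 permit udp any any reflect RTRAFFIC timeout 60
 permit icmp any any reflect RTRAFFIC
 deny ip any any log
!
! Inbound list: "evaluate" is the point where the temporary entries are
! checked; anything else arriving from the untrusted side is dropped.
ip access-list extended INBOUND-RACL
 evaluate RTRAFFIC
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group OUTBOUND out
 ip access-group INBOUND-RACL in
!
! Verify: "show ip access-lists RTRAFFIC" shows the temporary entries
! while a session started from R2/R3 is open.

! --- Option B: CBAC (ip inspect) ---
! One inspection rule covering the three protocols from the original post.
ip inspect name TEST tcp
ip inspect name TEST udp
ip inspect name TEST icmp
!
! The inbound ACL on the untrusted interface stays a plain deny; CBAC opens
! the return path for inspected sessions dynamically. Anything R4 must be
! allowed to initiate (routing protocol hellos, for example) still needs
! an explicit permit here, since CBAC only tracks inside-initiated flows.
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
! Inspect in the trust-to-untrust direction only: "in" on the trusted
! interface f0/0 (equivalently "out" on f0/1).
interface FastEthernet0/0
 ip inspect TEST in
!
interface FastEthernet0/1
 ip access-group INBOUND-CBAC in
!
! Verify: "show ip inspect sessions" lists tracked connections and
! "show ip inspect interfaces" confirms where the rule is applied.
```

To test either option, start a telnet, a DNS lookup and a ping from R2 toward R4, then run the verify commands on R1 and confirm that R4 cannot initiate the same traffic toward R2.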
On Sun, Nov 23, 2008 at 7:45 AM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:
> Hi Group
>
> I am really confused ; trying to figure out how CBAC functions and how is
> it different from reflexive ACLs.
> Here is what I am trying
>
> ip inspect name TEST tcp
> ip inspect name TEST udp
> ip inspect name TEST icmp
>
> R1---f0/1---------------------------R4
> |f0/0
> |
> ====================
> |                  |
> R2                 R3
>
> If I apply "ip inspect TEST in " on f0/0 of R1 .. what purpose it serves?
> Does it inspect tcp , udp and icmp traffic coming in f0/0 and this is only
> traffic allowed to come to inside network via f0/1
> I mean if I want TCP , UDP and ICMP traffic initiated from inside network
> to access outside network ; what will be CBAC way of doing this and how to
> test this ?
>
> Is there a good writeup on same .. DOC cd is not very helpful in this
>
> Gaurav Madan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST