From: Jason Madsen (madsen.jason@gmail.com)
Date: Sun Nov 23 2008 - 15:00:35 ARST
Local router traffic can be matched with CBAC using the inspect
"router-traffic" option.
Jason
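Applying Jason's point to Reza's R5 task quoted below, as an added example rather than configuration posted in the thread: with the router-traffic keyword on the ICMP inspect rule, R5's own pings to BB2 get a dynamic entry in the INBOUND ACL, so the static echo-reply permit is no longer needed. It assumes an IOS release that supports the keyword (12.3(14)T or later).

```cisco
! Added example, not from the thread: Reza's R5 config reworked so the
! router's own ICMP traffic is tracked by CBAC instead of a static permit.
! Assumes IOS 12.3(14)T or later, where "router-traffic" is available.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp router-traffic
!
! Only sessions the BGP neighbor may initiate toward R5 still need a
! static permit; echo-replies to R5's own pings are now added dynamically.
ip access-list extended INBOUND
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
interface Ethernet0/0
 ip address 192.10.1.5 255.255.255.0
 ip access-group INBOUND in
 ip inspect CBAC out
```

While a ping from R5 to BB2 is running, `show ip inspect sessions` should list the ICMP session; if it does not, the image predates the keyword and the echo-reply permit is still required.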
On Sun, Nov 23, 2008 at 9:23 AM, Reza Toghraee <reza@toghraee.com> wrote:
> Gaurav,
>
> Hope this from my notes helps you make CBAC click in your mind.
>
> Reflexive ACLs and CBAC can both be used to turn the router into a stateful
> firewall. A stateful firewall means that when traffic leaves the network, it
> is noted in a STATE-TABLE. When traffic tries to come back into the network,
> it is only allowed in if there is a previously created entry in the state
> table.
>
> For both of these methods, the ROUTER LOCAL TRAFFIC cannot be matched. You
> need to do PBR to a Loopback interface.
>
> What CBAC can do: Traffic Inspection, SYN flood block, Alerts, Audit,
> Intrusion Prevention FOR PROTOCOLS WHICH IT KNOWS.
> CBAC automatically creates temporary, hidden entries in ACLs (in the
> opposite direction of the packet).
>
> Q: Configure R5 to only allow traffic in on the Ethernet connection if it has
> been originated from inside; use CBAC to do this. For connectivity testing
> purposes ensure that R5 can ping BB2.
>
>
> R5
>
> ip inspect name CBAC tcp
> ip inspect name CBAC udp
> ip inspect name CBAC icmp
> !
> ip access-list extended INBOUND
>  permit icmp any host 192.10.1.5 echo-reply
>  permit tcp any any eq bgp
>  permit tcp any eq bgp any
> !
> interface ethernet 0/0
>  ip address 192.10.1.5 255.255.255.0
>  ip access-group INBOUND in
>  ip inspect CBAC out
> !
>
>
> Notes: the inbound ACL is designed to match the router-originated traffic.
> CBAC applied outbound affects inbound traffic, automatically creating
> entries in the INBOUND ACL.
>
>
> Regards
> Reza Toghraee
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> GAURAV MADAN
> Sent: Sunday, November 23, 2008 6:46 PM
> To: ccie forum
> Subject: CBAC query
>
> Hi Group
>
> I am really confused; trying to figure out how CBAC functions and how it is
> different from reflexive ACLs.
> Here is what I am trying
>
> ip inspect name TEST tcp
> ip inspect name TEST udp
> ip inspect name TEST icmp
>
> R1---f0/1---------------------------R4
> |f0/0
> |
> ====================
>    |            |
>    R2           R3
>
> If I apply "ip inspect TEST in" on f0/0 of R1, what purpose does it serve?
> Does it inspect tcp, udp and icmp traffic coming in f0/0, and is this the
> only traffic allowed to come to the inside network via f0/1?
> I mean, if I want TCP, UDP and ICMP traffic initiated from the inside
> network to access the outside network, what would be the CBAC way of doing
> this and how do I test this?
>
> Is there a good writeup on the same? The DOC CD is not very helpful in this.
>
> Gaurav Madan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST