Re: CBAC query

From: Pavel Bykov (slidersv@gmail.com)
Date: Mon Nov 24 2008 - 04:17:20 ARST


Whoa, Jason, this goes directly into my notes once I verify it in the lab.
This is great. Thanks!

On Sun, Nov 23, 2008 at 6:00 PM, Jason Madsen <madsen.jason@gmail.com> wrote:

> Local router traffic can be matched with CBAC using the inspect
> "router-traffic" option.
>
> Jason
>
> On Sun, Nov 23, 2008 at 9:23 AM, Reza Toghraee <reza@toghraee.com> wrote:
>
> > Gaurav,
> >
> > Hope this from my notes helps you make CBAC click in your mind.
> >
> > Reflexive ACLs and CBAC can both be used to turn the router into a stateful
> > firewall. A stateful firewall means that when traffic leaves the network,
> > it is noted in a STATE-TABLE. When traffic tries to come back into the
> > network, it is only allowed in if there is a previously created entry in
> > the state table.
> >
> > For both of these methods, the ROUTER LOCAL TRAFFIC cannot be matched. You
> > need to do PBR to a Loopback interface.
> >
> > What CBAC can do: Traffic Inspection, SYN flood block, Alerts, Audit,
> > Intrusion Prevention FOR PROTOCOLS WHICH IT KNOWS.
> > CBAC creates temporary entries in ACLs (in the opposite direction of the
> > packet) automatically and hidden.
> >
> > Q: Configure R5 to only allow traffic in on the Ethernet connection if it
> > has been originated from inside; use CBAC to do this. For connectivity
> > testing purposes ensure that R5 can ping BB2.
> >
> >
> > R5
> >
> > ip inspect name CBAC tcp
> > ip inspect name CBAC udp
> > ip inspect name CBAC icmp
> > !
> > ip access-list extended INBOUND
> > permit icmp any host 192.10.1.5 echo-reply
> > permit tcp any any eq bgp
> > permit tcp any eq bgp any
> > !
> > interface ethernet 0/0
> > ip address 192.10.1.5 255.255.255.0
> > ip access-group INBOUND in
> > ip inspect CBAC out
> > !
> >
> >
> > notes: the inbound ACL is designed to match the router originated
> > traffic. CBAC applied outbound affects inbound traffic; it automatically
> > creates entries in the INBOUND ACL.
> >
> >
> > Regards
> > Reza Toghraee
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > GAURAV MADAN
> > Sent: Sunday, November 23, 2008 6:46 PM
> > To: ccie forum
> > Subject: CBAC query
> >
> > Hi Group
> >
> > I am really confused; trying to figure out how CBAC functions and how it
> > is different from reflexive ACLs.
> > Here is what I am trying
> >
> > ip inspect name TEST tcp
> > ip inspect name TEST udp
> > ip inspect name TEST icmp
> >
> > R1---f0/1---------------------------R4
> > |f0/0
> > |
> > ====================
> > |                  |
> > R2                 R3
> >
> > If I apply "ip inspect TEST in" on f0/0 of R1, what purpose does it serve?
> > Does it inspect tcp, udp and icmp traffic coming in f0/0, and is this the
> > only traffic allowed to come to the inside network via f0/1?
> > I mean, if I want TCP, UDP and ICMP traffic initiated from the inside
> > network to access the outside network, what will be the CBAC way of doing
> > this and how to test this?
> >
> > Is there a good writeup on the same? The DOC CD is not very helpful in this.
> >
> > Gaurav Madan
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>

-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
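To make Reza's description concrete, here is an added Python model (not from anyone in this thread) of R5's ethernet 0/0 with the INBOUND ACL and the CBAC inspect rule from his config: outbound inspected flows add a temporary return entry, and inbound packets are checked against those entries before the static ACEs. The inside host 10.5.5.5 and the BB2 address 192.10.1.254 are constructed, and the `router_local` flag stands in for the fact that plain `ip inspect ... out` does not inspect traffic the router itself originates (Jason's `router-traffic` option is not modelled).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # ICMP: unused (0)
    dport: int   # ICMP: message type (8 = echo, 0 = echo-reply)

BGP = 179
INSPECTED = {"tcp", "udp", "icmp"}   # ip inspect name CBAC tcp / udp / icmp

def return_flow(f: Flow) -> Flow:
    """The reply packet CBAC expects back for an inspected outbound flow."""
    if f.proto == "icmp":             # echo (8) is answered by echo-reply (0)
        return Flow("icmp", f.dst, f.src, 0, 0 if f.dport == 8 else f.dport)
    return Flow(f.proto, f.dst, f.src, f.dport, f.sport)

def inbound_static_permit(f: Flow) -> bool:
    """The three explicit ACEs of 'ip access-list extended INBOUND'."""
    if f.proto == "icmp" and f.dst == "192.10.1.5" and f.dport == 0:
        return True                   # permit icmp any host 192.10.1.5 echo-reply
    if f.proto == "tcp" and (f.dport == BGP or f.sport == BGP):
        return True                   # permit tcp any any eq bgp / any eq bgp any
    return False

class R5Ethernet:
    """'ip inspect CBAC out' plus 'ip access-group INBOUND in' on ethernet 0/0."""
    def __init__(self) -> None:
        self.dynamic: set[Flow] = set()   # temporary entries CBAC adds to INBOUND

    def outbound(self, f: Flow, router_local: bool = False) -> str:
        # Router-originated traffic (router_local=True, an assumption of this
        # model) is not inspected, so no return entry is created for it; that is
        # why the static echo-reply ACE is needed for R5's own pings to BB2.
        if f.proto in INSPECTED and not router_local:
            self.dynamic.add(return_flow(f))
        return "permit"

    def inbound(self, f: Flow) -> str:
        if f in self.dynamic:
            return "permit (CBAC dynamic entry)"
        if inbound_static_permit(f):
            return "permit (static INBOUND ACE)"
        return "deny (implicit deny at end of INBOUND)"
```

Note that an unsolicited echo-reply to an inside host is dropped even though the same reply to 192.10.1.5 is permitted, which is exactly the split between the static ACE (router's own pings) and the dynamic entries (inside-originated traffic).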




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:31 ARST