Re: Reflexive ACL and CBAC : Traffic locally generated (BGP)

From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Fri Feb 13 2009 - 10:25:07 ARST


Look out for these restrictions in the exam :-)

I would go to the exam thinking this: I have 2 ways of dealing with the
situation. If a restriction is put on one of them, I use the other one. If
the restriction is on both of them, well.....I am smoked! I would look for
the third way of doing it then :-)

Else, the proctor is my friend anyway (or so we have heard)

HTH,

Sadiq

On Fri, Feb 13, 2009 at 12:14 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:

> Hi there,
>
> I found out that in CBAC, with the "router-traffic" option (for instance: ip
> inspect name CCIE-CBAC tcp router-traffic), this can be solved.
>
> Then the issue is just with RACL.
>
> Regards
>
> ----- Original Message ----- From: "Edouard Zorrilla" <
> ezorrilla@tsf.com.pe>
> To: <security@groupstudy.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Friday, February 13, 2009 6:44 AM
> Subject: Reflexive ACL and CBAC : Traffic locally generated (BGP)
>
>
>
> Hi,
>>
>> We know that locally generated traffic is not affected by outbound
>> access-lists. This means that the local BGP traffic going out will not be
>> subject to the reflection of the ACL, hence when evaluation occurs inbound
>> the return BGP session will be denied.
>>
>> In the LAB:
>>
>> If I am asked to run RACL or CBAC,
>>
>> 1.-
>> Should I use local policy routing, as this forces the traffic to be
>> treated as transit traffic and so it is reflected by the outbound
>> access-list?
>>
>> or
>>
>> 2.-
>> Should I fix this by statically permitting the session back inbound with
>> specific ACLs?
>>
>>
>> Any advice would be appreciated !
>>
>> Thanks,
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>

-- 
CCIE #19963
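
The three approaches discussed in this thread, written out as an added Cisco IOS configuration example. This is not configuration from any of the posts above; the topology, addresses, AS numbers, interface and ACL names are assumptions made for illustration only.

```cisco
! Assumed topology (constructed for this example): R1 Fa0/0 is the outside
! interface, 10.1.1.1/24, in AS 65001, peering with 10.1.1.2 in AS 65002.
router bgp 65001
 neighbor 10.1.1.2 remote-as 65002
!
! --- Baseline reflexive ACL: transit sessions work, router-originated BGP breaks ---
ip access-list extended OUTBOUND
 permit tcp any any reflect RACL-MIRROR timeout 300
 permit udp any any reflect RACL-MIRROR
 permit icmp any any reflect RACL-MIRROR
!
ip access-list extended INBOUND
 evaluate RACL-MIRROR
 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Problem: R1's own SYN to 10.1.1.2:179 bypasses OUTBOUND, so no RACL-MIRROR
! entry is created and the neighbor's SYN/ACK is dropped by INBOUND.
! "show ip access-lists RACL-MIRROR" stays empty for port 179.
!
! --- Option 1: local policy routing sends local traffic through the forwarding
!     path, so OUTBOUND sees it and reflects it (assumed ACL/route-map names) ---
ip access-list extended LOCAL-BGP
 permit tcp host 10.1.1.1 host 10.1.1.2 eq bgp
 permit tcp host 10.1.1.1 eq bgp host 10.1.1.2
!
route-map LOCAL-PBR permit 10
 match ip address LOCAL-BGP
 set ip next-hop 10.1.1.2
!
ip local policy route-map LOCAL-PBR
!
! --- Option 2: static permit for the return traffic, sequenced before the
!     evaluate entry (the evaluate line takes sequence 10 by default) ---
ip access-list extended INBOUND
 5 permit tcp host 10.1.1.2 eq bgp host 10.1.1.1
 6 permit tcp host 10.1.1.2 host 10.1.1.1 eq bgp
!
! --- Option 3: CBAC instead of the reflect/evaluate pair; router-traffic makes
!     the inspection engine track sessions the router itself originates ---
ip inspect name CCIE-CBAC tcp router-traffic
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface FastEthernet0/0
 no ip access-group OUTBOUND out
 no ip access-group INBOUND in
 ip inspect CCIE-CBAC out
 ip access-group INBOUND-CBAC in
```

Verify whichever option is applied with "show ip bgp summary" (state must reach Established), "show ip access-lists RACL-MIRROR" for Option 1 (an entry for port 179 should now appear) and "show ip inspect sessions" for Option 3. Two caveats: Option 1 and Option 3 only cover sessions R1 opens; if the neighbor opens the session, its SYN to 10.1.1.1:179 must still be permitted inbound explicitly (Option 2's second line does that). And the router-traffic keyword is only accepted on IOS releases that include CBAC support for router-generated traffic, so check it parses on the lab image before relying on it.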


This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST