Hi Jacob,
Thanks, and if possible I will try to SPAN the port and verify.
Regards
Anantha Subramanian Natarajan
On Sun, Sep 6, 2009 at 10:07 PM, Jacob Uecker <juecker_at_ccbootcamp.com> wrote:
> I have always heard of using TCP RSTs instead of FINs. You could always
> use a SPAN port and check :)
>
>
>
> Thanks,
>
> Jacob Uecker
> CCIE# 24481
>
> Development Engineer
> CCBOOTCAMP - Cisco Learning Solutions Partner (CLSP)
> Toll Free: 877-654-2243
> International: +1-702-968-5100
> Skype: skype:ccbootcamp?call
> FAX: +1-702-446-8012
>
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
> ________________________________
>
> From: nobody_at_groupstudy.com on behalf of Anantha Subramanian Natarajan
> Sent: Sun 9/6/2009 7:21 PM
> To: Scott M Vermillion; Cisco certification
> Subject: Re: CBAC
>
>
>
> Thank you Scott M Vermillion for your thoughts and inferences.
>
> Regards
> Anantha Subramanian Natarajan
>
> On Sun, Sep 6, 2009 at 9:19 PM, Scott M Vermillion <scott_ccie_list_at_it-ag.com> wrote:
>
> > My understanding is that it sends TCP RST in both directions, although I
> > couldn't come up with a direct quote to offer as proof (plenty of quotes
> > that state that as fact where TCP intercept is concerned, but not CBAC
> > specifically). A TCP FIN wouldn't be my first guess, as that's the means
> > of closing an *established* socket. What we're dealing with here is
> > half-open connections instead. So my vote is on an RST, but I'm not sure
> > how to lab this up. A means to generate a TCP SYN followed by nothing else
> > would be required. No doubt such a thing exists but I'm just not sure I
> > have it readily available on any of my existing lab gear. Anyone else?
> >
> >
> > On Sep 6, 2009, at 5:17 , Andy Reid wrote:
> >
> >> Hi Anantha,
> >>
> >> I have never noticed that part of the description before : "it notifies
> >> both parties that the connection has been terminated". I can only assume
> >> that it sends a FIN packet in both directions after the timeout occurs
> >> to fully close the connection, though I have not tested this specific
> >> function in my lab, i.e. CBAC sending TCP packets on behalf of hosts.
> >> Can anyone else confirm or otherwise explain the action of "ip inspect
> >> tcp synwait-time".
> >>
> >> Thanks, Andy
> >>
> >> Anantha Subramanian Natarajan wrote:
> >>
> >>> Hi Andy,
> >>>
> >>> Thank you very much for the explanation. I am trying to understand
> >>> the highlighted statement below: how does it notify the parties that the
> >>> connection is terminated? Is it by sending some signal (something like
> >>> RST or ?) ... Kindly help me to understand.
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP session
> >>> to be established (to complete the three-way handshake). The default is 30
> >>> seconds. If the three-way handshake is not completed by the end of this
> >>> timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and *it notifies both parties
> >>> that the connection has been terminated*"
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>> Anantha Subramanian Natarajan
> >>>
> >>> On Sun, Sep 6, 2009 at 9:34 AM, Andy Reid <ccie_at_reid.it> wrote:
> >>>
> >>> Hi Anantha,
> >>>
> >>> The command "ip inspect tcp finwait-time" is used when waiting for
> >>> the FIN packets (default is 5 seconds).
> >>>
> >>> The "ip inspect tcp synwait-time" is used to protect against half
> >>> open sessions (default is 30 seconds) where the session never
> >>> becomes fully established, and therefore FIN packets are never sent.
> >>>
> >>> regards Andy
> >>>
> >>> Anantha Subramanian Natarajan wrote:
> >>>
> >>> Hi All,
> >>>
> >>> I was going through CBAC and trying to understand the different global
> >>> settings on the same. One of them was "ip inspect tcp synwait-time". The
> >>> way in which I understood it was as stated below (actually just pasting
> >>> the statements):
> >>>
> >>> "This command specifies how long the Cisco IOS waits for a TCP session
> >>> to be established (to complete the three-way handshake). The default is
> >>> 30 seconds. If the three-way handshake is not completed by the end of
> >>> this timeout, Cisco IOS removes the entry from its state table and the
> >>> dynamic entry in the ACL (before FAB) and it notifies both parties that
> >>> the connection has been terminated"
> >>>
> >>> In the above, I am trying to understand what kind of notification it
> >>> provides to both parties when the timeout is reached. Is it TCP RST or
> >>> something different?
> >>>
> >>> Kindly let me know.
> >>>
> >>> Thanks for the help
> >>>
> >>> Regards
> >>>
> >>> Anantha Subramanian Natarajan
> >>>
> >>> Blogs and organic groups at http://www.ccie.net
> >>>
> >>> _______________________________________________________________________
> >>> Subscription information may be found at:
> >>> http://www.groupstudy.com/list/CCIELab.html
> >>>
> >>
> >>
>
>
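Scott asks above for "a means to generate a TCP SYN followed by nothing else", and Jacob suggests putting a SPAN port on the link and checking. The Python script below is an added example, not code from anyone in this thread or from Cisco: it builds a bare SYN with correct IP and TCP checksums (putting it on the wire through a raw socket needs root), and it classifies, from IPv4 packets captured on the SPAN port, whether an RST, a FIN or nothing was seen heading toward each party of one flow. The addresses, ports and the sample capture are constructed for the example; it assumes the 14-byte Ethernet header has already been stripped from captured frames and that the flow is identified by its 4-tuple.

```python
"""Lab helper for the question in this thread: send a lone TCP SYN so CBAC
holds a half-open session, then classify what the router sends to each
party when synwait-time expires, from IPv4 packets captured off a SPAN port.
Added example; addresses, ports and the sample capture are constructed."""
import socket
import struct

# TCP control bits (low byte of the flags field)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): ones'-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0) -> bytes:
    """Return a complete IPv4 packet carrying a 20-byte TCP header with the
    given flags and no payload; both checksums are filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def send_raw(packet: bytes, dst_ip: str) -> None:
    """Put one prebuilt packet on the wire. Needs root/CAP_NET_RAW; on Linux
    IPPROTO_RAW implies IP_HDRINCL, so our own IP header is sent as-is."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    try:
        s.sendto(packet, (dst_ip, 0))
    finally:
        s.close()


def parse_tcp(packet: bytes):
    """(src, dst, sport, dport, flags) for an IPv4/TCP packet, else None.
    Expects the IP packet, i.e. the 14-byte Ethernet header already removed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            sport, dport, packet[ihl + 13])


def tcp_checksum_ok(packet: bytes) -> bool:
    """A correct TCP checksum makes pseudo-header + segment sum to zero."""
    ihl = (packet[0] & 0x0F) * 4
    seg = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def teardown_verdict(packets, client_ip, server_ip, sport, dport):
    """Report which teardown segment (RST, FIN or nothing) was seen heading
    toward the client and toward the server for one flow. A router resetting
    'on behalf of' the client uses the client's addresses, so at layer 3 that
    segment looks exactly like one the client sent itself."""
    to_client = to_server = 0
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, dst, sp, dp, flags = parsed
        if (src, dst, sp, dp) == (server_ip, client_ip, dport, sport):
            to_client |= flags & (RST | FIN)
        elif (src, dst, sp, dp) == (client_ip, server_ip, sport, dport):
            to_server |= flags & (RST | FIN)

    def name(f):
        return "RST" if f & RST else "FIN" if f & FIN else "nothing"

    return name(to_client), name(to_server)


if __name__ == "__main__":
    # Constructed capture: the lone SYN, then an RST in each direction, which
    # is what the thread expects CBAC to send. Replace with SPAN-port frames.
    C, S = "10.0.0.10", "192.0.2.80"
    capture = [
        build_tcp(C, S, 40000, 80, SYN, seq=1000),
        build_tcp(S, C, 80, 40000, RST | ACK, ack=1001),
        build_tcp(C, S, 40000, 80, RST, seq=1001),
    ]
    print(teardown_verdict(capture, C, S, 40000, 80))
    # send_raw(capture[0], S)  # run as root on the lab client to open the session
```

Two practical points when running this against a real router. To keep the session half-open the target must not answer the SYN: aim it at an address behind the router that silently drops, or filter the SYN-ACK on the target, because if a SYN-ACK comes back, the sending host's kernel, which owns no socket for that port, resets the connection itself and the synwait-time timer never fires. Capture for longer than the synwait-time in effect (30 seconds by default, per the text quoted in the thread), and since a reset sent on the client's behalf carries the client's IP address, compare the source MAC of the captured frame with the router's interface MAC to confirm who actually sent it.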
Received on Sun Sep 06 2009 - 22:18:16 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:02 ART