Re: Fwd: CBAC with/or without FAB

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Thu, 10 Sep 2009 11:47:56 -0400

OK, couldn't resist and checked that :)
Before FAB you see the dynamic ACL entries at the top of the ACL on
the returning interface. With FAB you see only manually configured
entries. In this case, the router uses the state table to allow
returning traffic and the ACL to filter traffic which has no entries in
the state table.
Thus, with FAB you need to examine the CBAC state table (#show ip inspect
sessions) to see if it works.
However, my previous statement is true and FAB cannot be disabled.

--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
>
> Hi All,
>
> I was going through CBAC and understood (assuming I understood
> rightly) that there are differences in the way the router looks at/inspects the
> returning traffic. The way in which I understood it is:
>
> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there would be
> dynamically created ACL entries at the top lines of the inbound ACL applied to
> the external interface, based on the state table (show ip inspect
> sessions). This will allow returning traffic coming from the
> outside (external) which was previously originated and inspected by CBAC from
> inside.
>
> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the state
> table to allow the returning traffic.
>
> Is my above understanding right? If so, my questions are:
>
> 1) How do I verify whether CBAC on that particular router platform is done
> with FAB or not, e.g. by show commands? I was thinking of checking, by doing
> show ip access-lists, whether the entries are dynamically created; if so, it is
> without FAB, otherwise it is with FAB. Is that the right way to verify?
>
> 2) In terms of the OEQ, if a question asks to explain CBAC operation, I am at this
> moment thinking of explaining both of the above, assuming I didn't hear
> something wrong about those from you all.
>
> Kindly let me know your comments and corrections.
>
> Thanks for the great help
>
> Regards
> Anantha Subramnanian Natarajan
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Thu Sep 10 2009 - 11:47:56 ART
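The configuration and verification commands the thread is discussing, shown as an added example that is not part of either post. Interface names, addresses, the ACL name OUTSIDE-IN and the inspection rule name CBAC are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed names: outside Fa0/0, inside Fa0/1,
! ACL OUTSIDE-IN, inspection rule CBAC; addresses from documentation ranges.
!
! Inspection rule: track TCP and UDP sessions that leave through the outside
! interface so their return traffic is admitted from the state table.
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
! Inbound ACL on the outside interface. Only what is explicitly permitted here,
! plus (with FAB) whatever matches a session in the inspect state table, gets in.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 22
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect CBAC out
!
interface FastEthernet0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
! Verification from exec mode, after an inside host opens a session outbound:
!   show ip inspect config            - inspection rules as configured
!   show ip inspect interfaces        - which interface/direction each rule is on
!   show ip inspect sessions          - the state table; this is the authoritative
!                                       check on a FAB image
!   show ip inspect sessions detail   - per-session counters
!   show ip access-lists OUTSIDE-IN   - on a pre-FAB image the dynamic permit
!                                       entries appear above the configured lines;
!                                       with FAB only the configured lines appear
```

The `deny ip any any log` line is what makes the FAB behaviour visible: returning traffic for an inspected session is admitted from the state table before the ACL is consulted, so it never hits the deny and never appears in the log, while the ACL itself keeps showing only the two configured lines.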