Hi Piotr Matusiak,
Awesome and thanks for the help.
This may be a bad question, but it is lingering in my mind: if there is a question
related to CBAC in the open-ended questions, and that question indirectly makes
you answer how CBAC works on a Cisco IOS router, do I have to
mention CBAC operation with and without FAB?
Thank you for the help
Regards
Anantha Subramanian Natarajan
On Thu, Sep 10, 2009 at 10:47 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> OK, couldn't resist and checked that :)
> Before FAB you see the dynamic ACL entries at the top of the ACL on the
> returning interface. With FAB you see only manually configured entries. In
> this case, the router uses the state table to allow returning traffic and the
> ACL to filter traffic which has no entries in the state table.
> Thus, with FAB you need to examine CBAC state table (#ip inspect session)
> to see if it works.
> However, my previous statement is true and FAB cannot be disabled.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
>
>
>> Hi All,
>>
>> I was going through CBAC and understood (assuming I understood
>> rightly) that there are differences in the way the router looks at/inspects the
>> returning traffic. The way in which I understood it is:
>>
>> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there would
>> be dynamically created ACL entries at the top lines of the inbound
>> ACL applied to the external interface, based on the state table (show ip
>> inspect sessions). This will allow returning traffic coming from the
>> outside (external) which was previously originated and inspected by CBAC
>> from inside.
>>
>> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the state
>> table to allow the returning traffic.
>>
>> Is my above understanding right? If so, my questions are:
>>
>> 1) How to verify whether CBAC on that particular router platform is
>> done with FAB or not, like by show commands? I was thinking of doing
>> show ip access-list: if the entries are dynamically created, then it is
>> without FAB, or the other way around. Is that the right way to verify?
>>
>> 2) In terms of OEQ, if a question is put to explain CBAC operation, I am at
>> this moment thinking of explaining both of the above, assuming I didn't hear
>> something wrong about those from you all.
>>
>> Kindly let me know your comments and corrections.
>>
>> Thanks for the great help
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Thu Sep 10 2009 - 10:53:22 ART
This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART