Re: Fwd: CBAC with/or without FAB

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Thu, 10 Sep 2009 11:59:03 -0400

Anantha,

What are your thoughts on this topic WRT the doc CD? Is the doc CD easy to
follow in your opinion?

Also ... after going through this as you have, do you feel that you only
have to lab this 1 or 2 times and then just reference the doc CD in case it
comes up? Or ... do you feel this is something you need to do many times?

I have not labbed this for at least two months now ... but used to configure
this several years ago for many small businesses. Curious to hear your
opinion,

Andrew

On Thu, Sep 10, 2009 at 11:47 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:

> OK, couldn't resist and checked that :)
> Before FAB you see the dynamic ACL entries at the top of the ACL on the
> returning interface. With FAB you see only manually configured entries. In
> this case, the router uses the state table to allow returning traffic and the
> ACL to filter traffic which has no entries in the state table.
> Thus, with FAB you need to examine the CBAC state table (#ip inspect session)
> to see if it works.
> However, my previous statement is true and FAB cannot be disabled.
>
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
>
>
>
>> Hi All,
>>
>> I was going through CBAC and understood (assuming I rightly
>> understood) that there are differences in the way the router looks at/inspects
>> the returning traffic. The way in which I understood it is:
>>
>> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there would
>> be dynamically created ACL entries at the top lines of the inbound
>> ACL applied to the external interface, based on the state table (show ip
>> inspect sessions). This will allow returning traffic coming from the
>> outside (external) which was previously originated and inspected by CBAC
>> from inside.
>>
>> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the state
>> table to allow the returning traffic.
>>
>> Is my above understanding right? If so, my questions are:
>>
>> 1) How to verify whether the CBAC in that particular router platform is
>> done with FAB or not, like by show commands ... I was thinking to see, by doing
>> show ip access-list, if the entries are dynamically created, then it is
>> without FAB, or the other way ... Is that the right way to verify?
>>
>> 2) In terms of OEQ, if a question is put to explain CBAC operation, I am at
>> this moment thinking of explaining both the above, assuming I didn't hear
>> something wrong about those from you all.
>>
>> Kindly let me know your comments and corrections.
>>
>> Thanks for the great help
>>
>> Regards
>> Anantha Subramnanian Natarajan
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Received on Thu Sep 10 2009 - 11:59:03 ART
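The check Piotr describes, written out as an added example (not configuration posted by anyone in this thread). It assumes a two-interface IOS router with a hypothetical inspect rule named CBAC and an inbound ACL named OUTSIDE-IN on the outside interface; interface names and the 203.0.113.0/24 and 192.168.1.0/24 addresses are placeholders chosen for the example:

```cisco
! --- CBAC inspection rule (name "CBAC" is assumed for this example) ---
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! --- Inbound ACL on the outside interface: only what is explicitly
!     permitted here gets in; returning traffic for inspected sessions
!     is handled by the CBAC state table, not by this ACL ---
ip access-list extended OUTSIDE-IN
 permit icmp any any echo-reply
 deny   ip any any log
!
! --- Outside interface: the ACL filters inbound packets ---
interface FastEthernet0/0
 description OUTSIDE (example address)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! --- Inside interface: inspect traffic leaving the LAN ---
interface FastEthernet0/1
 description INSIDE (example address)
 ip address 192.168.1.1 255.255.255.0
 ip inspect CBAC in
!
! --- Verification after generating traffic from 192.168.1.0/24 ---
! 1) The state table is the authoritative place to confirm inspection is
!    working; each inspected flow shows up here with its source/destination.
show ip inspect sessions
show ip inspect sessions detail
!
! 2) On a FAB-capable IOS the ACL shows only the manually configured lines
!    above (no dynamic "permit" entries inserted at the top), which is
!    expected, not a sign that CBAC is failing. On pre-FAB IOS the same
!    command shows the dynamic entries ahead of the configured ones.
show ip access-lists OUTSIDE-IN
!
! 3) Confirm the rule set and timeouts actually applied.
show ip inspect config
```

Reading the two show outputs together is the point: hit counts on the static OUTSIDE-IN lines tell you what the ACL blocked or allowed explicitly, while the entries in `show ip inspect sessions` tell you which returning flows the state table is admitting around that ACL.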

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART