Re: Fwd: CBAC with/or without FAB

From: Anantha Subramanian Natarajan <anantha.natarajan_at_gravitant.com>
Date: Thu, 10 Sep 2009 12:22:47 -0500

Hi Andrew,

    I am referring to Richard Deal's book on IOS firewall security for
CBAC and some other security-related topics (it looks great to me, but it's a
lot of information to go through for the lab (I guess we could make an
intelligent guess about what to read and not); again I may be totally wrong,
obviously would hear the expert comments if they contradict so); in addition I
also used the IE workbook technology labs for the same. For shame, I have not yet
fully read the Doc CD; hopefully I will do it soon to have a comment on it.

My gut feeling, as you mentioned, is that if it comes to the lab, refer to the doc CD
and all should be good (obviously making sure it didn't block any router-originated
traffic like routing protocol/multicast traffic or anything else it could
potentially block).

My real concern for this is on the OEQ section. It seems there is no boundary
on what they could ask or what they feel we should know. I feel as long as
we know what the technology behind it is, it should be fine, but I am nowhere near
to it for saying it for sure. So I have to think about what questions they could ask on
CBAC and other technologies.

I hope I answered your question and somehow did not confuse you.

Thanks

Regards
Anantha Subramanian Natarajan

On Thu, Sep 10, 2009 at 10:59 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:

> Anantha,
>
> What are your thoughts on this topic WRT the doc CD? Is the doc CD easy to
> follow in your opinion?
>
> Also ... after going through this as you have, do you feel that you only
> have to lab this 1 or 2 times and then just reference the doc CD in case it
> comes up? Or ... do you feel this is something you need to do many times?
>
> I have not labbed this for at least two months now ... but used to
> configure this several years ago for many small businesses. Curious to hear
> your opinion,
>
> Andrew
>
> On Thu, Sep 10, 2009 at 11:47 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>
>> OK, couldn't resist and checked that :)
>> Before FAB you see the dynamic ACL entries at the top of the ACL on the
>> returning interface. With FAB you see only manually configured entries. In
>> this case, the router uses the state table to allow returning traffic and the
>> ACL to filter traffic which has no entries in the state table.
>> Thus, with FAB you need to examine CBAC state table (#ip inspect session)
>> to see if it works.
>> However, my previous statement is true and FAB cannot be disabled.
>>
>> --
>> Piotr Matusiak
>> CCIE #19860 (R&S, SEC)
>>
>>
>>> Hi All,
>>>
>>> I was going through CBAC and understood (assuming I rightly
>>> understood) that there are differences in the way the router looks at/inspects
>>> the returning traffic. The way in which I understood it is,
>>>
>>> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there would
>>> be dynamically created ACL entries at the top lines of the inbound ACL
>>> applied to the external interface, based on the state table (show ip
>>> inspect sessions). This will allow returning traffic coming from the
>>> outside (external) which was previously originated and inspected by CBAC
>>> from inside.
>>>
>>> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the
>>> state table to allow the returning traffic.
>>>
>>> Is my above understanding right? If so, my questions are
>>>
>>> 1) How to verify whether the CBAC in that particular router platform is
>>> done with FAB or not, like by show commands ... I was thinking to see, by
>>> doing show ip access-list, if the entries are dynamically created, then it
>>> is without FAB, or the other way ... Is that the right way to verify?
>>>
>>> 2) In terms of OEQ, if a question is put to explain CBAC operation, I am at
>>> this moment thinking of explaining both the above, assuming I didn't hear
>>> something wrong about those from you all.
>>>
>>> Kindly let me know your comments and corrections.
>>>
>>> Thanks for the great help
>>>
>>> Regards
>>> Anantha Subramanian Natarajan
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com

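An added lab-style configuration (not from anyone in this thread) for the setup discussed above: inspection applied inbound on the inside interface, a restrictive inbound ACL on the outside interface that still statically permits the routing-protocol and multicast traffic the router itself needs, and the two show commands used to tell whether returning traffic is being admitted by dynamic ACL entries (pre-FAB) or by the state table alone (FAB). Interface names, addresses, the inspection rule name CBAC and the ACL name OUTSIDE_IN are assumed.

```ios
! --- CBAC inspection rule (name assumed) ---
! Sessions originated from the inside are recorded in the state table
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
! --- Inbound ACL on the outside interface (name assumed) ---
! Returning traffic for inspected sessions is admitted either by the
! state table (FAB) or, on pre-FAB code, by dynamic permit entries CBAC
! inserts above these lines. Traffic the router itself originates out of
! the outside interface never enters the inside interface, so it is not
! inspected: routing-protocol and multicast neighbours must be permitted
! here explicitly or adjacencies will drop once the ACL is applied.
ip access-list extended OUTSIDE_IN
 permit ospf any any
 permit eigrp any any
 permit pim any any
 permit igmp any any
 deny   ip any any log
!
interface FastEthernet0/0
 description Inside (assumed)
 ip address 10.1.1.1 255.255.255.0
 ip inspect CBAC in
!
interface FastEthernet0/1
 description Outside (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
!
! --- Verification (exec mode) ---
! State table: one entry per inspected session, with or without FAB
!   show ip inspect sessions
! With FAB only the static lines above are listed; without FAB, dynamic
! permit entries for the return traffic appear at the top of the ACL
!   show ip access-list OUTSIDE_IN
```

Generate a session from an inside host first (for example a TCP connection to an outside address), then run both show commands: a populated state table with an unchanged ACL listing is the FAB behaviour Piotr describes.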
Received on Thu Sep 10 2009 - 12:22:47 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART