No problem, Andrew, and you too have a great day.
Regards
Anantha Subramanian Natarajan
On Thu, Sep 10, 2009 at 1:27 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
> Thanks.
>
> Sounds good Anantha, would also be interesting to hear others opinions.
> Have a great day Anantha
>
> On Thu, Sep 10, 2009 at 1:22 PM, Anantha Subramanian Natarajan <
> anantha.natarajan_at_gravitant.com> wrote:
>
>> Hi Andrew,
>>
>> I am referring to the Richard Deal book on IOS firewall security for
>> CBAC and some other security-related topics (it looks great to me, but it's
>> a lot of information to go through for the lab; I guess we could make an
>> intelligent guess about what to read and what not to, though again I may be
>> totally wrong and would obviously hear the experts' comments if they
>> contradict this). In addition, I also used the IE workbook technology labs
>> for the same. For shame, I have not yet fully read the Doc CD; hopefully I
>> will do it soon so I can comment on it.
>>
>> My gut feeling, as you mentioned, is that if it comes up in the lab, refer
>> to the Doc CD and all should be good (obviously making sure it didn't block
>> any router-originated traffic like routing protocol/multicast traffic, or
>> anything else it could potentially block).
>>
>> My real concern for this is the OEQ section. It seems there is no
>> boundary on what they could ask or what they feel we should know. I feel
>> that as long as we know the technology behind it we should be fine, but I
>> am nowhere near being able to say that for sure. So I have to think about
>> what questions they could ask on CBAC and other technologies.
>>
>> I hope I answered your question and somehow did not confuse you.
>>
>> Thanks
>>
>> Regards
>> Anantha Subramanian Natarajan
>>
>> On Thu, Sep 10, 2009 at 10:59 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>
>>> Anantha,
>>>
>>> What are your thoughts on this topic WRT the Doc CD? Is the Doc CD easy
>>> to follow in your opinion?
>>>
>>> Also ... after going through this as you have, do you feel that you only
>>> have to lab this 1 or 2 times and then just reference the Doc CD in case it
>>> comes up? Or ... do you feel this is something you need to do many times?
>>>
>>> I have not labbed this for at least two months now ... but used to
>>> configure this several years ago for many small businesses. Curious to hear
>>> your opinion,
>>>
>>> Andrew
>>>
>>> On Thu, Sep 10, 2009 at 11:47 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>>>
>>>> OK, couldn't resist and checked that :)
>>>> Before FAB you see the dynamic ACL entries at the top of the ACL on the
>>>> returning interface. With FAB you see only manually configured entries. In
>>>> this case, the router uses the state table to allow returning traffic and
>>>> the ACL to filter traffic which has no entries in the state table.
>>>> Thus, with FAB you need to examine the CBAC state table (#ip inspect
>>>> session) to see if it works.
>>>> However, my previous statement is true and FAB cannot be disabled.
>>>>
>>>> --
>>>> Piotr Matusiak
>>>> CCIE #19860 (R&S, SEC)
>>>>
>>>>
>>>>
>>>>> Hi All,
>>>>>
>>>>> I was going through CBAC and understood (assuming I rightly
>>>>> understood) that there are differences in the way the router looks at/
>>>>> inspects the returning traffic. The way I understood it is,
>>>>>
>>>>> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there
>>>>> would be dynamically created ACL entries at the top of the inbound ACL
>>>>> applied to the external interface, based on the state table (show ip
>>>>> inspect sessions). This will allow returning traffic coming from the
>>>>> outside (external) which was previously originated from inside and
>>>>> inspected by CBAC.
>>>>>
>>>>> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the
>>>>> state table to allow the returning traffic.
>>>>>
>>>>> Is my above understanding right? If so, my questions are:
>>>>>
>>>>> 1) How to verify whether the CBAC in that particular router platform is
>>>>> done with FAB or not, like by show commands? I was thinking to see, by
>>>>> doing show ip access-list, if the entries are dynamically created; then
>>>>> it is without FAB, or the other way. Is that the right way to verify?
>>>>>
>>>>> 2) In terms of OEQ, if a question is put to explain CBAC operation, I am
>>>>> at this moment thinking of explaining both of the above, assuming I
>>>>> didn't hear something wrong about those from you all.
>>>>>
>>>>> Kindly let me know your comments and corrections.
>>>>>
>>>>> Thanks for the great help
>>>>>
>>>>> Regards
>>>>> Anantha Subramanian Natarajan
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Andrew Lee Lissitz
>>> all.from.nj_at_gmail.com
>>>
>>
>>
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
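An added configuration sketch, not taken from any poster in this thread, showing the CBAC setup the question describes together with the two verification commands the replies discuss. The interface roles, the ACL name OUTSIDE_IN, the inspect rule name CBAC_OUT, the use of OSPF on the outside link and the addresses are all assumed placeholders.

```cisco
! Assumed topology: FastEthernet0/0 = inside, FastEthernet0/1 = outside.
!
! Inbound ACL on the outside interface: only what is listed here is let in
! statically. Return traffic for inspected sessions is added by CBAC, not
! by these lines.
ip access-list extended OUTSIDE_IN
 ! keep router-originated control traffic working (the routing protocol
 ! concern raised in the thread); assumed: OSPF neighbor on the outside link
 permit ospf any any
 ! ICMP replies the router itself needs (e.g. for troubleshooting)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! Inspection rule applied outbound on the outside interface: every session
! leaving from inside is recorded in the CBAC state table.
ip inspect name CBAC_OUT tcp
ip inspect name CBAC_OUT udp
ip inspect name CBAC_OUT icmp
!
interface FastEthernet0/1
 description OUTSIDE (assumed)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect CBAC_OUT out
!
! Verification, as discussed in the thread:
!   show ip inspect sessions        -> the state table; with FAB this is the
!                                      only place an inspected session shows
!   show ip access-list OUTSIDE_IN  -> without FAB, dynamic permit entries
!                                      appear above the configured lines;
!                                      with FAB only the configured lines
!                                      are displayed
```

Generate a TCP session from the inside host, then run both show commands: if the session appears only in the inspect output and the ACL shows no dynamic entries, the platform is using FAB.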
Received on Thu Sep 10 2009 - 20:12:01 ART