Re: Reflexive access lists

From: Sadiq Yakasai <sadiqtanko_at_gmail.com>
Date: Sat, 6 Mar 2010 12:56:30 +0000

Hi Kabir,

Just to add a little to Karim's excellent explanation:

1. With Reflexive ACLs, you would need to configure 2 ACLs on the interface
(in and out). The OUT would track what goes out (from the trusted towards
the untrusted) interface, and punch a hole dynamically on the IN ACL. This
"hole" would be temporary (cleared after the timeout period).

2. Reflexive ACLs are not stateful, which means they would only track
traffic based on the pre-defined rule (IP address, port numbers, etc.) and
make forwarding decisions based on that alone.

3. If the situation at hand requires you to allow traffic based on state
information, then a stateful technology like CBAC/ZBF would do the job
nicely for you. These technologies would track more than just the
source/destination IP/port numbers in making forwarding decisions. They
would also keep session id (possibly sequence numbers?) to make forwarding
decisions. I can't remember what exactly is checked by a stateful technology,
so this is one to look up I would say.

Hope that helps a little.

Sadiq
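The two-ACL arrangement from point 1 (an OUT ACL that reflects, an IN ACL that evaluates the mirror entries, and a timeout on the hole) written out as an added IOS configuration example; this is not from the thread or from Cisco documentation, and the interface name, addresses and timeouts are assumed values.

```cisco
! Added example, not from the original thread. Assumed (hypothetical) values:
! FastEthernet0/1 faces the untrusted side, 192.0.2.0/24 is the trusted inside.
!
! 1. OUT ACL, applied outbound on the untrusted interface. Each session that
!    matches a "reflect" entry creates a temporary mirror entry in MIRROR
!    (source/destination addresses and ports swapped).
ip access-list extended OUTBOUND-REFLECT
 permit tcp 192.0.2.0 0.0.0.255 any reflect MIRROR timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect MIRROR timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect MIRROR
 deny ip any any log
!
! 2. IN ACL, applied inbound on the same interface. "evaluate" is the point
!    where the dynamically punched holes are inserted; everything that is not
!    a mirror of an outbound session is denied and logged.
ip access-list extended INBOUND-EVAL
 permit icmp any any unreachable
 evaluate MIRROR
 deny ip any any log
!
! Idle timeout (seconds) used for reflexive entries that carry no explicit
! "timeout" keyword; the hole disappears once the timer expires.
ip reflexive-list timeout 120
!
interface FastEthernet0/1
 description Untrusted side (assumed addressing)
 ip address 198.51.100.1 255.255.255.0
 ip access-group INBOUND-EVAL in
 ip access-group OUTBOUND-REFLECT out
```

While an inside host has a session open, `show access-lists MIRROR` lists the temporary mirror entries with their remaining time; the entries match only the swapped address/port tuple, which is the limitation point 2 above refers to.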

On Sat, Mar 6, 2010 at 9:20 AM, karim jamali <karim.jamali_at_gmail.com> wrote:

> Hi,
>
> Well usually the concept comes from the following facts:
> 1. You usually want to allow traffic coming from within your network to the
> outside.
> 2. You want to deny all traffic from the outside coming in.
> However, you still want to allow the traffic from outside which is a mirror
> for the inside-->outside traffic which you already permitted. For instance,
> when surfing the web, the user requests a web page from a particular web
> server and he receives the reply from the web server.
>
> This link might be useful.
>
> http://www.packetlife.net/blog/2008/nov/25/reflexive-access-lists/
>
> Note that the improved version of reflexive ACL is CBAC.
>
> Best Regards,
>
> Karim Jamali
> On Sat, Mar 6, 2010 at 12:04 PM, <kebramccie_at_gmail.com> wrote:
>
> > Hello guys,
> >
> > I am having trouble nailing down reflexive access lists. Can someone
> please
> > help me explain stuff better.
> >
> > Thank you,
> >
> > Kabir
> > Sent from my BlackBerry wireless device from MTN
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> KJ
>

-- 
CCIE #19963
Received on Sat Mar 06 2010 - 12:56:30 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:34 ART