ACL: Reflective versus established|
|
|
Bookmark this page:
 Yahoo!
 Google
 Windows Live
 del.icio.us
 digg
 Netscape
|
|
||||||||||
|
Posted by JF Mezei on January 24, 2010, 4:10 am
Please log in for more thread options
I've managed to get reflective ACL working. However, it adds ACL rules at the end of the ACL. Lots of rules when the LAN side machine makes a lot of connections to the outside world. It creates a lot of redundant entries at the bottom such as : permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881 even though the acl already contains a : permit tcp any any eq 6881 From a performance point of you, is it better to use the "established" mechanism for tcp and use reflective only for udp ? This would greatly reduce the number of dynamic entries in the ACL. for instance: ip access-list extended ACLinbound evaluate Reflect_outbound permit tcp any any established permit tcp any 10.0.0.0 0.0.255.255 eq www deny tcp any any eq 445 ip access-list extended ACLoutbound permit tcp any any permit udp any any reflect Reflect_outbound For tcp, does the reflective mechanism provide any additional functionality that the "established" mechanism doesn't ? | ||||||||||
|
Posted by Rob on January 24, 2010, 7:45 am
Please log in for more thread options That is what I did. If it is much better, I don't know. At least it looks much more tidy. Some purists will argue that "established" is a leak because it permits traffic like RST or SYN ACK packets to a nonexisting connection, but I don't see it as a real problem. | ||||||||||
| Similar Threads | Posted |
| ACL: Reflective versus established | January 24, 2010, 4:10 am |
| Reflective ACL | June 21, 2005, 5:17 pm |
| IP Inspect vs. established | March 12, 2009, 9:59 pm |
| ipsec tunnel established but no pinging | December 27, 2006, 5:09 pm |
| PIX Ipsec VPN - SA established, no traffic passes | May 3, 2007, 2:34 pm |
| NAT versus NO NAT | July 26, 2006, 10:51 pm |
| Pix 501 Versus ASA 5505 | December 22, 2007, 2:48 pm |
| Port forwarding versus 'permit' | August 31, 2005, 5:05 pm |
| Frame Relay EEK versus Traffic Shaping | October 31, 2005, 9:57 am |
| 15216-EDFA2 Versus EDFA From ONS 15501 | March 25, 2006, 2:58 am |
| Re: Cisco 350 ACU versus WinXP network config | March 10, 2005, 6:44 pm |
| Some one please help to find MACs versus Ports on Catalyst swicths | January 11, 2007, 5:46 pm |
| Cisco 15454 Versus Nortel OPTera 3500 for Ethernet | August 20, 2007, 1:04 am |
| Cisco Softphone Vlan Versus Preexisting Hardphone Voice Vlan | September 23, 2005, 7:43 am |
| DHCP relay agent versus Option 3; Routers Option | September 25, 2006, 10:20 am |
|
Home Cabling GuideFinally, an instantly downloadable book that saves you thousands in home improvement dollars! Enjoy living in 21st century technology-advanced home while increasing its selling value and competitive advantage on the real estate market. Whether your cabling is for home office or high-tech leisure, you can wire your home yourself or learn "wirish" to speak with your cabling contractors in their language! Learn More |
> at the end of the ACL. Lots of rules when the LAN side machine makes a
> lot of connections to the outside world.
>
> It creates a lot of redundant entries at the bottom such as :
>
> permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881
>
> even though the acl already contains a :
> permit tcp any any eq 6881
>
>
> From a performance point of you, is it better to use the "established"
> mechanism for tcp and use reflective only for udp ? This would greatly
> reduce the number of dynamic entries in the ACL.