Question About UDP ACLs in IOS

Hello all,

I currently have an ACL in my 6500 that allows established TCP connections to come back into my network. Something like 'permit tcp any host 10.0.0.1 established'. Is it possible to do something similar with UDP? I need to allow a machine on my inside network to communicate with a time server over UDP port 123, but I don't see an 'established' option for UDP ACLs.

Thanks in advance!

-- Bryan


You might look at reflexive access lists. Beware ending up CPU switching the traffic though. I think they are supposed to be hardware switched but I seem to recall doubting that in some case or other. Switching comments apply to 6500.

The established method cannot be used on UDP since it uses the TCP flags. It blocks packets with SYN-set and ACK-not-set. This is only the case for the first packet in a TCP session so no sessions can be initiated through an "established" ACL.

-- bod43

I found this hard to get my head round the first time so:

Reflexive means "the reflection of" so you get an inbound ACL entry automatically created when traffic matches the outbound ACL.

I don't know how granular the reflected ACL entries are but you can see them with

sh ip access-list ACL-to-internet-reflected

from the example below.

interface GigabitEthernet1/1
 description Internet link
 ip access-group ACL-to-internet out
 ip access-group ACL-from-internet in
!
ip access-list extended ACL-to-internet
 ! traffic matched here creates mirrored entries in the reflexive list
 permit ip any any reflect ACL-to-internet-reflected
!
ip access-list extended ACL-from-internet
 ! the reflexive list is nested here with "evaluate"; it cannot be
 ! applied to the interface directly with access-group
 evaluate ACL-to-internet-reflected
 ! probably optional but you can put what you want here
 deny ip any any

Reflexively created entries go in front of the static entries.

Above from memory so may not be exact.

Just noticed that I can't see a reason that the two access-group statements have to be on the same interface. I have always done so.

-- bod43
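Applied to Bryan's NTP question, the following is a complete reflexive ACL configuration added as an example; it is not from any post in the thread. It assumes 10.0.0.1 is the inside host, GigabitEthernet1/1 faces the Internet, the time server address is not pinned down (so `any`), and the ACL names are invented.

```ios
! Added example, not from the thread. Assumes inside host 10.0.0.1,
! Internet-facing interface GigabitEthernet1/1, and invented ACL names.
!
! UDP has no flags, so a reflexive entry is only removed when it times out;
! keep the timeout short for NTP, which is a single request/response.
ip reflexive-list timeout 120
!
ip access-list extended ACL-to-internet
 ! An outbound NTP query from 10.0.0.1 creates a temporary entry in
 ! NTP-REFLECT with source/destination swapped: server:123 -> 10.0.0.1:<src port>
 permit udp host 10.0.0.1 any eq 123 reflect NTP-REFLECT timeout 120
 deny ip any any
!
ip access-list extended ACL-from-internet
 ! Dynamically created entries are checked here, before the static rules
 evaluate NTP-REFLECT
 deny ip any any
!
interface GigabitEthernet1/1
 description Internet link
 ip access-group ACL-to-internet out
 ip access-group ACL-from-internet in
```

While a query is outstanding, `show ip access-lists NTP-REFLECT` lists the temporary entry with its remaining lifetime; unsolicited UDP/123 traffic from the Internet never matches it and falls through to the final deny.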
