Reflexive Access Lists

Answered Question
Aug 1st, 2008

Hi,

This is a general question on your experiences with RACLs at the network edge.

How does this affect router resources in general?

Any particular issue when run on eBGP peer devices?

Thank you for sharing your experiences.

Correct Answer by Collin Clark about 8 years 5 months ago

Use CBAC instead; this will help with such applications as passive FTP.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Both RACL and CBAC have performance hits. How much depends on your platform, size of ACL, amount of traffic, etc.

Hope that helps.

rsgamage1 Wed, 08/06/2008 - 07:15

Thanks Collin,

Indeed there will be performance hits, especially if CBAC (with inspection) is used on an edge router running BGP, etc.

So for first-level filtering, TACL/RACL would be good enough, according to my understanding.

For passive FTP, I think a normal entry would be required in addition to reflexive ACLs.

e.g.

permit tcp x.x.x.x y.y.y.y any eq ftp ftp-data reflect <racl-name>

permit tcp x.x.x.x y.y.y.y any gt 1024 established

Any comments please?
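The difference the two posts above are discussing, as an added example that is not part of the original thread and is not Cisco IOS code: a small Python model of an edge router in front of a passive-mode FTP server, run three ways. `ReflexiveEdge` mirrors each outbound session the way a reflexive ACL does and otherwise permits only static inbound entries; `InspectingEdge` adds the idea behind CBAC, parsing the server's `227 Entering Passive Mode` reply and opening just the negotiated data port for that one client. The third variant is the blanket static permit for the high port range that a reflexive-only design needs. All addresses, ports and the class and function names are constructed for the walk-through; the model ignores TCP flags, timeouts and the `established` keyword.

```python
import re
from dataclasses import dataclass, field

# Constructed addresses for the walk-through (not taken from the thread):
INSIDE_PREFIX = "10.0.0."      # protected network behind the edge router
FTP_SERVER = "10.0.0.5"        # passive-mode FTP server on the inside
CLIENT = "198.51.100.7"        # client on the Internet side

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_REPLY = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass
class ReflexiveEdge:
    """Simplified reflexive-ACL behaviour: outbound traffic is permitted and
    leaves a mirrored entry; inbound traffic is permitted only if it matches a
    mirrored entry or a static inbound permit given as (dst, low_port, high_port)."""
    static_inbound: list = field(default_factory=list)
    mirrored: set = field(default_factory=set)

    def on_outbound(self, pkt: Packet) -> None:
        # reflexive entry: the outbound 4-tuple with source and destination swapped
        self.mirrored.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.mirrored:
            return True
        return any(pkt.dst == dst and lo <= pkt.dport <= hi
                   for dst, lo, hi in self.static_inbound)

    def process(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INSIDE_PREFIX):
            self.on_outbound(pkt)
            return True
        return self.inbound_allowed(pkt)


@dataclass
class InspectingEdge(ReflexiveEdge):
    """Adds FTP control-channel inspection (the CBAC idea): a 227 reply from the
    inside server opens a single-use pinhole for that client to the negotiated port."""
    pinholes: set = field(default_factory=set)

    def on_outbound(self, pkt: Packet) -> None:
        super().on_outbound(pkt)
        if pkt.sport == 21:
            m = PASV_REPLY.search(pkt.payload)
            if m:
                host = ".".join(m.group(i) for i in range(1, 5))
                port = int(m.group(5)) * 256 + int(m.group(6))
                self.pinholes.add((pkt.dst, host, port))   # (client, server, data port)

    def inbound_allowed(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.pinholes:
            self.pinholes.discard(key)   # consumed by the data connection
            return True
        return super().inbound_allowed(pkt)


def reflexive_only() -> ReflexiveEdge:
    return ReflexiveEdge(static_inbound=[(FTP_SERVER, 21, 21)])


def reflexive_with_highports() -> ReflexiveEdge:
    # blanket static permit for the high ports, the reflexive-only workaround
    return ReflexiveEdge(static_inbound=[(FTP_SERVER, 21, 21), (FTP_SERVER, 1025, 65535)])


def inspecting() -> InspectingEdge:
    return InspectingEdge(static_inbound=[(FTP_SERVER, 21, 21)])


def passive_ftp_verdicts(edge: ReflexiveEdge) -> list:
    """Push a constructed passive-mode FTP exchange through the edge; return
    one permit/deny verdict per packet (control SYN, 227 reply, data SYN)."""
    flow = [
        Packet(CLIENT, 40000, FTP_SERVER, 21),
        Packet(FTP_SERVER, 21, CLIENT, 40000,
               "227 Entering Passive Mode (10,0,0,5,195,80)"),   # 195*256+80 = 50000
        Packet(CLIENT, 40001, FTP_SERVER, 50000),
    ]
    return [edge.process(p) for p in flow]


if __name__ == "__main__":
    for name, factory in (("reflexive only", reflexive_only),
                          ("reflexive + gt 1024", reflexive_with_highports),
                          ("inspecting", inspecting)):
        print(f"{name:22s} {passive_ftp_verdicts(factory())}")
```

The reflexive-only edge drops the data connection, because the only mirrored entry is the reverse of the server's control-channel packets and the client's data SYN is a new inbound session on a port the router never saw. Both other variants let it through, but the blanket high-port permit also admits any unrelated inbound connection to that range, while the inspecting edge opens one port, for one client, once.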

rsgamage1 Wed, 08/06/2008 - 08:22

My other observation is the need for a special IOS image for CBAC support.

For instance, I have a spservices image with no CBAC.

Collin Clark Wed, 08/06/2008 - 08:24

That is correct; you need Advanced Security for CBAC and possibly more DRAM/Flash to support that IOS.
