Reflexive Access Lists

rsgamage1
Level 3

Hi,

This is a general question on your experiences with RACLs at the network edge.

How does this affect router resources in general?

Any particular issue when run on eBGP peer devices?

Thank you for sharing your experiences.

6 Replies

rsgamage1
Level 3

Will have problems accessing passive FTP services, right?

Use CBAC instead, this will help with such applications as passive ftp.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Both RACL and CBAC have performance hits. How much depends on your platform, size of ACL, amount of traffic, etc.

Hope that helps.

Thanks Colin,

Indeed there will be performance hits, especially if CBAC (with inspection) is used on an edge router running BGP, etc.

So for first-level filtering, TACL/RACL would be good enough, according to my understanding.

For passive FTP, I think a normal entry would be required in addition to reflexive ACLs.

e.g.

permit tcp x.x.x.x y.y.y.y any eq ftp ftp-data reflect <reflexive-list-name>

permit tcp x.x.x.x y.y.y.y any gt 1024 established

Any comments please?
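A fuller version of the reflexive ACL pattern discussed in this thread (outbound reflect, inbound evaluate, and an explicit entry for the router's own eBGP session), added here as an illustration; it is not from the original posts or from Cisco documentation. The inside prefix 192.0.2.0/24, the peer addresses 203.0.113.1/.2, the interface and the ACL names are placeholders.

```cisco
! Added example, not from the thread. All addresses, names and the
! interface are placeholders.
!
! Outbound ACL: every TCP/UDP/ICMP session leaving the edge creates a
! temporary entry in the reflexive list INSIDE-OUT. Because the reflect
! line covers all TCP from the inside prefix, a passive-FTP data
! connection (client-initiated to a server port above 1023) gets its
! own reflexive entry; an 'established' catch-all is only needed if the
! reflect line is narrowed to specific ports, as in the post above.
ip access-list extended OUTBOUND
 permit tcp 192.0.2.0 0.0.0.255 any reflect INSIDE-OUT timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect INSIDE-OUT timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect INSIDE-OUT
!
! Inbound ACL: an outbound ACL does not see packets the router itself
! originates, so the router's own BGP session never creates a reflexive
! entry. Permit the eBGP peer explicitly (TCP 179 may sit on either
! side, depending on who opened the session) before the evaluate line,
! so the control plane never depends on reflexive state.
ip access-list extended INBOUND
 permit tcp host 203.0.113.1 host 203.0.113.2 eq bgp
 permit tcp host 203.0.113.1 eq bgp host 203.0.113.2
 evaluate INSIDE-OUT
 deny ip any any log
!
interface GigabitEthernet0/0
 description Edge link to eBGP peer (placeholder)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Entries created by the reflect lines can be checked with `show ip access-lists INSIDE-OUT`, and the `deny ... log` line makes dropped return traffic visible while tuning the timeouts.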

Looks good.

My other observation is the need for a special IOS image for CBAC support.

For instance, I have a spservices image with no CBAC.

That is correct, you need Advanced Security for CBAC and possibly more DRAM/Flash to support that IOS.
