08-01-2008 04:22 AM - edited 03-09-2019 09:12 PM
Hi,
This is a general question on your experiences with RACLs at the network edge.
How does this affect router resources in general?
Any particular issue when run on eBGP peer devices?
Thank you for sharing your experiences.
08-06-2008 07:02 AM
Use CBAC instead; this will help with such applications as passive FTP.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Both RACL and CBAC have performance hits. How much depends on your platform, size of ACL, amount of traffic, etc.
Hope that helps.
08-06-2008 06:19 AM
Will have problems accessing passive FTP services, right?
08-06-2008 07:15 AM
Thanks Colin,
Indeed there will be performance hits especially if CBAC(with inspection) is used on an edge router running BGP, etc.
So for first level filtering TACL/RACL would be good enough according to my understanding.
For Passive FTP, I think a normal entry would be required in addition to reflexive ACLs
e.g.
permit tcp x.x.x.x y.y.y.y any eq ftp ftp-data reflect FTP-REFLECT
permit tcp x.x.x.x y.y.y.y any gt 1024 established
Any comments please?
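As an added example that is not from this thread, here is the edge configuration the discussion converges on (reflexive entry for the FTP control channel plus a static "established" entry for the passive data channel, with the eBGP session permitted explicitly), followed by the CBAC alternative. The interface name, the peer address 192.0.2.1, the edge address 192.0.2.2 and the inside range 10.0.0.0/8 are placeholders.

```cisco
! Added example, not from the thread. Interface and addresses are placeholders:
! 192.0.2.1 = eBGP peer, 192.0.2.2 = this edge router, 10.0.0.0/8 = inside.
!
! --- RACL variant -----------------------------------------------------
ip access-list extended EDGE-OUT
 ! Outbound FTP control sessions create temporary return entries
 permit tcp 10.0.0.0 0.255.255.255 any eq ftp reflect FTP-REFLECT timeout 300
 permit ip any any
!
ip access-list extended EDGE-IN
 ! eBGP: the peer may be the side that opens the TCP session, so permit
 ! both directions explicitly; "evaluate" only covers sessions we started.
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 ! Return traffic for the reflected control sessions
 evaluate FTP-REFLECT
 ! Passive FTP: the server picks a high port and the client opens a new
 ! connection to it. The control-channel entry above does not reflect
 ! that flow, so its return traffic needs a static entry. "established"
 ! only checks the ACK/RST bit, so this is a wide hole, not a stateful check.
 permit tcp any gt 1023 10.0.0.0 0.255.255.255 gt 1023 established
 deny ip any any log
!
interface GigabitEthernet0/0
 description eBGP peer link
 ip address 192.0.2.2 255.255.255.252
 ip access-group EDGE-OUT out
 ip access-group EDGE-IN in
!
! --- CBAC variant (needs an Advanced Security image) --------------------
! ftp inspection reads the control channel and opens the data channel on
! demand, so the static "established" entry is not needed.
ip inspect name EDGE-INSPECT ftp
ip inspect name EDGE-INSPECT tcp
ip inspect name EDGE-INSPECT udp
!
ip access-list extended EDGE-IN-CBAC
 ! Still permit the eBGP session explicitly; inspection only opens
 ! return paths for sessions that left through the inspected interface.
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 deny ip any any log
!
! On the same interface, replace the two access-group lines with:
!  ip inspect EDGE-INSPECT out
!  ip access-group EDGE-IN-CBAC in
```

Either way, check that the BGP session stays up after applying the inbound list (show ip bgp summary) before trusting the filter on a production peer.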
08-06-2008 07:17 AM
Looks good.
08-06-2008 08:22 AM
My other observation is the need of a special IOS image for CBAC support.
For instance, I have a spservices image with no CBAC.
08-06-2008 08:24 AM
That is correct, you need Advanced Security for CBAC and possibly more DRAM/Flash to support that IOS.