Reflexive Access Lists

Answered Question
Aug 1st, 2008

Hi,


This is a general question on your experiences with RACLs at the network edge.


How does this affect router resources in general?


Any particular issue when run on eBGP peer devices?


Thank you for sharing your experiences.




Correct Answer by Collin Clark about 8 years 9 months ago

Use CBAC instead; this will help with such applications as passive FTP.


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml


Both RACL and CBAC have performance hits. How much depends on your platform, size of ACL, amount of traffic, etc.


Hope that helps.

rsgamage1 Wed, 08/06/2008 - 06:19

Will have problems accessing passive FTP services, right?

rsgamage1 Wed, 08/06/2008 - 07:15

Thanks Collin,


Indeed there will be performance hits, especially if CBAC (with inspection) is used on an edge router running BGP, etc.


So for first level filtering TACL/RACL would be good enough according to my understanding.


For passive FTP, I think a normal entry would be required in addition to reflexive ACLs.


e.g.

permit tcp x.x.x.x y.y.y.y any eq ftp ftp-data reflect FTP-REFLECT

permit tcp x.x.x.x y.y.y.y any gt 1024 established


Any comments please?
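
A worked reflexive ACL configuration for the edge-router case discussed in this thread, added here as an illustration and not taken from any post above; the interface, the ACL and reflexive-list names, and PEER-ADDR / LOCAL-ADDR are placeholders:

```text
! Outbound ACL on the Internet-facing interface. Each session the inside
! originates creates a temporary entry in the named reflexive list, which
! expires after the per-entry timeout (seconds) once the session goes idle.
ip access-list extended EDGE-OUT
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any reflect ICMP-REFLECT timeout 30
!
! Inbound ACL. The eBGP peering must be permitted explicitly: outbound
! ACLs do not see router-originated traffic, so the router's own BGP
! session never creates a reflexive entry. Either side may open the
! TCP 179 session, hence both entries.
ip access-list extended EDGE-IN
 permit tcp host PEER-ADDR host LOCAL-ADDR eq bgp
 permit tcp host PEER-ADDR eq bgp host LOCAL-ADDR
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 ! FTP data connections opened from the outside (active mode) still
 ! have no reflexive entry; that is the case CBAC inspection handles.
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing link (placeholder interface)
 ip access-group EDGE-OUT out
 ip access-group EDGE-IN in
```

Check the live entries with `show access-lists TCP-REFLECT`; the number of temporary entries and their timeouts are what drive the memory cost rsgamage1 asks about.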

rsgamage1 Wed, 08/06/2008 - 08:22

My other observation is the need for a special IOS image for CBAC support.


For instance, I have a spservices image with no CBAC.

Collin Clark Wed, 08/06/2008 - 08:24

That is correct, you need Advanced Security for CBAC and possibly more DRAM/Flash to support that IOS.
