
New Member

Reflexive Access Lists

Hi,

This is a general question on your experiences with RACLs at the network edge.

How does this affect router resources in general?

Any particular issue when run on eBGP peer devices?

Thank you for sharing your experiences.

1 ACCEPTED SOLUTION

Re: Reflexive Access Lists

Use CBAC instead, this will help with such applications as passive ftp.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

Both RACL and CBAC have performance hits. How much depends on your platform, size of ACL, amount of traffic, etc.

Hope that helps.

6 REPLIES
New Member

Re: Reflexive Access Lists

Will have problems accessing passive FTP services, right?

New Member

Re: Reflexive Access Lists

Thanks Colin,

Indeed there will be performance hits, especially if CBAC (with inspection) is used on an edge router running BGP, etc.

So for first level filtering TACL/RACL would be good enough according to my understanding.

For Passive FTP, I think a normal entry would be required in addition to reflexive ACLs.

e.g.

remark REFLECT-NAME is a placeholder: "reflect" requires the name of the reflexive list that the inbound ACL evaluates
permit tcp x.x.x.x y.y.y.y any eq ftp ftp-data reflect REFLECT-NAME

permit tcp x.x.x.x y.y.y.y any gt 1024 established

Any comments please?
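To put Colin's CBAC-versus-RACL point and the two ACL lines above side by side, here is an added example of how each approach is laid out on an IOS edge router. It is not configuration from this thread or from Cisco; the interface name, the ACL and inspect names, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are placeholders chosen for the example (RFC 5737 documentation space). The eBGP peer entries are included because the outbound ACL never sees the router's own sessions, so no reflexive entry is ever created for BGP and the peering has to be permitted statically.

```cisco
! --- Option A: reflexive ACLs (no payload inspection) ---
! Outbound entries tagged "reflect" create temporary mirror-image entries in the
! named reflexive list whenever an inside host starts a session.
ip access-list extended EDGE-OUT
 permit tcp 192.0.2.0 0.0.0.255 any reflect TCP-REFLECT timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect UDP-REFLECT timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect ICMP-REFLECT
!
! Inbound: static permits first, then "evaluate" consults the reflected entries.
! Router-originated traffic (the eBGP session) is not evaluated by EDGE-OUT,
! so both directions of the peering must be permitted statically.
ip access-list extended EDGE-IN
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 permit tcp any host 192.0.2.10 eq ftp
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 deny ip any any log
!
interface GigabitEthernet0/0
 description eBGP uplink (placeholder interface)
 ip access-group EDGE-OUT out
 ip access-group EDGE-IN in
!
! Limitation: an FTP data connection that the outside party opens toward the
! inside (passive mode for the inside server 192.0.2.10, active mode for an
! inside client) is a fresh inbound session to a port announced only inside the
! control channel. Nothing above reflects it, so "deny ip any any" drops it.
!
! --- Option B: CBAC (stateful inspection, Advanced Security feature set) ---
! The ftp inspector reads the control channel and opens the negotiated data port
! dynamically; tcp/udp inspection replaces the reflect/evaluate pairs.
ip inspect name EDGE-INSPECT ftp
ip inspect name EDGE-INSPECT tcp
ip inspect name EDGE-INSPECT udp
!
ip access-list extended EDGE-IN-CBAC
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 permit tcp any host 192.0.2.10 eq ftp
 deny ip any any log
!
interface GigabitEthernet0/0
 ip inspect EDGE-INSPECT out
 ip inspect EDGE-INSPECT in
 ip access-group EDGE-IN-CBAC in
!
! Verification: "show ip access-lists TCP-REFLECT" lists the live reflected
! entries; "show ip inspect sessions" lists the CBAC session table.
```

The inspection rule is applied in both directions so that sessions started from inside (out) and the inbound FTP control connection to 192.0.2.10 (in) are both tracked; with only the outbound rule, the inside server's passive data channel would still be dropped. In either option, the `log` keyword on the final deny is what gives you the drops to review when an application's dynamic channel fails.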

Re: Reflexive Access Lists

Looks good.

New Member

Re: Reflexive Access Lists

My other observation is the need for a special IOS image for CBAC support.

For instance, I have a spservices image with no CBAC.

Re: Reflexive Access Lists

That is correct, you need Advanced Security for CBAC and possibly more DRAM/Flash to support that IOS.
