From: JF Mezei on 24 Jan 2010 04:10

I've managed to get reflective ACL working. However, it adds ACL rules at the end of the ACL. Lots of rules when the LAN side machine makes a lot of connections to the outside world.

It creates a lot of redundant entries at the bottom such as:

permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881

even though the acl already contains a:

permit tcp any any eq 6881

From a performance point of view, is it better to use the "established" mechanism for tcp and use reflective only for udp? This would greatly reduce the number of dynamic entries in the ACL. For instance:

ip access-list extended ACLinbound
 evaluate Reflect_outbound
 permit tcp any any established
 permit tcp any 10.0.0.0 0.0.255.255 eq www
 deny tcp any any eq 445

ip access-list extended ACLoutbound
 permit tcp any any
 permit udp any any reflect Reflect_outbound

For tcp, does the reflective mechanism provide any additional functionality that the "established" mechanism doesn't?
From: Rob on 24 Jan 2010 07:45
JF Mezei <jfmezei.spamnot(a)vaxination.ca> wrote:
> I've managed to get reflective ACL working. However, it adds ACL rules
> at the end of the ACL. Lots of rules when the LAN side machine makes a
> lot of connections to the outside world.
>
> It creates a lot of redundant entries at the bottom such as:
>
> permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881
>
> even though the acl already contains a:
> permit tcp any any eq 6881
>
>
> From a performance point of view, is it better to use the "established"
> mechanism for tcp and use reflective only for udp? This would greatly
> reduce the number of dynamic entries in the ACL.

That is what I did. If it is much better, I don't know. At least it looks much more tidy.

Some purists will argue that "established" is a leak because it permits traffic like RST or SYN ACK packets to a nonexisting connection, but I don't see it as a real problem.
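A constructed Python model of the two inbound match styles the thread contrasts, added here as an illustration (it is not code from either poster or from Cisco IOS). It keeps only the match semantics: "established" tests TCP flag bits with no state, while a reflexive entry permits just the mirrored 5-tuple of a flow the router saw leave. The LAN host and peer are the addresses quoted in the post; 203.0.113.9 is a constructed host with no outbound flow, and entry ageing is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}


def established_permits(p: Pkt) -> bool:
    # 'permit tcp any any established': matches any TCP segment with ACK or
    # RST set; it has no memory of whether an outbound connection exists.
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


class ReflexiveList:
    # Models 'reflect Reflect_outbound' on the way out and
    # 'evaluate Reflect_outbound' on the way in: each outbound packet installs
    # a temporary entry that permits only the exact mirrored 5-tuple inbound.
    def __init__(self) -> None:
        self.entries: set = set()

    def outbound(self, p: Pkt) -> None:
        self.entries.add((p.proto, p.dst, p.dport, p.src, p.sport))

    def permits(self, p: Pkt) -> bool:
        return (p.proto, p.src, p.sport, p.dst, p.dport) in self.entries


def compare() -> dict:
    """Run constructed traffic through both styles; returns (established, reflexive)."""
    refl = ReflexiveList()
    lan, peer = "190.10.0.111", "64.235.219.134"  # hosts from the post
    stranger = "203.0.113.9"                       # constructed: never seen outbound
    refl.outbound(Pkt("tcp", lan, 52140, peer, 6881, frozenset({"SYN"})))
    refl.outbound(Pkt("udp", lan, 40000, peer, 53))
    cases = {
        "synack_reply": Pkt("tcp", peer, 6881, lan, 52140, frozenset({"SYN", "ACK"})),
        "unsolicited_synack": Pkt("tcp", stranger, 6881, lan, 52140, frozenset({"SYN", "ACK"})),
        "unsolicited_rst": Pkt("tcp", stranger, 80, lan, 1025, frozenset({"RST"})),
        "udp_reply": Pkt("udp", peer, 53, lan, 40000),
    }
    return {name: (established_permits(p), refl.permits(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (est, rfl) in compare().items():
        print(f"{name:20s} established={est!s:5s} reflexive={rfl}")
```

The two unsolicited cases are the "leak" Rob mentions: they pass the stateless "established" test but match no reflexive entry, while the UDP reply shows why reflexive entries are still needed for non-TCP traffic.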