Re: CBAC query posted 11/24/2008


Whoa, Jason, this goes directly into my notes once I verify it in the lab.
This is great. Thanks!

On Sun, Nov 23, 2008 at 6:00 PM, Jason Madsen <madsen.jason@xxxxxxxxx>wrote:

> Local router traffic can be matched with CBAC using the inspect
> "router-traffic" option.
>
> Jason
>
> On Sun, Nov 23, 2008 at 9:23 AM, Reza Toghraee <reza@xxxxxxxxxxxx> wrote:
>
> > Gaurav,
> >
> > Hope this from my notes helps you make CBAC click in your mind.
> >
> > Reflexive ACLs and CBAC can both be used to turn the router into a stateful
> > firewall. A stateful firewall means that when traffic leaves the network,
> > it is noted in a STATE-TABLE. When traffic tries to come back into the
> > network it is only allowed in if there is a previously created entry in
> > the state table.
> >
> > For both of these methods, the ROUTER LOCAL TRAFFIC cannot be matched.
> > You need to do PBR to a Loopback interface.
> >
> > What CBAC can do: Traffic Inspection, SYN flood blocking, Alerts, Audit,
> > Intrusion Prevention FOR PROTOCOLS WHICH IT KNOWS.
> > CBAC creates temporary entries in ACLs (in the opposite direction of the
> > packet) automatically and hidden.
> >
> > Q: Configure R5 to only allow traffic in on the Ethernet connection if it
> > has been originated from inside; use CBAC to do this. For connectivity
> > testing purposes ensure that R5 can ping BB2.
> >
> >
> > R5
> >
> > ip inspect name CBAC tcp
> > ip inspect name CBAC udp
> > ip inspect name CBAC icmp
> > !
> > ip access-list extended INBOUND
> >  permit icmp any host 192.10.1.5 echo-reply
> >  permit tcp any any eq bgp
> >  permit tcp any eq bgp any
> > !
> > interface ethernet 0/0
> >  ip address 192.10.1.5 255.255.255.0
> >  ip access-group INBOUND in
> >  ip inspect CBAC out
> > !
> >
> >
> > notes:  the inbound ACL is designed to match the router-originated
> > traffic.
> >        CBAC applied outbound affects inbound traffic, automatically
> > creating entries in the INBOUND ACL.
> >
> >
> > Regards
> > Reza Toghraee
> >
> >
> >
> > -----Original Message-----
> > From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
> > GAURAV MADAN
> > Sent: Sunday, November 23, 2008 6:46 PM
> > To: ccie forum
> > Subject: CBAC query
> >
> > Hi Group
> >
> > I am really confused; trying to figure out how CBAC functions and how it
> > is different from reflexive ACLs.
> > Here is what I am trying
> >
> > ip inspect name TEST tcp
> > ip inspect name TEST udp
> > ip inspect name TEST icmp
> >
> >                 R1---f0/1---------------------------R4
> >                 |f0/0
> >                 |
> > ====================
> > |                                      |
> > R2                                 R3
> >
> > If I apply "ip inspect TEST in" on f0/0 of R1, what purpose does it serve?
> > Does it inspect tcp, udp and icmp traffic coming in f0/0, and is this the
> > only traffic allowed to come to the inside network via f0/1?
> > I mean, if I want TCP, UDP and ICMP traffic initiated from the inside
> > network to access the outside network, what will be the CBAC way of doing
> > this and how to test it?
> >
> > Is there a good writeup on the same? The DOC CD is not very helpful on this.
> >
> > Gaurav Madan
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html


-- 
Pavel Bykov
----------------
Don't forget to help stopping the braindumps, use of which reduces value of
your certifications. Sign the petition at http://www.stopbraindumps.com/
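The R5 configuration in Reza's notes (inbound ACL with a few static permits, `ip inspect` applied outbound) and Jason's point about the `router-traffic` keyword, as an added worked model. This is illustration code written for this page, not code from the thread or from Cisco IOS. It models the state table as a set of reverse-flow keys that are consulted before the static ACL, and it treats "router-originated" simply as "source address equals the router's interface address"; the inside-host and BB2 addresses (10.5.5.10, 192.10.1.254) are made up, only 192.10.1.5 comes from the thread. The `router_traffic` flag stands in for the `router-traffic` option of `ip inspect name`.

```python
"""Toy model of CBAC-style stateful inspection on one router interface.

Added example; not Cisco IOS code and not from the original thread.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # unused for icmp
    dport: int = 0
    kind: str = ""        # tcp: "syn"/"syn-ack"; icmp: "echo"/"echo-reply"

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # Key under which the return packet of this flow will be looked up.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class CbacInterface:
    router_ip: str
    inspected: frozenset                 # protocols named in `ip inspect name`
    router_traffic: bool = False         # the `router-traffic` keyword
    static_acl: list = field(default_factory=list)   # inbound (name, predicate)
    sessions: set = field(default_factory=set)       # temporary reverse entries

    def send_out(self, pkt):
        """Outbound packet: no outbound ACL here, inspection may add a session."""
        if pkt.proto not in self.inspected:
            return "sent (not inspected)"
        # Simplification: router-originated == sourced from the interface address.
        if pkt.src == self.router_ip and not self.router_traffic:
            return "sent (router-originated, not inspected)"
        self.sessions.add(pkt.reverse_key())
        return "sent (session created)"

    def receive_in(self, pkt):
        """Inbound packet: CBAC's dynamic entries first, then the static ACL."""
        if pkt.key() in self.sessions:
            return "permit (CBAC session)"
        for name, match in self.static_acl:
            if match(pkt):
                return "permit (ACL " + name + ")"
        return "deny (implicit deny)"


# The three static lines of Reza's INBOUND ACL, as predicates.
R5_INBOUND = [
    ("permit icmp any host 192.10.1.5 echo-reply",
     lambda p: p.proto == "icmp" and p.dst == "192.10.1.5" and p.kind == "echo-reply"),
    ("permit tcp any any eq bgp", lambda p: p.proto == "tcp" and p.dport == 179),
    ("permit tcp any eq bgp any", lambda p: p.proto == "tcp" and p.sport == 179),
]


def build_r5(router_traffic=False):
    return CbacInterface("192.10.1.5", frozenset({"tcp", "udp", "icmp"}),
                         router_traffic, list(R5_INBOUND))


def run_scenarios():
    """Constructed traffic for the cases discussed in the thread; returns verdicts."""
    inside, bb2 = "10.5.5.10", "192.10.1.254"   # made-up addresses
    r5 = build_r5()
    out = {}
    # 1. Inside host opens TCP to BB2; the SYN/ACK back matches the session.
    r5.send_out(Packet("tcp", inside, bb2, 40000, 80, "syn"))
    out["syn-ack back to inside host"] = r5.receive_in(Packet("tcp", bb2, inside, 80, 40000, "syn-ack"))
    # 2. Unsolicited inbound connection attempt: no session, no static line.
    out["unsolicited syn to inside host"] = r5.receive_in(Packet("tcp", bb2, inside, 50000, 23, "syn"))
    # 3. R5 pings BB2: without router-traffic the echo is not inspected, so the
    #    static echo-reply line is what lets the reply in (the "ensure R5 can ping BB2" case).
    out["r5 echo out"] = r5.send_out(Packet("icmp", "192.10.1.5", bb2, kind="echo"))
    out["echo-reply to r5"] = r5.receive_in(Packet("icmp", bb2, "192.10.1.5", kind="echo-reply"))
    # 4. BGP from the peer is carried by the static `eq bgp` lines.
    out["bgp syn from peer"] = r5.receive_in(Packet("tcp", bb2, "192.10.1.5", 45000, 179, "syn"))
    # 5. Router-originated UDP: dropped without router-traffic, allowed with it.
    probe = Packet("udp", "192.10.1.5", bb2, 50123, 53)
    reply = Packet("udp", bb2, "192.10.1.5", 53, 50123)
    r5.send_out(probe)
    out["udp reply to r5, no router-traffic"] = r5.receive_in(reply)
    r5_rt = build_r5(router_traffic=True)
    r5_rt.send_out(probe)
    out["udp reply to r5, router-traffic"] = r5_rt.receive_in(reply)
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40} {verdict}")
```

Scenario 5 is the one that separates the two answers in the thread: with `router-traffic` off, the router's own UDP probe creates no session and its reply hits the implicit deny, which is why Reza's design leans on static permits (and he mentions PBR to a loopback); with it on, the reply is matched by a temporary entry like any inside-originated flow.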