ACL: Reflective versus established

Discussion in 'Cisco' started by JF Mezei, Jan 24, 2010.

  1. JF Mezei

    JF Mezei Guest

    I've managed to get reflective ACL working. However, it adds ACL rules
    at the end of the ACL. Lots of rules when the LAN side machine makes a
    lot of connections to the outside world.

    It creates a lot of redundant entries at the bottom, such as:

    permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881

    even though the ACL already contains a:
    permit tcp any any eq 6881


    From a performance point of view, is it better to use the "established"
    mechanism for TCP and use reflective only for UDP? This would greatly
    reduce the number of dynamic entries in the ACL.


    For instance:

    ip access-list extended ACLinbound
    evaluate Reflect_outbound
    permit tcp any any established
    permit tcp any 10.0.0.0 0.0.255.255 eq www
    deny tcp any any eq 445


    ip access-list extended ACLoutbound
    permit tcp any any
    permit udp any any reflect Reflect_outbound


    For TCP, does the reflective mechanism provide any additional
    functionality that the "established" mechanism doesn't?
     
    JF Mezei, Jan 24, 2010
    #1

  2. Rob

    Rob Guest

    JF Mezei <> wrote:
    > I've managed to get reflective ACL working. However, it adds ACL rules
    > at the end of the ACL. Lots of rules when the LAN side machine makes a
    > lot of connections to the outside world.
    >
    > It creates a lot of redundant entries at the bottom, such as:
    >
    > permit tcp host 190.10.0.111 eq 52140 host 64.235.219.134 eq 6881
    >
    > even though the ACL already contains a:
    > permit tcp any any eq 6881
    >
    >
    > From a performance point of view, is it better to use the "established"
    > mechanism for TCP and use reflective only for UDP? This would greatly
    > reduce the number of dynamic entries in the ACL.


    That is what I did. Whether it is much better, I don't know. At least
    it looks much more tidy.

    Some purists will argue that "established" is a leak because it permits
    traffic like RST or SYN ACK packets to a nonexisting connection, but I
    don't see it as a real problem.
     
    Rob, Jan 24, 2010
    #2
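The difference the two posts above are discussing, as an added example that is not part of the thread: a small Python model of the stateless "established" keyword (matches any TCP segment with ACK or RST set) beside the stateful reverse entries a "reflect"/"evaluate" pair creates, run over constructed packets that reuse the addresses from the first post. The IOS matching semantics are simplified to the two properties under discussion; packet contents and the 198.51.100.53 / 203.0.113.5 hosts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flag names present, e.g. {"SYN", "ACK"}

def established_permits(pkt):
    """'permit tcp any any established' is stateless: IOS matches any TCP
    segment carrying ACK or RST, whether or not a session exists."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

class ReflexiveState:
    """Model of the temporary entries a 'reflect NAME' ACL adds when traffic
    leaves: one exact 5-tuple per session, mirrored for the return path."""
    def __init__(self):
        self.entries = set()

    def outbound(self, pkt):
        # Outbound match creates the reverse entry (works for TCP and UDP).
        self.entries.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permits(self, pkt):
        # 'evaluate NAME' only matches the exact mirrored tuple.
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries

def compare(outbound_pkts, inbound_pkts):
    """Return {description: (established_permits, reflexive_permits)}."""
    state = ReflexiveState()
    for p in outbound_pkts:
        state.outbound(p)
    return {d: (established_permits(p), state.inbound_permits(p)) for d, p in inbound_pkts}

# Constructed sample traffic: one TCP session and one UDP DNS query leaving the LAN.
OUT = [Packet("tcp", "190.10.0.111", 52140, "64.235.219.134", 6881, frozenset({"SYN"})),
       Packet("udp", "190.10.0.111", 5353, "198.51.100.53", 53)]
IN = [("tcp reply to our session", Packet("tcp", "64.235.219.134", 6881, "190.10.0.111", 52140, frozenset({"SYN", "ACK"}))),
      ("udp reply to our query", Packet("udp", "198.51.100.53", 53, "190.10.0.111", 5353)),
      ("unsolicited ACK, no session", Packet("tcp", "203.0.113.5", 443, "190.10.0.111", 40000, frozenset({"ACK"}))),
      ("unsolicited SYN", Packet("tcp", "203.0.113.5", 12345, "190.10.0.111", 445, frozenset({"SYN"})))]

if __name__ == "__main__":
    for desc, (est, refl) in compare(OUT, IN).items():
        print(f"{desc:30} established={est!s:5} reflexive={refl}")
```

The unsolicited ACK row is the "leak" Rob refers to: it passes the stateless keyword but has no matching reflexive entry, while the UDP row shows why the poster still needs reflect for UDP.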
