[unisog] Are cisco router VLAN ACL's stateful like a PIX?
cgaylord at cns.vt.edu
Tue Feb 1 12:14:16 GMT 2005
Julian Y. Koh wrote:
> At 18:25 -0500 01/31/2005, Ryan Dorman wrote:
>>ACL's are packet filters, they are not stateful and do not work with any
>>sort of session tracking IIRC.
> Note that you can use the incredibly cheesy "established" keyword in an ACL
> rule to get you a little bit closer to firewall functionality, but that's
> definitely not stateful.
Further note: turn on deeper inspection at your own risk! [if you like seeing your
CPU jump 20-50%, you can have all kinds of fun with SYN, EST, log, et al. ... if
you've got the headroom these can be useful, but be careful. but you know, you
really can't tell what's going on without a good "debug ip packet detail" anyway. :-)]
More information about the unisog