[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Clark Gaylord cgaylord at cns.vt.edu
Tue Feb 1 12:14:16 GMT 2005


Julian Y. Koh wrote:
> At 18:25 -0500 01/31/2005, Ryan Dorman wrote:
>>ACL's are packet filters, they are not stateful and do not work with any
>>sort of session tracking IIRC.
> 
> Note that you can use the incredibly cheesy "established" keyword in an ACL
> rule to get you a little bit closer to firewall functionality, but that's
> definitely not stateful.

Further note: turn on deeper inspection at your own risk!  [if you like seeing your 
CPU jump 20-50%, you can have all kinds of fun with SYN, EST, log, et al. ... if 
you've got the headroom these can be useful, but be careful.  but you know, you 
really can't tell what's going on without a good "debug ip packet detail" anyway. :-)]

--ckg
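To make the "established is not stateful" point concrete, here is an added toy model (not code from the thread or from Cisco): `established` is modelled as a per-packet check on the TCP ACK/RST bits, while a stateful filter keeps a table of flows opened from the inside. The flag semantics and the sample addresses are assumptions for illustration.

```python
# Added example: why a Cisco-style "established" ACL entry is a flag check,
# not connection tracking. Real IOS behaviour is not reproduced; the matching
# rule (ACK or RST set) is an assumption based on the keyword's documented meaning.
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def acl_established_permits(pkt: Packet) -> bool:
    """Model of 'permit tcp any any established': permits any TCP segment
    carrying ACK or RST, whether or not a session ever existed."""
    return bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Model of a stateful firewall (PIX-like): inbound segments are permitted
    only if they belong to a flow that was opened from inside with a SYN."""

    def __init__(self) -> None:
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> bool:
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(inside_syn, inbound_pkts):
    """Return, per inbound packet, (acl_verdict, stateful_verdict)."""
    fw = StatefulFilter()
    if inside_syn is not None:
        fw.outbound(inside_syn)
    return [(acl_established_permits(p), fw.inbound(p)) for p in inbound_pkts]


if __name__ == "__main__":
    # Constructed sample traffic: a legitimate reply to an inside client,
    # and an unsolicited ACK-only segment that belongs to no session.
    client_syn = Packet("10.0.0.5", 40000, "198.51.100.7", 80, SYN)
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 40000, SYN | ACK)
    stray = Packet("203.0.113.9", 1234, "10.0.0.5", 22, ACK)
    print(compare(client_syn, [reply, stray]))  # [(True, True), (True, False)]
```

The second tuple is the gap the thread is warning about: the ACL permits the stray segment because its ACK bit is set, while the stateful model rejects it because no inside host ever opened that flow.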

