[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Gary Dobbins dobbins at nd.edu
Tue Feb 1 17:20:12 GMT 2005

This supports a rule-of-thumb I've seen:

Use router ACLs only for very efficient and relatively few bulk-block types 
of filtering (such as upstream addr blocks of known-unwanteds);

use a purpose-built firewall device for stateful control.

PaulFM wrote:
> Carefully read the Manual on using reflexive rules.
> Reflexive rules actually create temporary reverse rules for each packet 
> they act on and will greatly increase the size of the access list the 
> router acts on (which could overload some routers).
> Ben Beuchler wrote:
>> On Mon, Jan 31, 2005 at 02:19:04PM -0700, Clyde Hoadley wrote:
>>> Are Cisco router VLAN ACLs stateful the
>>> way the PIX firewall is stateful?
>> I'm not familiar with PIX configuration, but most Cisco devices support
>> "reflexive" access lists which work very similarly to stateful firewall
>> rules on, say, an IPFW firewall.
>> -Ben


   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
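An added example (not from any of the posters above) of the reflexive access-list configuration Ben and Paul are discussing, in Cisco IOS syntax. The interface, list names and timeouts are assumed; the point is that every outbound session matched by a `reflect` entry creates a temporary reverse entry that `evaluate` consults on the way back in, which is what makes the list grow with traffic.

```cisco
! Outbound list: each matching packet opens a temporary reverse entry
! in the named reflexive list. The entry is removed when the TCP session
! closes or, for UDP/ICMP, when the timeout expires (assumed values).
ip access-list extended VLAN10-OUT
 permit tcp 10.10.0.0 0.0.255.255 any reflect VLAN10-SESSIONS timeout 300
 permit udp 10.10.0.0 0.0.255.255 any reflect VLAN10-SESSIONS timeout 60
 permit icmp 10.10.0.0 0.0.255.255 any reflect VLAN10-SESSIONS timeout 30
 deny ip any any

! Inbound list: static bulk blocks first (cheap, fixed size), then the
! dynamic reverse entries, then deny everything else.
ip access-list extended VLAN10-IN
 deny ip 192.0.2.0 0.0.0.255 any           ! assumed "known-unwanted" block
 evaluate VLAN10-SESSIONS
 deny ip any any log

! Apply both lists on the VLAN interface facing the outside.
interface Vlan10
 ip access-group VLAN10-OUT out
 ip access-group VLAN10-IN in

! Global default for entries that do not specify a per-line timeout.
ip reflexive-list timeout 120
```

Watch the dynamic list with `show access-lists VLAN10-SESSIONS`; its length at peak is the router-load cost Paul warns about, and protocols that open secondary connections on other ports (active-mode FTP, for instance) are not tracked by reflexive entries and still need a real stateful firewall.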