[unisog] Are cisco router VLAN ACL's stateful like a PIX?

Gary Dobbins dobbins at nd.edu
Tue Feb 1 17:20:12 GMT 2005


This supports a rule-of-thumb I've seen:

Use router ACLs only for very efficient and relatively few bulk-block types 
of filtering (such as upstream addr blocks of known-unwanteds)

-and-

use a purpose-built firewall device for stateful control.



PaulFM wrote:
> Carefully read the Manual on using reflexive rules.
> 
> Reflexive rules actually create temporary reverse rules for each packet 
> they act on and will greatly increase the size of the access list the 
> router acts on (which could overload some routers).
> 
> 
> 
> Ben Beuchler wrote:
> 
>> On Mon, Jan 31, 2005 at 02:19:04PM -0700, Clyde Hoadley wrote:
>>
>>
>>> Are Cisco router VLAN ACLs stateful the
>>> way the PIX firewall is stateful?
>>
>>
>>
>> I'm not familiar with PIX configuration, but most Cisco devices support
>> "reflexive" access lists which work very similarly to stateful firewall
>> rules on, say, an IPFW firewall.
>>
>> -Ben
>>
> 

-- 

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
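An added IOS configuration sketch (not from anyone in this thread) showing the reflexive access lists Ben and PaulFM refer to, combined with the cheap static "bulk-block" entries Gary suggests keeping on the router. The list names, the interface name and the blocked prefix are placeholders assumed for the example.

```ios
! Added example: reflexive ACLs on a router's upstream interface.
! OUTBOUND, INBOUND, TCP-SESSIONS, UDP-SESSIONS, GigabitEthernet0/0
! and 192.0.2.0/24 are assumed placeholders, not values from the thread.
!
! Outbound direction: each permitted TCP/UDP packet that matches a
! "reflect" entry creates a temporary mirrored (reverse) entry in the
! named reflexive list. Those entries are what PaulFM warns about: the
! effective ACL grows with the number of live sessions, and the idle
! timeout (seconds) controls how long an unused entry stays around.
ip access-list extended OUTBOUND
 remark permit outbound sessions and track them
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any
!
! Inbound direction: static denies first (cheap, what routers do well),
! then "evaluate" lets in only replies to tracked sessions. Entries
! after the evaluate lines are reached only for packets that match no
! tracked session.
ip access-list extended INBOUND
 remark constructed example of a known-unwanted upstream block (TEST-NET-1)
 deny   ip 192.0.2.0 0.0.0.255 any
 remark admit only return traffic for sessions opened from inside
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 remark everything else is dropped and logged for review
 deny   ip any any log
!
interface GigabitEthernet0/0
 description upstream link (assumed)
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Reflexive lists only mirror addresses and ports, so protocols that negotiate secondary channels (FTP data connections, for instance) are not tracked the way a PIX tracks them; for that kind of control the thread's advice to use a purpose-built firewall applies.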