Re: CBAC : never work for me :(

From: Jason Madsen (madsen.jason@gmail.com)
Date: Thu Jan 29 2009 - 14:12:00 ARST


Hi Gaurav,

There is no implicit deny with CBAC so to speak. You'll still need an ACL
to do your denies. When a CBAC entry is "hit" by your trusted traffic, a
permit will be added to your FIB allowing that specific traffic back
regardless of what denies you may have in an ACL. Hope that made sense.

Jason

On Thu, Jan 29, 2009 at 9:05 AM, GAURAV MADAN <gauravmadan1177@gmail.com> wrote:

> Hi Friends
>
> CBAC is one gray area that I don't understand at all. Please help me by
> pointing out where I am wrong.
>
>
> R5 192.10.1.5 f0/0.52============= 192.10.1.254BB
>
> I want traffic from outside to come in my network if and only if initiated
> from inside my network.
>
> First I configured:
>
> ip inspect name CBAC udp
>
> int f0/0.52
> ip inspect CBAC out
>
> I expect that all my TCP sessions to BB (like BGP) will fail. Also, I
> expect ping to BB will fail, etc. (because I have permitted only UDP).
> The rest of the policies I will apply later. But here only my understanding is
> failing. I am able to ping BB, and TCP sessions are up.
>
> Also, please clarify the direction of this.
>
> Thanks in advance
> Gaurav Madan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
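
The point made in the reply above, as an added configuration sketch that is not part of the original thread: the inspection rule only tracks sessions, so the deny has to come from an inbound ACL on the same interface. The ACL name OUTSIDE_IN is hypothetical; the interface and the inspection rule name are the ones from the post.

```cisco
! Added example, not from the original thread.
! OUTSIDE_IN is a hypothetical ACL name.
!
! Inspect only UDP leaving toward BB, as in the original post.
ip inspect name CBAC udp
!
! CBAC by itself blocks nothing. This ACL supplies the deny for
! everything arriving from BB. Return traffic that belongs to an
! inspected session is still allowed back in despite this entry.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
interface FastEthernet0/0.52
 ip inspect CBAC out
 ip access-group OUTSIDE_IN in
!
! With only UDP inspected, replies to TCP sessions and pings sent
! through this interface now hit the deny and are logged.
!
! Sessions the router itself originates (BGP or a ping from R5)
! are not inspected unless the rule carries the router-traffic
! keyword, for example: ip inspect name CBAC tcp router-traffic
!
! A deny-all inbound ACL also drops sessions that BB initiates,
! so add explicit permits above the deny for anything BB must open.
!
! Verification commands:
!  show ip inspect sessions
!  show ip access-lists OUTSIDE_IN
```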




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST