Re: Fwd: CBAC with/or without FAB

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Thu, 10 Sep 2009 14:27:32 -0400

Thanks.

Sounds good Anantha, it would also be interesting to hear others' opinions.
Have a great day, Anantha.

On Thu, Sep 10, 2009 at 1:22 PM, Anantha Subramanian Natarajan <
anantha.natarajan_at_gravitant.com> wrote:

> Hi Andrew,
>
> I am referring to Richard Deal's book on IOS firewall security for
> CBAC and some other security-related topics (it looks great to me, but it's
> a lot of information to go through for the lab (I guess we could make an
> intelligent guess what to read and not); again I may be totally wrong, and
> obviously would hear the expert comments if they contradict this). In
> addition I also used the IE workbook technology labs for the same. For
> shame, I have not yet fully read the Doc CD; hopefully I will do it soon
> to have a comment on it.
>
> My gut feeling, as you mentioned, is that if it comes to the lab, refer
> to the doc CD and all should be good (obviously making sure it didn't block
> any router-originated traffic like routing protocol/multicast traffic or
> anything else it could potentially block).
>
> My real concern for this is the OEQ section. It seems there is no
> boundary on what they could ask or what they feel we should know. I feel
> as long as we know the technology behind it, it should be fine, but I am
> nowhere near being able to say that for sure. So I have to think about what
> questions they could ask on CBAC and other technologies.
>
> I hope I answered your question and somehow have not confused you.
>
> Thanks
>
> Regards
> Anantha Subramanian Natarajan
>
> On Thu, Sep 10, 2009 at 10:59 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>
>> Anantha,
>>
>> What are your thoughts on this topic WRT the doc CD? Is the doc CD easy to
>> follow in your opinion?
>>
>> Also ... after going through this as you have, do you feel that you only
>> have to lab this 1 or 2 times and then just reference the doc CD in case it
>> comes up? Or ... do you feel this is something you need to do many times.
>>
>> I have not labbed this for at least two months now ... but used to
>> configure this several years ago for many small businesses. Curious to hear
>> your opinion,
>>
>> Andrew
>>
>> On Thu, Sep 10, 2009 at 11:47 AM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>>
>>> OK, couldn't resist and checked that :)
>>> Before FAB you see the dynamic ACL entries at the top of the ACL on the
>>> returning interface. With FAB you see only manually configured entries. In
>>> this case, the router uses the state table to allow returning traffic and the
>>> ACL to filter traffic which has no entries in the state table.
>>> Thus, with FAB you need to examine the CBAC state table (#ip inspect session)
>>> to see if it works.
>>> However, my previous statement is true and FAB cannot be disabled.
>>>
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, SEC)
>>>
>>>> Hi All,
>>>>
>>>> I was going through CBAC and understood (assuming I rightly understood)
>>>> that there are differences in the way the router looks at/inspects the
>>>> returning traffic. The way in which I understood it is,
>>>>
>>>> 1) Without FAB (Firewall ACL Bypass), when CBAC is implemented, there would
>>>> be dynamically created ACL entries at the top lines of the inbound ACL
>>>> applied to the external interface, based on the state table (show ip
>>>> inspect sessions). This will allow returning traffic coming from the
>>>> outside (external) which was previously originated and inspected by CBAC
>>>> from inside.
>>>>
>>>> 2) With FAB, CBAC will not create a dynamic ACL and just inspects the
>>>> state table to allow the returning traffic.
>>>>
>>>> Is my above understanding right? If so, my questions are
>>>>
>>>> 1) How to verify whether the CBAC in that particular router platform is
>>>> done with FAB or not, like by show commands? I was thinking to see, by
>>>> doing show ip access-list, if the entries are dynamically created, then it
>>>> is without FAB, or the other way. Is that the right way to verify?
>>>>
>>>> 2) In terms of OEQ, if a question is put to explain CBAC operation, I am at
>>>> this moment thinking of explaining both of the above, assuming I didn't
>>>> hear something wrong about those from you all.
>>>>
>>>> Kindly let me know your comments and corrections.
>>>>
>>>> Thanks for the great help
>>>>
>>>> Regards
>>>> Anantha Subramanian Natarajan
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>>
>>
>>
>> --
>> Andrew Lee Lissitz
>> all.from.nj_at_gmail.com
>>
>
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
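As an added example (not from any poster in this thread) of the setup discussed above: CBAC inspection applied on the inside interface, a static inbound ACL on the outside interface, and the two show commands used to tell the state table apart from the ACL. Interface names, the inspection rule name and the ACL name are assumed for illustration.

```cisco
! Added example, not from the thread: minimal CBAC configuration.
! Interface names, rule name and ACL name are assumed.
!
! Inspect TCP/UDP/ICMP sessions initiated from the inside; each one gets
! an entry in the CBAC state table.
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT icmp
!
! Inbound filter on the outside interface. Only statically permitted
! traffic and CBAC-tracked return traffic gets in. Router-originated or
! router-destined traffic that CBAC does not track (OSPF here) must be
! permitted explicitly, as Anantha's reply warns, or the ACL drops it.
ip access-list extended OUTSIDE-IN
 permit ospf any any
 deny   ip any any log
!
interface FastEthernet0/0
 description INSIDE
 ip inspect CBAC-OUT in
!
interface Serial0/0
 description OUTSIDE
 ip access-group OUTSIDE-IN in
!
! Verification once an inside host has opened a TCP session:
!   show ip inspect sessions
!     The state table. With FAB this is where returning packets are
!     matched, so this is the command that shows CBAC is working.
!   show ip access-lists OUTSIDE-IN
!     On FAB-capable IOS this shows only the two static entries above.
!     Pre-FAB IOS would additionally list temporary "permit tcp ..."
!     entries inserted at the top of the ACL for each tracked session.
```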
Received on Thu Sep 10 2009 - 14:27:32 ART

This archive was generated by hypermail 2.2.0 : Sun Oct 04 2009 - 07:42:03 ART