cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2826
Views
0
Helpful
1
Replies

CBAC vs. reflexive access-lists

b.carbery
Level 1
Level 1

It seems to me these features serve similar functions. Does CBAC essentially supercede reflexive access-lists due to the ability to recongnise application traffic such as FTP which RACL's cannot? Can the two coexist to allow RACLs to match applications the CBAC does not yet support?

1 Accepted Solution

Accepted Solutions

gfullage
Cisco Employee
Cisco Employee

Reflexive ACL's are very basic, they just look at outgoing traffic and allow the inverse to come back in. They don't know anything about particular protocols and don't look any further than the src/dest addresses and ports in the outgoing packet.

CBAC, on the other hand, turns your router into a true stateful firewall similar to the PIX. With CBAC incoming packets are allowed back in based on previous outgoing packets (similar to reflexive ACL's), but the incoming packets have to be part of an existing session. For example, CBAC checks the ACK/SEQ numbers in an incoming TCP packet to check that it's part of a known TCP session. If not, the packet is dropped. Additionally, CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACL's won't do this.

You can't use both at the same time. If there's a particular protocol that CBAC doesn't support, then CBAC will still open up a hole to allow the returning traffic as long as you have UDP and TCP inspection turned on. Additionally it still makes sure that the packets are part of an existing session. This is still more than reflexive ACL's will do for you, so if you can run CBAC then forget about reflexive ACL's.

View solution in original post

1 Reply 1

gfullage
Cisco Employee
Cisco Employee

Reflexive ACL's are very basic, they just look at outgoing traffic and allow the inverse to come back in. They don't know anything about particular protocols and don't look any further than the src/dest addresses and ports in the outgoing packet.

CBAC, on the other hand, turns your router into a true stateful firewall similar to the PIX. With CBAC incoming packets are allowed back in based on previous outgoing packets (similar to reflexive ACL's), but the incoming packets have to be part of an existing session. For example, CBAC checks the ACK/SEQ numbers in an incoming TCP packet to check that it's part of a known TCP session. If not, the packet is dropped. Additionally, CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACL's won't do this.

You can't use both at the same time. If there's a particular protocol that CBAC doesn't support, then CBAC will still open up a hole to allow the returning traffic as long as you have UDP and TCP inspection turned on. Additionally it still makes sure that the packets are part of an existing session. This is still more than reflexive ACL's will do for you, so if you can run CBAC then forget about reflexive ACL's.