[c-nsp] Reflexive ACLs or CBAC on 6500

bill fumerola billf at mu.org
Tue Jan 29 19:38:48 EST 2008


On Fri, Jan 25, 2008 at 12:19:20PM +0200, Tassos Chatzithomaoglou wrote:
> Has anyone real world experience of using these 2 features (Reflexive
> ACLs or CBAC) on 6500 with MSFC2 (SUP2) or MSFC3 (SUP720)?

depends on your environment.

if you can limit the traffic that would trigger the reflexive acl
with acls on your edge or are only triggering the reflexive acl with
your own traffic, they can be used.

they should be used in corner cases.

for instance, i have two NTP servers on my network and use them to allow
the return traffic from outside NTP servers. the acl is specific to those
two servers and can only be triggered by ntp traffic from those servers.
for them to go haywire, my ntp servers would have to start sending ntp
traffic to many destinations.

that's the kind of corner case i would use them for on msfc platform.

beyond things like that, as Roland says, avoid them.

-- bill
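The NTP corner case bill describes, written out as an added IOS configuration example (not from his message or from Cisco documentation). It assumes two internal NTP servers at 192.0.2.10 and 192.0.2.11 (constructed addresses), an uplink interface GigabitEthernet1/1, and a 120-second idle timeout; the reflexive entry can only be created by UDP/123 traffic sourced from those two hosts, so nothing else on the network can trigger it.

```cisco
! Outbound ACL on the uplink: only NTP sourced from our two servers
! creates reflexive entries. Everything else passes without reflecting.
ip access-list extended UPLINK-OUT
 remark constructed example: 192.0.2.10/11 are our NTP servers
 permit udp host 192.0.2.10 eq ntp any eq ntp reflect NTP-RETURN timeout 120
 permit udp host 192.0.2.11 eq ntp any eq ntp reflect NTP-RETURN timeout 120
 permit ip any any
!
! Inbound ACL on the uplink: the evaluate line admits only return
! traffic matching an existing reflexive entry (outside server -> our
! server, UDP/123 both ends). Unsolicited inbound NTP is dropped explicitly,
! so the reflexive list is the sole way NTP replies get in.
ip access-list extended UPLINK-IN
 evaluate NTP-RETURN
 deny udp any any eq ntp
 permit ip any any
!
interface GigabitEthernet1/1
 description uplink (constructed example)
 ip access-group UPLINK-IN in
 ip access-group UPLINK-OUT out
!
! Verification: the dynamic entries appear under the reflexive list name.
! show ip access-lists NTP-RETURN
```

The reflexive list can only grow as fast as the two servers send NTP queries, which is the bound bill relies on; if either server began sending UDP/123 to many destinations, the entry count would grow with it, so watching the size of NTP-RETURN is a cheap health check.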

