topic ACL- Cisco reflex is to Procurve what? in Switches, Hubs, and Modems

ACL- Cisco reflex is to Procurve what?

Tim Shephard — Sun, 31 Oct 2010 21:24:55 GMT

We have replaced an end Cisco router with a Procurve 5406. One of the old functions on the cisco was an ACL that uses the reflex command. I'm not familiar with cisco, but I think that allows for connected traffic to traverse the ACL for connected sessions.

On the Procurve the best I could do was use:
Permit tcp any any established.

But that did not allow for all the different protocols of traffic. So I still have problems.

How do I duplicate the cisco reflex ACL command function on a Procurve?

Thanks

Re: ACL- Cisco reflex is to Procurve what?

Mohammed Faiz — Mon, 01 Nov 2010 08:38:47 GMT

You could try "permit ip any any established" and similarly for other protocols, e.g.

"permit gre any any"

Re: ACL- Cisco reflex is to Procurve what?

Tim Shephard — Tue, 02 Nov 2010 16:36:26 GMT

I don't think there is a permit ip any any established. I thought I tried that. Which is why I had to go with permit tcp any any established and then permit udp any any. Thats the part I was worried about since there is not a permit udp any any established.

I know I must be missing something here.

Re: ACL- Cisco reflex is to Procurve what?

Mohammed Faiz — Wed, 03 Nov 2010 09:49:18 GMT

My mistake, I wasn't quite clear on how the 'established' parameter works.
It actually blocks the SYN packets for a TCP session whilst allowing other traffic. Obviously that only applies to TCP traffic.
Looking (briefly) at Cisco reflexive ACLs, there isn't an equivalent option on Procurves, that kind of thing is normally left for the (stateful) firewall to do!
A reflexive ACL dynamically creates ACL entries to allow traffic in the opposite direction for a new session.
Can you describe what you're trying to achieve with your ACL as I'm sure it would be possible to make up something that does the job?

Re: ACL- Cisco reflex is to Procurve what?

Tim Shephard — Thu, 04 Nov 2010 02:54:41 GMT

We have networks A, B, and C.

B must be protected all outside networks. However, there are some hosts on network C that must access B. Also B needs to be able to use the resources of network A.

So on B i have created an out ACL

permit any C to host B
permit TCP any any established

This kept network B from getting the resources on network A. Actually I think it kept the responses from getting back to C.

So I changed the ACL to:

permit any C to host B
permit TCP any any established
permit UDP any any

This allows B to access A's resources and effectively protects C, but I think having to use the UDP any any leaves an unnecessary vulnerability.