HPE Community
Switches, Hubs, and Modems
1753964 Members
7560 Online
108811 Solutions
New Discussion юеВ

Re: ACL- Cisco reflex is to Procurve what?

 
Tim Shephard
New Member

тАО10-31-2010 02:24 PM

тАО10-31-2010 02:24 PM

ACL- Cisco reflex is to Procurve what?

We have replaced an end Cisco router with a Procurve 5406. One of the old functions on the cisco was an ACL that uses the reflex command. I'm not familiar with cisco, but I think that allows for connected traffic to traverse the ACL for connected sessions.

On the Procurve the best I could do was use:
Permit tcp any any established.

But that did not allow for all the different protocols of traffic. So I still have problems.

How do I duplicate the cisco reflex ACL command function on a Procurve?

Thanks
0 Kudos
4 REPLIES 4
Mohammed Faiz
Honored Contributor

тАО11-01-2010 01:38 AM

тАО11-01-2010 01:38 AM

Re: ACL- Cisco reflex is to Procurve what?

You could try "permit ip any any established" and similarly for other protocols, e.g.

"permit gre any any"
0 Kudos
Tim Shephard
New Member

тАО11-02-2010 09:36 AM

тАО11-02-2010 09:36 AM

Re: ACL- Cisco reflex is to Procurve what?

I don't think there is a permit ip any any established. I thought I tried that. Which is why I had to go with permit tcp any any established and then permit udp any any. Thats the part I was worried about since there is not a permit udp any any established.

I know I must be missing something here.

0 Kudos
Mohammed Faiz
Honored Contributor

тАО11-03-2010 02:49 AM

тАО11-03-2010 02:49 AM

Re: ACL- Cisco reflex is to Procurve what?

My mistake, I wasn't quite clear on how the 'established' parameter works.
It actually blocks the SYN packets for a TCP session whilst allowing other traffic. Obviously that only applies to TCP traffic.
Looking (briefly) at Cisco reflexive ACLs, there isn't an equivalent option on Procurves, that kind of thing is normally left for the (stateful) firewall to do!
A reflexive ACL dynamically creates ACL entries to allow traffic in the opposite direction for a new session.
Can you describe what you're trying to achieve with your ACL as I'm sure it would be possible to make up something that does the job?
0 Kudos
Tim Shephard
New Member

тАО11-03-2010 07:54 PM

тАО11-03-2010 07:54 PM

Re: ACL- Cisco reflex is to Procurve what?

We have networks A, B, and C.

B must be protected all outside networks. However, there are some hosts on network C that must access B. Also B needs to be able to use the resources of network A.

So on B i have created an out ACL

permit any C to host B
permit TCP any any established

This kept network B from getting the resources on network A. Actually I think it kept the responses from getting back to C.

So I changed the ACL to:

permit any C to host B
permit TCP any any established
permit UDP any any

This allows B to access A's resources and effectively protects C, but I think having to use the UDP any any leaves an unnecessary vulnerability.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.