
ACL- Cisco reflex is to Procurve what?

Tim Shephard
Occasional Visitor


We have replaced an end Cisco router with a Procurve 5406. One of the old functions on the Cisco was an ACL that uses the reflex command. I'm not familiar with Cisco, but I think that allows for connected traffic to traverse the ACL for connected sessions.

On the Procurve the best I could do was use:
permit tcp any any established

But that did not allow for all the different protocols of traffic. So I still have problems.

How do I duplicate the cisco reflex ACL command function on a Procurve?

Thanks
4 REPLIES
Mohammed Faiz
Honored Contributor

Re: ACL- Cisco reflex is to Procurve what?

You could try "permit ip any any established" and similarly for other protocols, e.g.

"permit gre any any"
Tim Shephard
Occasional Visitor

Re: ACL- Cisco reflex is to Procurve what?

I don't think there is a permit ip any any established. I thought I tried that. Which is why I had to go with permit tcp any any established and then permit udp any any. That's the part I was worried about since there is not a permit udp any any established.

I know I must be missing something here.

Mohammed Faiz
Honored Contributor

Re: ACL- Cisco reflex is to Procurve what?

My mistake, I wasn't quite clear on how the 'established' parameter works.
It actually blocks the SYN packets for a TCP session whilst allowing other traffic. Obviously that only applies to TCP traffic.
Looking (briefly) at Cisco reflexive ACLs, there isn't an equivalent option on Procurves, that kind of thing is normally left for the (stateful) firewall to do!
A reflexive ACL dynamically creates ACL entries to allow traffic in the opposite direction for a new session.
Can you describe what you're trying to achieve with your ACL as I'm sure it would be possible to make up something that does the job?
Tim Shephard
Occasional Visitor

Re: ACL- Cisco reflex is to Procurve what?

We have networks A, B, and C.

B must be protected from all outside networks. However, there are some hosts on network C that must access B. Also B needs to be able to use the resources of network A.

So on B I have created an out ACL

permit any C to host B
permit TCP any any established

This kept network B from getting the resources on network A. Actually I think it kept the responses from getting back to C.

So I changed the ACL to:

permit any C to host B
permit TCP any any established
permit UDP any any

This allows B to access A's resources and effectively protects C, but I think having to use the UDP any any leaves an unnecessary vulnerability.
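The following is an added example, not code from the thread, from HP, or from Cisco. It is a toy packet-filter model that puts Mohammed's explanation of the established keyword and Tim's A/B/C scenario side by side: Tim's first ACL, his second ACL with the udp any any line, and a reflexive-style filter that records the replies network B should expect. Addresses (A = 10.1.0.0/24, B = 10.2.0.0/24, the one permitted C host 10.3.0.10) and the test packets are all constructed, and the filter is placed on traffic entering B, which is how I read Tim's out ACL.

```python
"""Stateless 'established' ACLs vs. a reflexive (stateful) filter.

Constructed toy model, not ProCurve or Cisco code. Addresses are
hypothetical: network A = 10.1.0.0/24 (resources), B = 10.2.0.0/24
(protected), C = 10.3.0.0/24 with one permitted host 10.3.0.10.
All three filters are evaluated on packets heading INTO network B.
"""
import ipaddress
from dataclasses import dataclass, field

NET_B = ipaddress.ip_network("10.2.0.0/24")
C_HOST = ipaddress.ip_network("10.3.0.10/32")   # the one C host allowed into B


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags only

    def tuple5(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        """The 5-tuple a reply to this packet would carry."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


def in_net(addr, net):
    return ipaddress.ip_address(addr) in net


def established(pkt):
    """'established' as the switch/router evaluates it: a TCP segment with
    ACK or RST set. It is a flag test with no connection table, so it says
    nothing about UDP and it also passes a forged ACK from any source."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


def acl_v1(pkt):
    """Tim's first ACL: permit C-host -> B, permit tcp any any established,
    then the implicit deny."""
    if in_net(pkt.src, C_HOST) and in_net(pkt.dst, NET_B):
        return "permit"
    if established(pkt):
        return "permit"
    return "deny"


def acl_v2(pkt):
    """Tim's second ACL: v1 plus permit udp any any."""
    if acl_v1(pkt) == "permit" or pkt.proto == "udp":
        return "permit"
    return "deny"


class ReflexiveFilter:
    """What a Cisco reflexive ACL (or a stateful firewall) does: watch
    traffic leaving B and admit only the matching replies. Real devices
    also expire these entries on an idle timeout; omitted here."""

    def __init__(self):
        self.expected = set()

    def outbound(self, pkt):
        self.expected.add(pkt.reverse())

    def inbound(self, pkt):
        if in_net(pkt.src, C_HOST) and in_net(pkt.dst, NET_B):
            return "permit"
        if pkt.tuple5() in self.expected:
            return "permit"
        return "deny"


def run_scenarios():
    """Evaluate the same inbound packets against all three filters."""
    refl = ReflexiveFilter()
    # Traffic that a host in B originates toward A (constructed sample)
    refl.outbound(Packet("udp", "10.2.0.5", 40000, "10.1.0.53", 53))
    refl.outbound(Packet("tcp", "10.2.0.5", 50000, "10.1.0.80", 80, frozenset({"SYN"})))

    inbound = {
        "dns_reply":       Packet("udp", "10.1.0.53", 53, "10.2.0.5", 40000),
        "web_synack":      Packet("tcp", "10.1.0.80", 80, "10.2.0.5", 50000, frozenset({"SYN", "ACK"})),
        "allowed_c_host":  Packet("tcp", "10.3.0.10", 3000, "10.2.0.5", 22, frozenset({"SYN"})),
        "rogue_udp_probe": Packet("udp", "10.3.0.99", 1234, "10.2.0.5", 161),
        "rogue_syn":       Packet("tcp", "10.3.0.99", 1234, "10.2.0.5", 22, frozenset({"SYN"})),
        "rogue_ack_scan":  Packet("tcp", "10.3.0.99", 1234, "10.2.0.5", 22, frozenset({"ACK"})),
    }
    return {name: {"v1": acl_v1(p), "v2": acl_v2(p), "reflexive": refl.inbound(p)}
            for name, p in inbound.items()}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:16}", "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the two gaps the thread circles around: the first ACL drops the DNS reply from A (so B "cannot get A's resources"), the second ACL lets the reply through but also lets an unsolicited UDP probe into B, and both stateless ACLs pass a bare ACK from an outside host because established only looks at flags. Only the reflexive filter, which keeps a table of expected replies, permits the DNS answer while still dropping the probe and the ACK scan; that table is the state a stateless ACL has no place to keep.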