nanog mailing list archives
Re: Finding asymmetric path
From: Arie Vayner <arievayner () gmail com>
Date: Sun, 29 Nov 2009 10:17:18 +0200
Actually, this can be achieved easily using reflexive ACLs on any Cisco router, so no real need to change the topology or add new devices in the path:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#reflexacl

Arie

On Sat, Nov 28, 2009 at 10:26 PM, Duane Waddle <duane.waddle () gmail com> wrote:
> On Sat, Nov 28, 2009 at 1:41 PM, Brielle Bruns <bruns () 2mbit com> wrote:
>> My partner Tammy says a PIX could probably accomplish the same task (we have some here for the corp lan stuff, including spares).
>
> Yes, a PIX/ASA would stop this cold. The TCP state tracking would not allow traffic to pass unless the whole 3-way handshake was observed by the box. Only recently did Cisco add features to make tracking the TCP connection state optional.
> ( http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpstatebypass.pdf )
>
> The larger ASA-5580 machines can be virtualized into dozens (or more) security contexts as needed. I imagine it would take some effort to figure out how to cleanly integrate such a configuration into a POP.
>
> --D
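As an added illustration, not code from this thread, from Cisco, or from any of the posters, the block below models the behaviour both replies rely on: a reflexive-ACL or PIX-style tracker only admits inbound packets for connections whose outbound leg it has already seen. Run over constructed traffic, it shows how a flow whose forward path bypasses the box is revealed by mid-stream return packets (SYN-ACK, ACK, PSH-ACK) arriving with no matching state, which is what makes such a device useful for finding an asymmetric path. The class and function names, the 10.0.0.0/8 and documentation-range addresses, and the simplified flag handling are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet model: flags is a short TCP flag string ("S", "SA", "A", "PA"),
# direction is "out" (inside -> outside) or "in" (outside -> inside).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    direction: str

# Connection key is always ordered (inside_ip, inside_port, outside_ip, outside_port)
Key = Tuple[str, int, str, int]


class ReflexiveTracker:
    """Simplified model of reflexive-ACL / stateful-firewall TCP tracking (hypothetical name).

    Outbound packets are permitted and create or advance state; inbound packets are
    permitted only if a matching entry exists. This mirrors the "whole 3-way handshake
    must be observed" behaviour described in the thread, not any vendor's exact engine.
    """

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}
        self.passed: List[Packet] = []
        self.dropped: List[Packet] = []

    def process(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            key: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.table[key] = "SYN_SENT"          # reflexive entry created by the outbound SYN
            elif pkt.flags == "A" and self.table.get(key) == "SYN_RECV":
                self.table[key] = "ESTABLISHED"       # third leg of the handshake seen
            self.passed.append(pkt)
            return True

        # Inbound: admit only if the outbound side of this flow was observed here
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            self.dropped.append(pkt)                  # no state: unsolicited or asymmetric
            return False
        if state == "SYN_SENT" and pkt.flags == "SA":
            self.table[key] = "SYN_RECV"
        self.passed.append(pkt)
        return True

    def state_of(self, inside: str, iport: int, outside: str, oport: int) -> str:
        return self.table.get((inside, iport, outside, oport), "NONE")

    def asymmetric_suspects(self) -> List[Tuple[str, str]]:
        """(outside_ip, inside_ip) pairs whose return traffic carried ACK but had no state.

        A bare inbound SYN with no state is simply a blocked new connection; a SYN-ACK or
        data packet with no state means the forward leg left by another path.
        """
        pairs = {(p.src, p.dst) for p in self.dropped if "A" in p.flags}
        return sorted(pairs)


def simulate() -> dict:
    """Feed constructed symmetric, asymmetric and unsolicited traffic through the tracker."""
    t = ReflexiveTracker()
    symmetric = [  # both directions traverse this box: full handshake observed
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, "S", "out"),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, "SA", "in"),
        Packet("10.0.0.5", 40000, "192.0.2.10", 80, "A", "out"),
        Packet("192.0.2.10", 80, "10.0.0.5", 40000, "PA", "in"),
    ]
    asymmetric = [  # outbound leg went via another router; only the return path is seen here
        Packet("198.51.100.7", 443, "10.0.0.6", 40001, "SA", "in"),
        Packet("198.51.100.7", 443, "10.0.0.6", 40001, "PA", "in"),
    ]
    unsolicited = [  # plain inbound SYN with no state: blocked, but not an asymmetry symptom
        Packet("203.0.113.9", 12345, "10.0.0.5", 22, "S", "in"),
    ]
    for p in symmetric + asymmetric + unsolicited:
        t.process(p)
    return {
        "passed": len(t.passed),
        "dropped": len(t.dropped),
        "symmetric_state": t.state_of("10.0.0.5", 40000, "192.0.2.10", 80),
        "asymmetric_suspects": t.asymmetric_suspects(),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

On a real box the equivalent signal is the log of inbound denies from the reflexive ACL (or the ASA's "no connection" / out-of-order state drops); filtering those for packets with ACK set, as `asymmetric_suspects` does, separates the asymmetric flows from ordinary unsolicited inbound SYNs.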