Reflexive ACL Question
I'm coming to the big boys with this one, more of just a mental exercise right now, but a possibility for something we're considering. Let's say I have two routers, each one pointed at a different ISP and with a reflexive access list applied to the ISP connected interface. Is there a way to synchronize the state table of the access lists between the two routers? In other words, is there a way to configure it where if traffic goes out one router and comes back in the second router, it doesn't get dropped?
Comments
-
EMcCaleb (Member, 63 posts):
The short answer is no. Asymmetrical routing is the bane of many a security architecture.
-
alan2308 (Member, 1,854 posts):
Thanks, I didn't think it was possible, but it was worth a shot.
-
wintermute000 (Banned, 172 posts):
Does uRPF Make Sense in Internet Service Provider Networks? « ipSpace.net by @ioshints
uRPF != reflexive ACL, but the logic is similar for what you're trying to do.
If you cannot have asymmetric routing for whatever reason (re: internet edge topologies, there isn't a great reason to NOT do it, esp. in a BGP full-tables scenario), then you will have to make your BGP pure active/passive and forget load sharing or using the optimum ISP path.
Even if you choose to try to go pure active/passive, you may have issues with resources locally hosted with your passive ISP, who will likely see your ISP link as preferred regardless of how you manipulate your PA, so you'll have to use other tricks like conditional advertisement etc.
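As an added illustration of why the thread's answer is "no" (this is not code from the forum or from any router vendor): a small Python model of a reflexive ACL's per-router state table. Each router records a mirrored entry only for flows it forwarded outbound, so a reply arriving at the other router finds no entry and is dropped; the addresses, ports and idle timeout are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One 5-tuple as seen by the ACL."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The mirrored entry a reflexive ACL creates: src/dst swapped.
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class ReflexiveAcl:
    """Model of one router's reflexive ACL on its ISP-facing interface.

    Outbound traffic matching the 'reflect' statement installs a temporary
    mirrored entry; inbound traffic is permitted by 'evaluate' only when a
    live mirrored entry exists. State is local to this router instance.
    """

    def __init__(self, idle_timeout: int = 300):
        self.idle_timeout = idle_timeout
        self.state: dict[Flow, int] = {}  # mirrored flow -> expiry timestamp

    def outbound(self, flow: Flow, now: int) -> bool:
        self.state[flow.reverse()] = now + self.idle_timeout
        return True

    def inbound(self, flow: Flow, now: int) -> bool:
        expiry = self.state.get(flow)
        if expiry is None or now > expiry:
            self.state.pop(flow, None)  # purge a stale entry
            return False
        self.state[flow] = now + self.idle_timeout  # refresh idle timer
        return True


def asymmetric_demo() -> dict:
    """Session leaves via R1; compare the reply taking each return path."""
    r1, r2 = ReflexiveAcl(), ReflexiveAcl()  # two independent state tables
    out = Flow("10.0.0.5", 40000, "203.0.113.10", 443)  # constructed sample
    r1.outbound(out, now=0)
    back = out.reverse()
    return {
        "symmetric": r1.inbound(back, now=1),    # returns via R1: permitted
        "asymmetric": r2.inbound(back, now=1),   # returns via R2: dropped
        "expired": r1.inbound(back, now=400),    # idle timer ran out on R1
    }
```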