Reflexive ACL Question
alan2308
I'm coming to the big boys with this one, more of just a mental exercise right now, but a possibility for something we're considering. Let's say I have two routers, each one pointed at a different ISP and with a reflexive access list applied to the ISP connected interface. Is there a way to synchronize the state table of the access lists between the two routers? In other words, is there a way to configure it where if traffic goes out one router and comes back in the second router, it doesn't get dropped?
Comments
EMcCaleb
The short answer is no. Asymmetrical routing is the bane of many a security architecture.
alan2308
Thanks, I didn't think it was possible but it was worth a shot.
wintermute000
Does uRPF Make Sense in Internet Service Provider Networks? « ipSpace.net by @ioshints
uRPF != reflexive ACL but the logic is similar for what you're trying to do
If you cannot have asymmetric routing for whatever reason (re: internet edge topologies, there isn't a great reason to NOT do it, esp. in a BGP full-tables scenario), then you will have to make your BGP pure active/passive and forget load sharing or using the optimum ISP path.
Even if you choose to try to go pure active/passive, you may have issues with resources locally hosted with your passive ISP, who will likely see your ISP link as preferred regardless of how you manipulate your PA, so you'll have to use other tricks like conditional advertisement etc.
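The following IOS configuration is an added example, not something posted in this thread. It shows where the reflexive ACL state actually lives (a per-router list built by `reflect`, consumed by `evaluate`, with nothing that replicates it to a second router) and the active/passive BGP design the reply above describes, including conditional advertisement so that the passive ISP does not receive the prefix at all while the primary path is up. Router names (R1, R2), AS numbers, RFC 5737 addresses, prefix-list and route-map names, and the "beacon" prefix used to detect that ISP-A is reachable are all assumptions chosen for the example.

```cisco
! Added example, not from the original thread. Two edge routers:
! R1 -> ISP-A (AS 64501, primary), R2 -> ISP-B (AS 64502, passive),
! iBGP between R1 (10.0.0.1) and R2 (10.0.0.2). Our prefix: 192.0.2.0/24.
! All addresses and names are assumed for illustration.

! --- Reflexive ACL on the ISP-facing interface (R1 shown; R2 is identical
! --- with its own addresses). The reflexive entries TCP-REFLECT etc. are
! --- created on the router that forwards the outbound packet and exist
! --- only there; a reply entering R2 for a session that left via R1 hits
! --- R2's INBOUND list with no matching entry and is denied.
ip access-list extended OUTBOUND
 permit tcp any any reflect TCP-REFLECT timeout 300
 permit udp any any reflect UDP-REFLECT timeout 60
 permit icmp any any reflect ICMP-REFLECT timeout 30
ip access-list extended INBOUND
 ! Router-originated traffic is not evaluated by the outbound ACL, so the
 ! eBGP session never creates a reflexive entry; permit it explicitly.
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 evaluate ICMP-REFLECT
 deny ip any any log
interface GigabitEthernet0/0
 description to ISP-A
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTBOUND out
 ip access-group INBOUND in

! --- R1: primary. Everything learned from ISP-A gets local-preference 200,
! --- so both routers send outbound traffic via R1 while ISP-A is up.
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
route-map OUR-PREFIX permit 10
 match ip address prefix-list OUR-PREFIX
route-map ISP-A-IN permit 10
 set local-preference 200
router bgp 65000
 neighbor 198.51.100.1 remote-as 64501
 neighbor 10.0.0.2 remote-as 65000
 address-family ipv4
  network 192.0.2.0 mask 255.255.255.0
  neighbor 198.51.100.1 activate
  neighbor 198.51.100.1 route-map ISP-A-IN in
  neighbor 198.51.100.1 route-map OUR-PREFIX out
  neighbor 10.0.0.2 activate
  neighbor 10.0.0.2 next-hop-self

! --- R2: passive. ISP-B routes keep the default local-preference (100),
! --- so they lose to R1's iBGP-learned routes until ISP-A disappears.
! --- AS-path prepending toward ISP-B would still leave ISP-B's own
! --- customers preferring the direct link, which is the asymmetry the
! --- reply above warns about. Conditional advertisement instead withdraws
! --- 192.0.2.0/24 from ISP-B entirely whenever a prefix that is only
! --- reachable through ISP-A (assumed here: 198.51.100.0/24, learned
! --- from R1 over iBGP) is present in R2's BGP table.
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
ip prefix-list ISP-A-BEACON seq 5 permit 198.51.100.0/24
route-map ADV-OUR-PREFIX permit 10
 match ip address prefix-list OUR-PREFIX
route-map ISP-A-ALIVE permit 10
 match ip address prefix-list ISP-A-BEACON
route-map OUR-PREFIX permit 10
 match ip address prefix-list OUR-PREFIX
router bgp 65000
 neighbor 203.0.113.1 remote-as 64502
 neighbor 10.0.0.1 remote-as 65000
 address-family ipv4
  network 192.0.2.0 mask 255.255.255.0
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map OUR-PREFIX out
  neighbor 203.0.113.1 advertise-map ADV-OUR-PREFIX non-exist-map ISP-A-ALIVE
  neighbor 10.0.0.1 activate
  neighbor 10.0.0.1 next-hop-self
```

With this in place, `show ip bgp neighbors 203.0.113.1 | include Condition-map` on R2 reports the advertise-map status as Withdraw while the beacon prefix is in the table and Advertise once it is gone, which is the check to run when testing the failover. The price is exactly what the reply states: ISP-B carries no traffic in either direction until ISP-A fails, and the reflexive ACL state on R1 is lost at that moment, so established sessions have to be re-opened through R2.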