Hi all
We currently have a 3750 which we're using as a router / layer 3 switch. We're considering adding some access lists to the device, based on source and destination IP and also based on protocol/service.
In a traditional firewall, if I allow TCP 80 from 192.168.1.0/24 to 192.168.200.200/32 I only have to allow port 80 one way; I don't have to allow the response back in the opposite direction from 192.168.200.200 to 192.168.1.x for all ports over 1024, because the firewall records the session in its session table and knows that it's in response to an earlier packet.
If I do the same thing on the 3750, would I have to allow the response back to the client also? Or would the 3750 also know that this is for an established session and therefore allow the packet?
According to the link below (sorry, you might need an EE account to view the replies) the 3750 is not stateful, and therefore I WOULD have to create another access list to allow the response back from the host to the clients.
Am I making any sense here? Any response would be greatly appreciated.
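An added example (not from the original post) of what the stateless version of this rule looks like in IOS ACL syntax. The SVI names and VLAN numbers are assumptions; the addresses and port are the ones from the question.

```cisco
! Added example, not from the original post. Vlan10 / Vlan200 are assumed names.
!
! Direction 1: clients in 192.168.1.0/24 may open TCP/80 to 192.168.200.200.
ip access-list extended CLIENTS-TO-SERVER
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.200.200 eq 80
 deny   ip any any
!
! Direction 2: the 3750 keeps no session table, so the server's replies need
! their own entry. "established" only matches TCP segments with ACK or RST set
! (i.e. anything that is not a fresh SYN); it is a flag check, not state tracking,
! so it will also pass a crafted ACK packet that never belonged to a session.
ip access-list extended SERVER-TO-CLIENTS
 permit tcp host 192.168.200.200 eq 80 192.168.1.0 0.0.0.255 established
 deny   ip any any
!
interface Vlan10
 description clients 192.168.1.0/24 (assumed)
 ip access-group CLIENTS-TO-SERVER in
!
interface Vlan200
 description server 192.168.200.200 (assumed)
 ip access-group SERVER-TO-CLIENTS in
```

The explicit `deny ip any any` lines only make the implicit deny visible; `show access-lists` afterwards shows per-entry hit counters, which is the quickest way to confirm that return traffic is actually matching the `established` entry rather than being dropped.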