Cisco IOS Firewall Guidelines and Restrictions - Cisco 7604 Configuration Manual

IOS Software Configuration Guide
Cisco IOS Firewall Guidelines and Restrictions

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, Chapter 44, Configuring the Cisco IOS Firewall Feature Set (OL-4266-08)

Cisco IOS Security Command Reference: http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html

The following features are supported with and without the use of a Cisco IOS firewall image:
• Standard access lists and static extended access lists
• Lock-and-key (dynamic access lists)
• IP session filtering (reflexive access lists)
• TCP intercept
• Security server support
• Network address translation
• Neighbor router authentication
• Event logging
• User authentication and authorization

Note: Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.

When configuring the Cisco IOS firewall features, follow these guidelines and restrictions:
• On other platforms, if you enter the ip inspect command on a port, CBAC modifies the ACLs on other ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series routers, CBAC does not make that modification for you: you must enter the mls ip inspect command to permit traffic through any ACLs that would otherwise deny the traffic on other ports. Refer to the "Additional CBAC Configuration" section on page 44-3 for more information.
• Reflexive ACLs and CBAC have conflicting flow mask requirements. Reflexive ACLs are processed in software on the MSFC.
• CBAC is incompatible with VACLs. You can configure CBAC and VACLs on the same router, but not in the same subnet (VLAN).
  Note: The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is an ACL configured to select the traffic for the IDSM.
• To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.
• To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.
• QoS and CBAC do not interact or interfere with each other.
• You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.
• You cannot configure VACLs and CBAC on the same interface.
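As an added example (not Cisco's code or part of this guide), the following Python script audits a Cisco 7600 running-config against the restrictions above: it flags the unsupported ip audit command, CBAC and a VACL applied in the same VLAN, a reflexive ACL on an interface that also runs ip inspect, and ip inspect applied without the global mls ip inspect command. The two configurations embedded in it are constructed samples; the ACL names, the IDSM capture ACL 101, and the reading of the mls ip inspect argument as the ACL that would otherwise deny the inspected return traffic are assumptions.

```python
import re

def parse_blocks(config):
    """Split IOS config text into (header, [child lines]) blocks: an unindented
    line starts a block and the indented lines after it are its children."""
    blocks = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or '!' separator
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '10,20-22' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def audit(config):
    """Return sorted (code, detail) findings for the 7600 CBAC restrictions."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    # The IOS firewall IDS (ip audit) is not supported on the 7600.
    findings = [("IP_AUDIT_UNSUPPORTED", h) for h in headers if h.startswith("ip audit ")]
    # Named ACLs that 'reflect' or 'evaluate' a session list are reflexive ACLs.
    reflexive = {h.split()[-1] for h, body in blocks if h.startswith("ip access-list ")
                 and any(re.search(r"\b(reflect|evaluate)\b", ln) for ln in body)}
    # VLANs carrying a VACL: 'vlan filter <map> vlan-list <list>'.
    vacl_vlans = set()
    for h in headers:
        m = re.match(r"vlan filter \S+ vlan-list (.+)", h)
        if m:
            vacl_vlans |= expand_vlan_list(m.group(1))
    inspect_seen = False
    for h, body in blocks:
        if not h.startswith("interface ") or not any(ln.startswith("ip inspect ") for ln in body):
            continue
        inspect_seen = True
        name = h.split(None, 1)[1]
        # CBAC and a VACL in the same VLAN are incompatible.
        m = re.match(r"[Vv]lan(\d+)$", name)
        if m and int(m.group(1)) in vacl_vlans:
            findings.append(("CBAC_VACL_SAME_VLAN", name))
        # Reflexive ACLs and CBAC have conflicting flow-mask requirements.
        for ln in body:
            m = re.match(r"ip access-group (\S+) (in|out)$", ln)
            if m and m.group(1) in reflexive:
                findings.append(("REFLEXIVE_WITH_CBAC", f"{name} {m.group(1)}"))
    # On the 7600, ip inspect does not open other ports' ACLs by itself; the
    # global 'mls ip inspect <acl>' must be present for inspected flows to pass.
    if inspect_seen and not any(h.startswith("mls ip inspect ") for h in headers):
        findings.append(("MISSING_MLS_IP_INSPECT", "no global 'mls ip inspect' command"))
    return sorted(findings)

# Constructed sample that breaks all four restrictions.
BAD_CONFIG = """\
ip audit name IDS info action alarm
ip inspect name FW tcp
ip inspect name FW h323
ip access-list extended OUTBOUND
 permit tcp any any reflect TCPFLOWS
ip access-list extended INBOUND
 evaluate TCPFLOWS
vlan access-map IDSM-CAPTURE 10
 action forward
vlan filter IDSM-CAPTURE vlan-list 10,20-21
interface Vlan10
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 ip inspect FW in
"""

# Constructed sample that follows them: CBAC on Vlan10 with the IDSM fed by
# 'mls ip ids' instead of a VACL, the VACL only on VLAN 20, and the global
# 'mls ip inspect' naming the ACL on the outside port (assumed usage).
GOOD_CONFIG = """\
ip inspect name FW tcp
ip inspect name FW h323
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.1.10.5 eq 443
 deny ip any any
mls ip inspect OUTSIDE-IN
vlan access-map IDSM-CAPTURE 10
 action forward
vlan filter IDSM-CAPTURE vlan-list 20
interface GigabitEthernet1/1
 ip access-group OUTSIDE-IN in
interface Vlan10
 ip inspect FW in
 mls ip ids 101
"""
```

Run `audit()` over the output of `show running-config`; an empty list means none of the four restrictions is violated. The parser only understands the one-level indentation IOS uses for interface, named-ACL and access-map blocks, which is all these checks need.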