Configuring CBAC on Catalyst 6500 Series Switches - Cisco 6500 Series Software Configuration Manual


Chapter 23
Configuring Network Security

Configuring CBAC on Catalyst 6500 Series Switches

CBAC on a Catalyst 6500 series switch requires configuration beyond what other Cisco IOS platforms
need. On a network device other than a Catalyst 6500 series switch, when the ACLs applied to ports deny
traffic, CBAC permits an inspected session to flow bidirectionally through the port configured with the
ip inspect command, and it does the same for every other port that the session needs to go through, as
shown in this example:
Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
Router(config-if)# exit
Router(config)# interface vlan 200
Router(config-if)# ip access-group deny_ftp_c in
Router(config-if)# ip access-group deny_ftp_d out
Router(config-if)# exit
Router(config)# interface vlan 300
Router(config-if)# ip access-group deny_ftp_e in
Router(config-if)# ip access-group deny_ftp_f out
Router(config-if)# end
If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC permits the FTP traffic
through ACLs deny_ftp_a, deny_ftp_b, deny_ftp_c, and deny_ftp_d. If another FTP session enters on
VLAN 100 and needs to leave on VLAN 300, CBAC permits the FTP traffic through ACLs deny_ftp_a,
deny_ftp_b, deny_ftp_e, and deny_ftp_f.
On a Catalyst 6500 series switch, when ports are configured to deny traffic, CBAC permits traffic to flow
bidirectionally only through the port configured with the ip inspect command. For every other port on the
session's path, you must name the ACLs applied to that port with the mls ip inspect acl-name command;
otherwise those ACLs continue to deny the inspected traffic.
If the FTP session enters on VLAN 100 and needs to leave on VLAN 200, CBAC on a Catalyst 6500
series switch permits the FTP traffic only through ACLs deny_ftp_a and deny_ftp_b. To permit the
traffic through ACLs deny_ftp_c and deny_ftp_d, you must enter the mls ip inspect deny_ftp_c and mls
ip inspect deny_ftp_d commands, as shown in this example:
Router(config)# mls ip inspect deny_ftp_c
Router(config)# mls ip inspect deny_ftp_d
With the example configuration, FTP traffic cannot leave on VLAN 300 unless you enter the mls ip
inspect deny_ftp_e and mls ip inspect deny_ftp_f commands. Enter the show fm insp [detail]
command to verify the configuration.
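As an added example that is not part of the original guide, the following Python script applies the rule above to a running-config excerpt: for a given session path it lists the ACLs that CBAC will not open on a Catalyst 6500 because their interface carries no ip inspect command and the ACL is not named in a global mls ip inspect command, and it produces the missing commands. The config text is constructed from this section's example, with the VLAN 200 entries already present and the VLAN 300 entries missing; the regular expressions cover only the four command forms used here.

```python
import re
from collections import defaultdict

# Constructed running-config excerpt modelled on the three-VLAN example in
# this section (not captured from a real switch). VLAN 200's ACLs already
# have mls ip inspect entries; VLAN 300's do not.
SAMPLE_CONFIG = """\
ip inspect name permit_ftp ftp
!
interface Vlan100
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
!
interface Vlan200
 ip access-group deny_ftp_c in
 ip access-group deny_ftp_d out
!
interface Vlan300
 ip access-group deny_ftp_e in
 ip access-group deny_ftp_f out
!
mls ip inspect deny_ftp_c
mls ip inspect deny_ftp_d
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)\s*$")
IP_INSPECT_RE = re.compile(r"^\s+ip inspect (\S+) (in|out)\s*$")
MLS_INSPECT_RE = re.compile(r"^mls ip inspect (\S+)\s*$")


def parse_config(text):
    """Collect per-interface ACLs, per-interface ip inspect rules, and the
    set of ACL names given to global 'mls ip inspect' commands."""
    acls = defaultdict(list)           # interface -> [(acl_name, direction)]
    inspect_rules = defaultdict(list)  # interface -> [(rule_name, direction)]
    mls = set()
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):   # back in global configuration mode
            current = None
            m = MLS_INSPECT_RE.match(line)
            if m:
                mls.add(m.group(1))
            continue
        if current is None:
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            acls[current].append((m.group(1), m.group(2)))
            continue
        m = IP_INSPECT_RE.match(line)
        if m:
            inspect_rules[current].append((m.group(1), m.group(2)))
    return acls, inspect_rules, mls


def acls_not_opened(text, path):
    """ACLs on the interfaces in 'path' that CBAC will not open on a
    Catalyst 6500. An interface carrying 'ip inspect' is opened in both
    directions by CBAC itself; the ACLs of every other interface must be
    named in 'mls ip inspect <acl>'. Returns [(interface, acl, direction)]."""
    acls, inspect_rules, mls = parse_config(text)
    if not any(inspect_rules.get(iface) for iface in path):
        raise ValueError("no interface on the path has an ip inspect rule")
    missing = []
    for iface in path:
        if inspect_rules.get(iface):
            continue                   # CBAC opens these ACLs itself
        for acl, direction in acls.get(iface, []):
            if acl not in mls:
                missing.append((iface, acl, direction))
    return missing


def fix_commands(text, path):
    """Global-configuration lines that would complete the configuration."""
    return [f"mls ip inspect {acl}" for _, acl, _ in acls_not_opened(text, path)]


if __name__ == "__main__":
    for path in (["Vlan100", "Vlan200"], ["Vlan100", "Vlan300"]):
        print(" -> ".join(path), "not opened:", acls_not_opened(SAMPLE_CONFIG, path))
        print("  fix:", fix_commands(SAMPLE_CONFIG, path))
```

Run it against a saved show running-config and the session paths you expect CBAC to open; a non-empty result means the inspected traffic is dropped at that interface, which is the symptom the guide describes for VLAN 300.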
The show fm insp [detail] command displays the list of ACLs and ports on which CBAC is configured
and the status (ACTIVE or INACTIVE), as shown in this example:
Router# show fm insp
 interface:Vlan305(in) status :ACTIVE
   acl name:deny
   interfaces:
     Vlan305(out):status ACTIVE
In this output, inspection is active on VLAN 305 in the inbound direction and no ACL is applied there.
ACL deny is applied on VLAN 305 in the outbound direction, and inspection is active on it.
To display all of the flow information, use the detail keyword.
If a VACL is configured on the port before configuring CBAC, the status displayed is INACTIVE;
otherwise, it is ACTIVE. If PFC resources are exhausted, the command displays the word "BRIDGE"
followed by the number of currently active NetFlow requests that failed and have been sent to the
MSFC2 for processing.
78-14099-04
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
Configuring the Cisco IOS Firewall Feature Set
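As an added example that is not from the guide, this Python parser reads show fm insp output and flags the two conditions described above: INACTIVE (a VACL was configured on the port before CBAC) and BRIDGE (PFC resources exhausted, with the failed NetFlow requests sent to the MSFC2). The sample output is constructed from the VLAN 305 example plus two invented ACL entries for VLAN 200; the spacing of the BRIDGE line, and the layout of entries beyond what the page shows, are assumptions.

```python
import re

# Constructed 'show fm insp' output modelled on the example in this section.
# The VLAN 200 entries and the exact layout of the BRIDGE line (the word
# followed by the failed-request count) are assumptions, not a capture.
SAMPLE_OUTPUT = """\
 interface:Vlan305(in) status :ACTIVE
   acl name:deny
   interfaces:
     Vlan305(out):status ACTIVE
   acl name:deny_ftp_c
   interfaces:
     Vlan200(in):status INACTIVE
   acl name:deny_ftp_d
   interfaces:
     Vlan200(out):status BRIDGE 7
"""

# One entry: optional 'interface:' prefix, interface name, direction, status,
# and an optional count that only accompanies BRIDGE.
ENTRY_RE = re.compile(
    r"(?:interface:)?([A-Za-z]+[\w/.-]*\d)\((in|out)\)\s*:?\s*status\s*:?\s*"
    r"(ACTIVE|INACTIVE|BRIDGE)(?:\s+(\d+))?"
)
ACL_RE = re.compile(r"acl name:\s*(\S+)")


def parse_show_fm_insp(text):
    """Return one dict per entry: interface, direction, acl (None for a
    bare inspected interface with no ACL), status, and the bridged count."""
    records = []
    current_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            current_acl = None          # inspection entry without an ACL
        m = ACL_RE.match(line)
        if m:
            current_acl = m.group(1)    # following entries belong to this ACL
            continue
        m = ENTRY_RE.search(line)
        if m:
            iface, direction, status, count = m.groups()
            records.append({
                "interface": iface,
                "direction": direction,
                "acl": current_acl,
                "status": status,
                "bridged": int(count) if count else 0,
            })
    return records


def findings(text):
    """Human-readable warnings for the two conditions the guide describes."""
    out = []
    for r in parse_show_fm_insp(text):
        where = f"{r['interface']}({r['direction']})"
        if r["acl"]:
            where += f" acl {r['acl']}"
        if r["status"] == "INACTIVE":
            out.append(f"{where}: INACTIVE - a VACL was configured before CBAC, "
                       "so CBAC is not applied on this port")
        elif r["status"] == "BRIDGE":
            out.append(f"{where}: BRIDGE - PFC resources exhausted, "
                       f"{r['bridged']} failed NetFlow requests sent to the MSFC2")
    return out


if __name__ == "__main__":
    for warning in findings(SAMPLE_OUTPUT):
        print(warning)
```

A BRIDGE count is worth alerting on even though the traffic still flows: the flows that failed to install in the PFC are being handled in software on the MSFC2, so the switch is no longer enforcing those sessions in hardware.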
