Chapter 23 Configuring Network Security
Configuring the Cisco IOS Firewall Feature Set
Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM).
Firewall Configuration Guidelines and Restrictions
Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:
Restrictions
•On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series routers, you must enter the mls ip inspect commands to permit traffic through any ACLs that would deny the traffic through other ports. See the “Configuring CBAC on Cisco 7600 Series Routers” section on page
•With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive ACLs are processed in software on the MSFC2.
•CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but not in the same subnet (VLAN) or on the same interface.
Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is configured to select traffic for the IDSM.
Guidelines
•To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.
•To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.
•You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.
•QoS and CBAC do not interact or interfere with each other.
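The restriction on CBAC and VACLs sharing a VLAN and the two protocol guidelines above are easy to violate in a large running-config. The following script is an added example, not part of this guide or of Cisco IOS: it parses a constructed IOS configuration fragment and reports an inspection rule that enables h323 without tcp, a rule that enables http inspection, and a VLAN interface that runs ip inspect while the same VLAN appears in a vlan filter vlan-list (the VACL mapping command). The config text, rule names and VLAN numbers are constructed for the example; the vlan filter syntax is assumed from IOS and is not quoted from this page.

```python
"""Audit a Cisco IOS running-config fragment against the CBAC guidelines above.

The config text below is constructed for this example. Checks implemented:
  1. An inspection rule that enables h323 must also enable tcp (NetMeeting).
  2. http inspection (used to block Java) is flagged as a performance concern.
  3. A VLAN interface running CBAC (ip inspect) must not also be covered by
     a VACL (vlan filter ... vlan-list): the two are incompatible per VLAN.
"""
import re
from collections import defaultdict

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ip inspect name nm_insp h323
ip inspect name nm_insp tcp
ip inspect name web_insp tcp
ip inspect name web_insp http java-list 51
ip inspect name voice_insp h323
!
vlan access-map IDS_MAP 10
 action forward capture
vlan filter IDS_MAP vlan-list 200,300-301
!
interface Vlan100
 ip inspect nm_insp in
!
interface Vlan200
 ip inspect web_insp in
!
interface Vlan300
 ip inspect voice_insp in
"""


def expand_vlan_list(spec):
    """Expand an IOS vlan-list such as '200,300-301' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        vlans.update(range(int(lo), int(hi) + 1))
    return vlans


def parse_config(text):
    """Collect inspection rules, VACL-covered VLANs and CBAC interfaces."""
    rules = defaultdict(set)   # inspection rule name -> enabled protocols
    vacl_vlans = set()         # VLAN ids covered by a vlan filter
    cbac_ifaces = {}           # interface name -> inspection rule applied
    current_if = None
    for line in text.splitlines():
        m = re.match(r"ip inspect name (\S+) (\S+)", line)
        if m:
            rules[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"vlan filter \S+ vlan-list (\S+)", line)
        if m:
            vacl_vlans |= expand_vlan_list(m.group(1))
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current_if = m.group(1)
            continue
        # Interface sub-commands are indented, so they never collide
        # with the global 'ip inspect name' lines matched above.
        m = re.match(r"\s+ip inspect (\S+) (in|out)", line)
        if m and current_if:
            cbac_ifaces[current_if] = m.group(1)
    return rules, vacl_vlans, cbac_ifaces


def audit(text):
    """Return a list of human-readable findings for the config text."""
    rules, vacl_vlans, cbac_ifaces = parse_config(text)
    findings = []
    for name, protos in sorted(rules.items()):
        if "h323" in protos and "tcp" not in protos:
            findings.append(f"rule {name}: h323 without tcp (NetMeeting needs both)")
        if "http" in protos:
            findings.append(f"rule {name}: http inspection enabled (performance impact)")
    for iface, rule in sorted(cbac_ifaces.items()):
        m = re.fullmatch(r"Vlan(\d+)", iface)
        if m and int(m.group(1)) in vacl_vlans:
            findings.append(f"{iface}: CBAC rule {rule} and a VACL on the same VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports voice_insp (h323 only), web_insp (http inspection), and the VACL overlap on Vlan200 and Vlan300; nm_insp on Vlan100 passes every check. Feed it the output of show running-config to audit a real device.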
Configuring CBAC on Cisco 7600 Series Routers
You need to do additional CBAC configuration on the Cisco 7600 series routers. On a network device other than a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits traffic to flow bidirectionally through the port if it is configured with the ip inspect command. The same behavior applies to any other port that the traffic needs to go through, as shown in this example:
Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
 ip inspect permit_ftp in
 ip
 ip

Cisco 7600 Series Router Cisco IOS Software Configuration