Cisco Systems 7600 SERIES manual Firewall Configuration Guidelines and Restrictions, 23-6

Page 6

Chapter 23 Configuring Network Security

Configuring the Cisco IOS Firewall Feature Set

Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.

Firewall Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:

Restrictions

On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series routers, you must enter the mls ip inspect commands to permit traffic through any ACLs that would deny the traffic through other ports. See the “Configuring CBAC on Cisco 7600 Series Routers” section on page 23-6.

With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive ACLs are processed in software on the MSFC2.

CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but not in the same subnet (VLAN) or on the same interface.

Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is configured to select traffic for the IDSM.

Guidelines

To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.

To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.

You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.

QoS and CBAC do not interact or interfere with each other.

Configuring CBAC on Cisco 7600 Series Routers

Cisco 7600 series routers require additional CBAC configuration. On a network device other than a Cisco 7600 series router, when a port is configured with an ACL that denies traffic, CBAC permits the inspected traffic to flow bidirectionally through that port if the port is also configured with the ip inspect command. The same behavior applies to any other port that the traffic needs to go through, as shown in this example:

Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
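The two restrictions stated earlier on this page (an ACL on an inspected interface needs a matching mls ip inspect entry on the Cisco 7600, and CBAC must not share a VLAN with a VACL) can be checked mechanically against a saved running-config. The following Python audit script is an added example and is not part of the manual; it assumes the global mls ip inspect acl_name form and the vlan filter map_name vlan-list list form for applying VACLs, and the configuration it parses is constructed.

```python
# Constructed sample running-config (not from the manual): Vlan100 breaks both rules, Vlan200 neither.
SAMPLE_CONFIG = """\
vlan filter ids_map vlan-list 100,300-302
mls ip inspect deny_ftp_a
interface Vlan100
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
interface Vlan200
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
"""

def expand_vlan_list(spec):
    """Expand a vlan-list such as '100,300-302' into {100, 300, 301, 302}."""
    return {v for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def parse_config(text):
    # Returns per-interface CBAC/ACL data, ACLs named by mls ip inspect, and VACL-filtered VLAN ids.
    interfaces, current, mls_acls, vacl_vlans = {}, None, set(), set()
    for line in text.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split()[1], {"inspect": [], "acls": []})
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if words[:2] == ["ip", "inspect"]:
                current["inspect"].append(words[2])
            elif words[:2] == ["ip", "access-group"]:
                current["acls"].append(words[2])
        else:
            current = None
            if line.startswith("mls ip inspect "):   # assumed form: mls ip inspect acl_name
                mls_acls.add(line.split()[3])
            elif line.startswith("vlan filter "):    # vlan filter map_name vlan-list list
                vacl_vlans |= expand_vlan_list(line.split()[-1])
    return interfaces, mls_acls, vacl_vlans

def audit_cbac(text):
    # One finding per ACL on an inspected interface lacking mls ip inspect, one per CBAC/VACL VLAN clash.
    interfaces, mls_acls, vacl_vlans = parse_config(text)
    findings = []
    for name, data in interfaces.items():
        if data["inspect"]:                        # only CBAC-enabled interfaces need checking
            for acl in data["acls"]:
                if acl not in mls_acls:            # this ACL would still deny the inspected traffic
                    findings.append(f"{name}: ACL {acl} has no matching 'mls ip inspect {acl}'")
            if name.startswith("Vlan") and int(name[4:]) in vacl_vlans:
                findings.append(f"{name}: CBAC and a VACL are both applied to VLAN {name[4:]}")
    return findings
```

Run audit_cbac over the output of show running-config; an empty list means neither restriction is violated.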


Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
23-6
78-14064-04
