Cisco Systems 7600 SERIES Firewall Configuration Guidelines and Restrictions, Configuring CBAC on Cisco 7600 Series Routers

23-6

Cisco7600 Series Router Cisco IOS Software Configuration Guide—12.1E

78-14064-04

Chapter23 Con figuring Network Security

Configuring the Cisco IOS Firewall Feature Set

Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS).

Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with

the ip audit command.

Firewall Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:

•On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other

ports to permit the inspected traffic to flow through the network device. On Cisco7600 series

routers, you must enter the mls ip inspect commands to permit traffic through any ACLs that would

deny the traffic through other ports. See the “Configuring CBAC on Cisco 7600 Series Routers”

section on page 23-6.

•With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask

requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive

ACLs are processed in software on the MSFC2.

•CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but

not in the same subnet (VLAN) or on the same interface.

Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the

IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface

command, where acl_name is configured to select traffic for the IDSM.

•To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.

•To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http

inspection to block Java.

•You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN

interfaces.

•QoS and CBAC do not interact or interfere with each other.

Configuring CBAC on Cisco 7600 Series Routers

You need to do additional CBAC configuration on the Cisco 7600 series routers. On a network device

other than a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits traffic to

flow bidirectionally through the port if it is configured with the ip inspect command. The same behavior

applies to any other port that the traffic needs to go through, as shown in this example:

Router(config)# ip inspect name permit_ftp ftp

Router(config)# interface vlan 100

Router(config-if)# ip inspect permit_ftp in

Router(config-if)# ip access-group deny_ftp_a in

Router(config-if)# ip access-group deny_ftp_b out