Chapter 23 Configuring Network Security

Configuring the Cisco IOS Firewall Feature Set

Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.

Firewall Configuration Guidelines and Restrictions

Follow these guidelines and restrictions when configuring the Cisco IOS firewall features:

Restrictions

On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series routers, you must enter the mls ip inspect commands to permit traffic through any ACLs that would deny the traffic through other ports. See the “Configuring CBAC on Cisco 7600 Series Routers” section on page 23-6.

With Supervisor Engine 2 and PFC2, reflexive ACLs and CBAC have conflicting flow mask requirements. When you configure CBAC on a switch with Supervisor Engine 2 and PFC2, reflexive ACLs are processed in software on the MSFC2.

CBAC is incompatible with VACLs. You can configure both CBAC and VACLs on the switch but not in the same subnet (VLAN) or on the same interface.

Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is configured to select traffic for the IDSM.

Guidelines

To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.

To inspect web traffic, turn on tcp inspection. To avoid reduced performance, do not turn on http inspection to block Java.

You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.

QoS and CBAC do not interact or interfere with each other.

Configuring CBAC on Cisco 7600 Series Routers

Cisco 7600 series routers require additional CBAC configuration. On a network device other than a Cisco 7600 series router, when ports are configured to deny traffic, CBAC permits the inspected traffic to flow bidirectionally through a port configured with the ip inspect command. The same behavior applies to any other port that the traffic needs to go through, as shown in this example:

Router(config)# ip inspect name permit_ftp ftp
Router(config)# interface vlan 100
Router(config-if)# ip inspect permit_ftp in
Router(config-if)# ip access-group deny_ftp_a in
Router(config-if)# ip access-group deny_ftp_b out
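On a Cisco 7600 the interface configuration above is not enough on its own, because the ACLs applied to the port are enforced in hardware and would still drop the inspected FTP sessions. The following added example (not from the configuration guide) shows the same inspection rule together with constructed ACL bodies, the constructed server address 10.1.100.20, and the additional mls ip inspect statements the guide calls for; the acl_name argument form of mls ip inspect is an assumption, mirroring the mls ip ids acl_name form noted in the restrictions above.

```cisco
! Added example, not from the configuration guide. ACL bodies and the
! server address 10.1.100.20 are constructed for illustration.
!
! Inbound ACL: admit only the FTP control connection to the server;
! everything else is denied unless CBAC opens it dynamically.
ip access-list extended deny_ftp_a
 permit tcp any host 10.1.100.20 eq ftp
 deny   ip any any
!
! Outbound ACL: deny FTP replies from the server unless CBAC has
! created a dynamic entry for an inspected session.
ip access-list extended deny_ftp_b
 deny   tcp any eq ftp any
 permit ip any any
!
! CBAC inspection rule for FTP, as in the guide's example.
ip inspect name permit_ftp ftp
!
interface vlan 100
 ip inspect permit_ftp in
 ip access-group deny_ftp_a in
 ip access-group deny_ftp_b out
!
! Cisco 7600 only: let inspected traffic pass the ACLs that would
! otherwise deny it. Assumption: the command takes the ACL name.
mls ip inspect deny_ftp_a
mls ip inspect deny_ftp_b
!
! Standard CBAC verification commands:
!   show ip inspect config      (confirms the permit_ftp rule)
!   show ip inspect sessions    (shows sessions CBAC has opened)
```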
Cisco 7600 Series Router Cisco IOS Software Configuration Guide—12.1E
23-6
78-14064-04