44-2
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 44 Configuring the Cisco IOS Firewall Feature Set
Cisco IOS Firewall Guidelines and Restrictions
http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/fsecur_r.html
The following features are supported with and without the use of a Cisco IOS firewall image:
• Standard access lists and static extended access lists
• Lock-and-key (dynamic access lists)
• IP session filtering (reflexive access lists)
• TCP intercept
• Security server support
• Network address translation
• Neighbor router authentication
• Event logging
• User authentication and authorization
Note Cisco 7600 series routers support the Intrusion Detection System Module (IDSM) (WS-X6381-IDS). Cisco 7600 series routers do not support the Cisco IOS firewall IDS feature, which is configured with the ip audit command.
Cisco IOS Firewall Guidelines and Restrictions
When configuring the Cisco IOS firewall features, follow these guidelines and restrictions:
• On other platforms, if you enter the ip inspect command on a port, CBAC modifies ACLs on other ports to permit the inspected traffic to flow through the network device. On Cisco 7600 series routers, hardware-switched ACLs are not modified this way: you must enter the mls ip inspect command to permit inspected traffic through any ACLs that would otherwise deny it on other ports. Refer to the “Additional CBAC Configuration” section on page 44-3 for more information.
• Reflexive ACLs and CBAC have conflicting flow mask requirements. Reflexive ACLs are processed in software on the MSFC.
• CBAC is incompatible with VACLs. You can configure CBAC and VACLs on the same router, but not in the same subnet (VLAN).
Note The Intrusion Detection System Module (IDSM) uses VACLs to select traffic. To use the IDSM in a subnet where CBAC is configured, enter the mls ip ids acl_name interface command, where acl_name is an ACL configured to select traffic for the IDSM.
• To inspect Microsoft NetMeeting (2.0 or greater) traffic, turn on both h323 and tcp inspection.
• To inspect web traffic, turn on tcp inspection. Turning on http inspection to block Java reduces performance; do not enable it unless you need Java blocking.
• QoS and CBAC do not interact or interfere with each other.
• You can configure CBAC on physical ports configured as Layer 3 interfaces and on VLAN interfaces.
• You cannot configure VACLs and CBAC on the same interface.
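The following configuration is an added example, not text from the Cisco guide, that puts the guidelines above together: tcp and h323 inspection (enough for NetMeeting and web traffic, with http/Java inspection deliberately left off), the inspection rule applied to a VLAN interface, a deny-by-default ACL on a Layer 3 outside port, and the platform-specific mls ip inspect step so that inspected return traffic is not dropped by that ACL in hardware. Interface names, addresses, and the rule and ACL names INSIDE-FW and OUTSIDE-IN are hypothetical; the argument to mls ip inspect is assumed, per the guideline above and page 44-3, to be the name of the ACL that would otherwise deny the traffic.

```cisco
! Added example (not from the original guide). Names and addresses are
! hypothetical; adjust them to your topology.
!
! Inspection rule. tcp inspection covers web traffic; h323 and tcp together
! are both required for Microsoft NetMeeting 2.0 or later. http inspection
! (Java blocking) is left off because it reduces performance on this platform.
ip inspect name INSIDE-FW tcp
ip inspect name INSIDE-FW h323
!
! Outside ACL: deny by default. On other platforms CBAC would open temporary
! holes in this ACL for inspected sessions; on the Cisco 7600 it does not.
ip access-list extended OUTSIDE-IN
 remark Constructed example ACL: only inspected return traffic should get in
 deny ip any any log
!
! Inside VLAN interface. CBAC is applied here (VLAN interfaces are supported);
! do not also apply a VACL (vlan filter) to this VLAN, since CBAC and VACLs
! cannot share a subnet. If the IDSM must see this VLAN, use the
! "mls ip ids <acl_name>" interface command instead of a VACL.
interface Vlan10
 description Inside (trusted) hosts
 ip address 10.10.10.1 255.255.255.0
 ip inspect INSIDE-FW in
!
! Outside port configured as a Layer 3 interface (CBAC/ACLs are not applied
! to Layer 2 switch ports).
interface GigabitEthernet1/1
 description Outside
 no switchport
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Cisco 7600-specific step: permit the inspected sessions through OUTSIDE-IN,
! which would otherwise deny the return traffic on the outside port.
mls ip inspect OUTSIDE-IN
```

To verify, check that the rule is attached where you expect with show ip inspect config, then open an outbound web or NetMeeting session from an inside host and confirm it appears in show ip inspect sessions; if the session is created but the return traffic is still dropped (the deny-with-log entry in OUTSIDE-IN fires), the mls ip inspect step is missing or names the wrong ACL.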