[nsp] CBAC, recommended IOS release anyone?

From: Robert E. Seastrom (rs@seastrom.com)
Date: Mon Mar 11 2002 - 13:22:03 EST


I've been experimenting with the Context-Based Access Control feature,
but a degenerately simple configuration doesn't seem to want to work
properly for me. I grabbed a 7204 out of the junk room and (more or
less randomly) selected c7200-io3s-mz.121-12 as what I was going to
run on it. A simple inspect rule:

ip inspect name foo tcp
ip inspect name foo udp
ip inspect name foo ftp

with access-group:

access-list 105 deny ip host 255.255.255.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any any time-exceeded
access-list 105 permit icmp any any packet-too-big
access-list 105 permit icmp any any traceroute
access-list 105 permit icmp any any unreachable

when applied thus:

interface FastEthernet0/0
 ...
 ...
 ip access-group 105 in
 ip inspect foo out

works for about half a minute (sessions show up in "show ip inspect
sessions") and then gives up; can't create new sessions and old ones
go dead. I suppose I could be doing something wrong (and any hints
based on what I show above would be greatly appreciated), but in the
interests of eliminating the possibility that a bug of some sort is
making the (very simple) configuration that I'm trying to put in place
misbehave, could someone offer a recommendation of an IOS version to
run for CBAC?

Thanks,

                                        ---Rob
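The interaction between `ip inspect foo out` and `ip access-group 105 in` from the post, modelled as a small Python simulation (an added example written for this archive page, not IOS code and not the poster's own): outbound TCP/UDP packets open inspection sessions, inbound packets that match an open session are admitted even though the static ACL only lists ICMP types, and sessions lapse once idle. The `Packet`/`Inspector` names and the idle-timeout values are assumptions of this model.

```python
"""Toy model of CBAC behaviour for the posted configuration (added example)."""
from dataclasses import dataclass

# Assumed idle timers, in seconds, per inspected protocol.
IDLE_TIMEOUT = {"tcp": 3600, "udp": 30}

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: str = ""

def acl_105_permits(pkt: Packet) -> bool:
    """Static inbound ACL 105 from the post: only the listed ICMP types pass."""
    if pkt.src == "255.255.255.255":
        return False
    allowed = {"echo-reply", "time-exceeded", "packet-too-big",
               "traceroute", "unreachable"}
    return pkt.proto == "icmp" and pkt.icmp_type in allowed

class Inspector:
    """Sessions created by inspection of outbound traffic on the interface."""
    def __init__(self) -> None:
        self.sessions: dict[tuple, float] = {}  # 5-tuple -> last activity

    def outbound(self, pkt: Packet, now: float) -> None:
        # Only protocols named in the inspect rule (tcp, udp) open sessions.
        if pkt.proto in IDLE_TIMEOUT:
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def inbound(self, pkt: Packet, now: float) -> bool:
        """True if the inbound packet is admitted, False if dropped."""
        self._expire(now)
        # Return traffic is the reverse of the outbound 5-tuple.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = now   # activity refreshes the idle timer
            return True
        return acl_105_permits(pkt)    # otherwise the static ACL decides

    def _expire(self, now: float) -> None:
        for key in list(self.sessions):
            if now - self.sessions[key] > IDLE_TIMEOUT[key[0]]:
                del self.sessions[key]
```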
