[c-nsp] Reflexive ACLs or CBAC on 6500 (Tassos Chatzithomaoglou)

Brian Stiff (bstiff) bstiff at cisco.com
Sun Jan 27 00:07:53 EST 2008


Hi Tassos-

While YMMV, the IOS Firewall product management team has been
discouraging use of IOS Firewall Inspection (CBAC) on the Cat6K for some
time.  For whatever reason, I can't locate the IOSFW EoL page, but
please have a look at a link from last year:

http://puck.nether.net/pipermail/cisco-nsp/2007-June/041176.html

You may find that Classic FW is entirely adequate for your application.
However, in the event that it works badly (as Roland pointed out that it
may), there won't be much recourse for a resolution.  ASA is Cisco's
best option for inspection with a Cat 6K.

Regards,
Brian



Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw
 

> Date: Fri, 25 Jan 2008 12:19:20 +0200
> From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
> 
> Has anyone real world experience of using these 2 features 
> (Reflexive ACLs or CBAC) on 6500 with
> MSFC2 (SUP2) or MSFC3 (SUP720)?
> 
> If I understand right (according to the documentation) both 
> are processed in software in the MSFC, so that's going to 
> hurt a little.
> 
> Are there any hidden limitations?
> Does MSFC3 perform better than MSFC2?
> Should we prefer one instead of the other?
> Can we use both at the same time?
> 
> We're already using FWSM on our main 6500s, but we have some 
> "spare" 6500s (for test servers mainly) and we'd like to 
> implement something "better" (and easier to maintain) than 
> simple ACLs.
> 
> --
> Tassos
> 
> 

