[c-nsp] Reflexive ACLs or CBAC on 6500
Tassos Chatzithomaoglou
achatz at forthnet.gr
Mon Jan 28 11:03:54 EST 2008
Thanks Brian & Roland,
I guess I'll stick with the ACLs then.
IMHO, Cisco should put out a warning when configuring these features.
Regards,
Tassos
Brian Stiff (bstiff) wrote on 27/1/2008 7:07 AM:
> Hi Tassos-
>
> While YMMV, the IOS Firewall product management team has been
> discouraging use of IOS Firewall Inspection (CBAC) on the Cat6K for some
> time. For whatever reason, I can't locate the IOSFW EoL page, but
> please have a look at a link from last year:
>
> http://puck.nether.net/pipermail/cisco-nsp/2007-June/041176.html
>
> You may find that Classic FW is entirely adequate for your application.
> However, in the event that it works badly (as Roland pointed out that it
> may), there won't be much recourse for a resolution. ASA is Cisco's
> best option for inspection with a Cat 6K.
>
> Regards,
> Brian
>
>
>
> Brian Stiff
> 720.562.6462
> IOS Firewall
> Technical Marketing Eng.
> Security Technology Group
> http://www.cisco.com/go/iosfw
>
>
>> Date: Fri, 25 Jan 2008 12:19:20 +0200
>> From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
>>
>> Has anyone real world experience of using these 2 features
>> (Reflexive ACLs or CBAC) on 6500 with
>> MSFC2 (SUP2) or MSFC3 (SUP720)?
>>
>> If I understand right (according to the documentation) both
>> are processed in software in the MSFC, so that's going to
>> hurt a little.
>>
>> Are there any hidden limitations?
>> Does MSFC3 perform better than MSFC2?
>> Should we prefer one instead of the other?
>> Can we use both at the same time?
>>
>> We're already using FWSM on our main 6500s, but we have some
>> "spare" 6500s (for test servers mainly) and we'd like to
>> implement something "better" (and easier to maintain) than
>> simple ACLs.
>>
>> --
>> Tassos
>>
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>