[c-nsp] Reflexive ACLs or CBAC on 6500

Tassos Chatzithomaoglou achatz at forthnet.gr
Mon Jan 28 11:03:54 EST 2008


Thanks Brian & Roland,

I guess I'll stick with the ACLs then.

Imho, cisco should put out a warning when configuring these features.

Regards,
Tassos

Brian Stiff (bstiff) wrote on 27/1/2008 7:07 AM:
> Hi Tassos-
> 
> While YMMV, the IOS Firewall product management team has been
> discouraging use of IOS Firewall Inspection (CBAC) on the Cat6K for some
> time.  For whatever reason, I can't locate the IOSFW EoL page, but
> please have a look at a link from last year:
> 
> http://puck.nether.net/pipermail/cisco-nsp/2007-June/041176.html
> 
> You may find that Classic FW is entirely adequate for your application.
> However, in the event that it works badly (as Roland pointed out that it
> may), there won't be much recourse for a resolution.  ASA is Cisco's
> best option for inspection with a Cat 6K.
> 
> Regards,
> Brian
> 
> 
> 
> Brian Stiff
> 720.562.6462
> IOS Firewall
> Technical Marketing Eng.
> Security Technology Group
> http://www.cisco.com/go/iosfw
>  
> 
>> Date: Fri, 25 Jan 2008 12:19:20 +0200
>> From: Tassos Chatzithomaoglou <achatz at forthnet.gr>
>>
>> Has anyone real-world experience of using these 2 features 
>> (Reflexive ACLs or CBAC) on 6500 with
>> MSFC2 (SUP2) or MSFC3 (SUP720)?
>>
>> If I understand right (according to the documentation) both 
>> are processed in software in the MSFC, so that's going to 
>> hurt a little.
>>
>> Are there any hidden limitations?
>> Does MSFC3 perform better than MSFC2?
>> Should we prefer one instead of the other?
>> Can we use both at the same time?
>>
>> We're already using FWSM on our main 6500s, but we have some 
>> "spare" 6500s (for test servers mainly) and we'd like to 
>> implement something "better" (and easier to maintain) than 
>> simple ACLs.
>>
>> --
>> Tassos
>>
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
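For readers who want to see what the two features under discussion actually look like, here is an added illustration of the reflexive-ACL and CBAC configurations side by side. It is not part of the original thread or any Cisco document; the interface name (Vlan200 as the outside-facing SVI), ACL names, inspect rule name and timeouts are all assumptions chosen for the example. Both approaches keep state in the MSFC, which is the software-path concern the thread raises.

```cisco
! ===== Variant 1: Reflexive ACLs (hypothetical names) =====
! Outbound sessions create temporary reflected entries; the
! inbound ACL "evaluate"s them so only return traffic is allowed.
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect RTCP timeout 300
 permit udp any any reflect RUDP timeout 60
 permit icmp any any reflect RICMP
!
ip access-list extended INBOUND-REFLECT
 evaluate RTCP
 evaluate RUDP
 evaluate RICMP
 deny ip any any log
!
interface Vlan200
 description assumed outside-facing SVI
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-REFLECT in
!
! ===== Variant 2: CBAC / IOS Firewall inspection (hypothetical names) =====
! Inspection on egress punches temporary holes in the inbound ACL
! for return traffic; the inbound ACL itself stays a plain deny.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
ip access-list extended INBOUND-CBAC
 deny ip any any log
!
interface Vlan200
 description assumed outside-facing SVI
 ip inspect FW-INSPECT out
 ip access-group INBOUND-CBAC in
```

Useful checks once either variant is in place: "show ip access-lists" lists the dynamic reflexive entries under the reflected list names, and "show ip inspect sessions" lists the sessions CBAC is tracking. The "deny ip any any log" lines exist so that unsolicited inbound traffic is visible in the logs rather than silently dropped; if log volume becomes a problem on a busy box, drop the "log" keyword.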

