[c-nsp] Cisco CBAC one stateful rule on an interface bypasses rules on other interfaces
Lukasz Bromirski
lukasz at bromirski.net
Sat Dec 13 13:31:41 EST 2025
Marco,
> On 12 Dec 2025, at 21:10, Marco Moock via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
>
> On 11.12.2025 at 11:24:51 Lukasz Bromirski wrote:
>
>> First of all, you should move to ZBFW from CBAC, CBAC is deprecated.
>
> Is the behavior there different?
Yes, unfortunately (IMHO). With ZBFW you'll be closer to your idea with ACLs that
you'll have to include to pass the traffic because inspection by default doesn't open
everything. Best way to avoid doing that is to apply different policy-pairs between
the same interfaces in both directions, but this quickly becomes complex.
--
Łukasz Bromirski
CCIE R&S/SP #15929, CCDE #2012::17, PGP Key ID: 0xFD077F6A
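An added illustration of the per-direction zone-pair approach described above (example configuration, not from the original post or from Cisco documentation); interface names, zone names, the ACL name and the management host address are assumptions.

```cisco
! Two zones; traffic between zones is dropped until a zone-pair policy permits it
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE
!
! Direction 1: INSIDE -> OUTSIDE, stateful inspection of outbound sessions
class-map type inspect match-any CM-IN-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-IN-TO-OUT
  inspect
 class class-default
  drop log
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! Direction 2: OUTSIDE -> INSIDE, a separate policy. Return traffic of inspected
! sessions is already allowed by the state table; only new inbound sessions that
! match the ACL are opened here, everything else is dropped.
ip access-list extended ACL-OUT-TO-IN-ALLOWED
 permit tcp any host 192.0.2.10 eq 22
class-map type inspect match-all CM-OUT-TO-IN
 match access-group name ACL-OUT-TO-IN-ALLOWED
 match protocol tcp
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-OUT-TO-IN
  inspect
 class class-default
  drop log
zone-pair security ZP-OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
```

Each zone-pair carries its own policy, so opening INSIDE -> OUTSIDE does not implicitly open OUTSIDE -> INSIDE; `show policy-map type inspect zone-pair sessions` lists the sessions each policy has admitted.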