[c-nsp] ip inspect router-traffic
Lukasz Bromirski
lukasz at bromirski.net
Mon Dec 29 19:34:55 EST 2025
Marco,

> On 29 Dec 2025, at 11:51, Marco Moock via cisco-nsp <cisco-nsp at puck.nether.net> wrote:
>
> On 28.12.2025 16:34 Lukasz Bromirski wrote:
>
>> a) no, if it’s not there, it’s not supported in this code and I don’t
>> believe it ever was; the last IOS on these boxes was built in
>> November 2020
>
> Ok, did that then include inspection of router-traffic or was that
> never supported?

I'm not authoritative for this, my limited internal search turned up
nothing and the command reference doesn't seem to show this as an option
either. So I'd guess the answer is "not".

> I am thinking about moving to the zones, but as the other answers were,
> it does not give me any benefit except that it is the "supported" way
> on current platforms.

Actually, it does. ZBFW has a dedicated "self" zone that can be used
to control traffic to and from the router itself:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

--
Łukasz Bromirski | "There's no sense in being precise when you don’t
infosec.exchange/@mr0vka | know what you're talking about.” John von Neumann