As discussed earlier, a dynamic ACL entry is derived from the connection information held in the session table, and that session-table entry is what validates the session as legitimate. Checking the packet against the inbound and outbound ACL entries as well is therefore redundant, and the extra checks can be eliminated to save CPU cycles. With the Firewall ACL Bypass enhancement, a packet belonging to an established session undergoes only one search (the session table lookup) on its processing path through the router. Figure 5-6 shows how this works. The primary benefit of this feature is that packet throughput improves by approximately 10%.
Figure 5-6. Firewall ACL Bypass: Order of Packet Processing
Because firewall ACL bypass is performed by default, you configure CBAC inspection as normal. The feature is transparent to the user, and no additional commands are required to enable or disable it.
This feature was introduced in IOS Version 12.3(4)T.
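The packet path of Figure 5-6 modelled as an added example (not code from the book or from IOS): the session table is searched first, a hit bypasses the ACL, and only packets with no session reach the ACL search. It assumes a simplified deployment with a single inbound ACL on the outside interface, CBAC inspecting outbound TCP, and constructed sample traffic; the addresses and ports are made up.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str  # "in" = arriving on the outside interface, "out" = leaving toward it

@dataclass
class Firewall:
    inspect_protos: set                  # protocols CBAC inspects on outbound traffic
    inbound_acl: list                    # (src, dst, proto, dport, action); "any" is a wildcard
    sessions: set = field(default_factory=set)
    acl_checks: int = 0                  # how many packets actually hit the ACL search

    def _acl_permits(self, pkt):
        self.acl_checks += 1
        for src, dst, proto, dport, action in self.inbound_acl:
            fields = ((src, pkt.src), (dst, pkt.dst), (proto, pkt.proto), (dport, pkt.dport))
            if all(rule in ("any", value) for rule, value in fields):
                return action == "permit"
        return False                     # implicit deny at the end of the ACL

    def process(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Step 1: session table first. A hit means CBAC already validated the flow, so the ACL is bypassed.
        if key in self.sessions or reverse in self.sessions:
            return "permit (session table, ACL bypassed)"
        # Step 2: no session. Inbound packets must pass the interface ACL.
        if pkt.direction == "in":
            return "permit (ACL)" if self._acl_permits(pkt) else "deny (ACL)"
        # Outbound packets of an inspected protocol create the session entry that admits the return traffic.
        if pkt.proto in self.inspect_protos:
            self.sessions.add(key)
        return "permit (outbound)"

def demo():
    """Constructed traffic: one outbound HTTP request, three return packets, one unsolicited inbound SSH attempt."""
    fw = Firewall(inspect_protos={"tcp"},
                  inbound_acl=[("any", "10.0.0.5", "tcp", 443, "permit")])
    decisions = [fw.process(Packet("10.0.0.7", "203.0.113.9", "tcp", 40001, 80, "out"))]
    for _ in range(3):
        decisions.append(fw.process(Packet("203.0.113.9", "10.0.0.7", "tcp", 80, 40001, "in")))
    decisions.append(fw.process(Packet("198.51.100.4", "10.0.0.7", "tcp", 5555, 22, "in")))
    return decisions, fw.acl_checks   # only the unsolicited packet triggers an ACL search
```

Calling `demo()` shows the three return packets admitted by the session table alone and a single ACL search, performed for the packet that no session could vouch for.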
Transparent IOS Firewall (Layer 2)
The transparent IOS Firewall feature (also known as Layer 2 firewall) acts as a Layer 2 transparent bridge with CBAC
inspection configured on the Bridged Virtual Interface (BVI).