VRF-aware CBAC provides scalability and low-cost integration without the need for separate firewall devices for each VPN network. In effect, a single physical router running multiple virtual routing instances (emulating multiple routers) can now run multiple virtual IOS Firewalls in a single device.

This feature was introduced in IOS Version 12.3(14)T.
Inspection of Router-Generated Traffic
The Cisco IOS Firewall feature is enhanced to support inspection of traffic that is originated by or destined to the CBAC-configured device itself. Inspection of router-generated traffic augments CBAC functionality to inspect TCP, UDP, and H.323 connections that have the firewall as one of the connection endpoints. CBAC dynamically opens temporary holes for TCP, UDP, and H.323 control channel connections to and from the router, and for the data and media channels negotiated over the H.323 control channels. For example, CBAC can be configured to inspect a Telnet session initiated from the CBAC-enabled router to a device in the unprotected zone, allowing the return traffic dynamically without an explicit permit entry in the access list.

To enable the Router-Generated Traffic inspection feature, use the router-traffic keyword in the ip inspect name command when configuring CBAC inspection rules.
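The following configuration is an added example, not taken from the book or from Cisco documentation, that ties the two features above together: an inspection rule carrying the router-traffic keyword is applied on an outside interface that belongs to a VRF, so the VRF-aware IOS Firewall inspects both transit traffic and sessions the router itself originates. The VRF name, interface, addresses and ACL name are assumed for illustration.

```cisco
! Added example configuration; VRF "CUST-A", interface, addresses and ACL
! name are assumed, not from the original page.
!
! Inspection rule. The router-traffic keyword (12.3(14)T and later)
! extends inspection to sessions that the router originates or terminates.
ip inspect name FW-OUT tcp router-traffic
ip inspect name FW-OUT udp router-traffic
ip inspect name FW-OUT h323 router-traffic
!
! Inbound ACL on the unprotected interface permits nothing statically;
! CBAC inserts temporary entries for the return traffic of inspected
! sessions, so no explicit permit for Telnet replies is needed.
ip access-list extended OUTSIDE-IN
 deny ip any any log
!
! The outside interface lives in a VRF, so the inspection state created
! here belongs to that VPN only (VRF-aware CBAC).
ip vrf CUST-A
 rd 65000:1
!
interface GigabitEthernet0/1
 description Unprotected (outside) link for VPN CUST-A
 ip vrf forwarding CUST-A
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
!
! Verification (exec mode): a Telnet sourced from the router inside the
! VRF should appear as a CBAC session, and its replies should be accepted
! even though OUTSIDE-IN denies everything.
! Router# telnet 203.0.113.50 /vrf CUST-A
! Router# show ip inspect sessions
```

Without the router-traffic keyword the same rule inspects only transit traffic; the Telnet from the router would still go out, but its replies would be dropped by OUTSIDE-IN and logged, which is the symptom to look for when this feature is missing from a CBAC rule.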