IOS firewall or router?

Aug 7th, 2008


I have a perimeter router cluster with an ASA cluster and another firewall cluster protecting my corporate network.

I'm hardening my perimeter at the moment, but I was toying with the idea of using the perimeter routers in Classic IOS firewall mode rather than as routers with ACLs.

Has anyone any views/experience of this?

I know I should be well enough protected, but I think the Classic IOS would provide better manageability of the routers, as config would be replicated across an IOS cluster rather than having to configure 2 HSRP routers.

Thanks to anyone taking the time to read or reply to this.

All views greatly appreciated.

Farrukh Haroon Thu, 08/07/2008 - 04:29

I would highly recommend it as long as there are no performance delays. Go for a testing phase before the final implementation. Stateless ACLs can be a pain to maintain.



mulhollandm Thu, 08/07/2008 - 04:34


Are you recommending the classic firewall?

Thanks for your reply.

Farrukh Haroon Thu, 08/07/2008 - 05:18

Classical Firewall (CBAC) is still better than ACLs. However, most new features/inspections will be released for the Zone-based Firewall only. As per Cisco: "Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features."

Have a look at this document for a comparison and hardware support:

Especially Tables 1 and 2



