New Member

IOS firewall or router?

Folks,

I have a perimeter router cluster with an ASA cluster and another firewall cluster protecting my corporate network.

I'm hardening my perimeter at the moment, but I was toying with the idea of using the perimeter routers in Classic IOS Firewall mode rather than as routers with ACLs.

Does anyone have any views on or experience of this?

I know I should be well enough protected, but I think the Classic IOS Firewall would provide better manageability of the routers, as config would be replicated across an IOS cluster rather than having to configure 2 HSRP routers.

Thanks to anyone taking the time to read or reply to this.

All views greatly appreciated.

  • Firewalling
3 REPLIES

Re: IOS firewall or router?

I would highly recommend it, as long as there are no performance delays. Go for a testing phase before the final implementation. Stateless ACLs can be a pain to maintain.

Regards

Farrukh

New Member

Re: IOS firewall or router?

Farrukh,

Are you recommending the Classic Firewall?

Thanks for your reply.

Re: IOS firewall or router?

Classical Firewall (CBAC) is still better than ACLs. However, most new features/inspections will be released for the Zone-based Firewall only. As per Cisco: "Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features."

Have a look at this document for a comparison and hardware support:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.pdf

Especially Tables 1 and 2.

Regards

Farrukh
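
The contrast the replies draw between stateless ACLs and Classic Firewall (CBAC), as an added configuration sketch that is not part of the original thread. The interface name, ACL names and inspection rule name are assumptions, and the sketch assumes only inside-initiated traffic needs return paths.

```cisco
! Added example: all names below are assumed for illustration.
!
! --- Option A: stateless ACL ---------------------------------------
! Return traffic has to be permitted by hand, one protocol at a time.
! "established" only checks the ACK/RST bits, and the UDP lines accept
! any packet with the matching source port, solicited or not.
ip access-list extended OUTSIDE-IN-STATELESS
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq ntp any
 permit icmp any any echo-reply
 deny   ip any any log
!
! --- Option B: Classic Firewall (CBAC) -----------------------------
! The inspection rule tracks sessions leaving the outside interface
! and opens temporary entries in the inbound ACL for their replies,
! so the static inbound ACL can stay at "deny everything".
ip inspect name PERIMETER-FW tcp
ip inspect name PERIMETER-FW udp
ip inspect name PERIMETER-FW icmp
!
ip access-list extended OUTSIDE-IN-CBAC
 ! Add explicit permits here for anything that must reach the router
 ! itself or published services (for example routing protocol peers).
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Outside (assumed interface)
 ip access-group OUTSIDE-IN-CBAC in
 ip inspect PERIMETER-FW out
```

With Option B applied, `show ip inspect sessions` lists the tracked connections, which is a quick way to confirm during the testing phase that return traffic is being matched by state rather than by a static permit.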
