08-07-2008 04:01 AM - edited 03-11-2019 06:27 AM
folks
I have a perimeter router cluster with an ASA cluster and another firewall cluster protecting my corporate network.
I'm hardening my perimeter at the moment, but I was toying with the idea of using the perimeter routers in Classic IOS Firewall mode rather than as routers with ACLs.
Has anyone any views/experience of this?
I know I should be well enough protected, but I think the Classic IOS would provide better manageability of the routers, as config would be replicated across an IOS cluster rather than having to configure 2 HSRP routers.
thanks to anyone taking the time to read or reply to this
all views greatly appreciated
08-07-2008 04:29 AM
I would highly recommend as long as there are no performance delays. Go for a testing phase before the final implementation. Stateless ACLs can be a pain to maintain.
Regards
Farrukh
08-07-2008 04:34 AM
Farrukh,
Are you recommending the classic firewall?
Thanks for your reply.
08-07-2008 05:18 AM
Classical Firewall (CBAC) is still better than ACLs. However, most new features/inspections will be released for the Zone-based Firewall only. As per Cisco: "Cisco IOS Software Classic Firewall will continue to be maintained for the foreseeable future, but will not be significantly enhanced with new features."
Have a look at this document for a comparison and hardware support:
Especially Tables 1 and 2.
Regards
Farrukh