12-14-2013 12:08 PM - edited 03-11-2019 08:17 PM
I am just getting into my CCNA Security and am learning the differences between ZBF and CBAC and I know there are definately beneifts of this. My company currently uses CBAC implementation on their branch routers probably only because the majority of them have an older IOS that doesn't support ZBF. My question is what kind of overhead is used in comaprison from CBAC to ZBF?
I am going through one of our newer routers that I am using as a guinea pig and as I am going through the configuration, I would think that using implemeting ZBF is going to cost more in overhead that it does with a CBAC. I am not too concerned about this with our newer sites because they are all running 2901's and have a pretty good CPU in them currently. What I am concerned about is if I were to upgrade the IOS in our other routers, which are 1841's, that the CPU may not like the ZBF implementation.
any thoughts on this would be wonderful!
Thanks in advance.
Solved! Go to Solution.
12-14-2013 09:18 PM
Hello Jason,
Being a Ex-Cisco Security Tac Engineer that loved to handle IOS FW issues I can ensure ZBFW is the way to go.
Way more flexible in policy configuration, tshoot, etc ,etc.
Regarding the CPU ZBFW is not a feature that will take the performance of your router down like the IOS IPS is well known to do
I would actually recommend you to read and investigate about the benefits of one over the other bud.
As long as you can run 12.4(6)T you will be fne.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-14-2013 09:18 PM
Hello Jason,
Being a Ex-Cisco Security Tac Engineer that loved to handle IOS FW issues I can ensure ZBFW is the way to go.
Way more flexible in policy configuration, tshoot, etc ,etc.
Regarding the CPU ZBFW is not a feature that will take the performance of your router down like the IOS IPS is well known to do
I would actually recommend you to read and investigate about the benefits of one over the other bud.
As long as you can run 12.4(6)T you will be fne.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-17-2013 07:16 AM
Julio,
Thanks for the insight. I am actually going through working on a configuration as we speak and am already running into a couple of dufferent issues that I will probably post in a different post.
Thanks for the help,
12-17-2013 09:20 AM
Hello Jason,
Glad to know that I could help,
Let me know when you open the discussions so I can help, You can mark this question as answered.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: