We are looking at upgrading from Cisco 3845s to 3945s, as the 3945 is still in support for the duration that we need to keep it around.
One reason for going with the 3945 vs something like an ISR or ISR is ease of migrating the configs.
We have a number of ACLs and inspection statements (including reflexive ACLs) that are in place on the 3845 right now using the classic IOS/CBAC syntax as opposed to zone based FW.
I'm finding some conflicting information on the 3945s and would like to validate that the current ACL/inspect statements in the CBAC syntax will transfer over to the 3945s on a supported code release.
Right now, we have ACLs on the 3845s that use the classic CBAC syntax as shown below:

ip access-list extended inlist
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 permit icmp any any
 permit udp any eq domain any gt 1023
 ...
 evaluate tmplist
 deny ip any any log-input

ip access-list extended outlist
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 permit icmp any any
 permit udp any eq domain any gt 1023
 permit udp any any eq domain
 permit tcp any x.x.x.x 0.0.0.255 eq domain
 ...
 permit tcp x.x.x.x 0.0.0.255 any reflect tmplist
 deny ip any any log-input

and inspection policies that look like this:

ip inspect alert-off
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 1000
ip inspect name PUBLIC_OUT fragment maximum 256 timeout 5
ip inspect name PUBLIC_OUT ftp
ip inspect name PUBLIC_OUT icmp
ip inspect name PUBLIC_OUT smtp
ip inspect name PUBLIC_OUT tcp
ip inspect name PUBLIC_OUT udp
And then those policies are applied to their respective interfaces.
Will the 3945 with a supported code release, and/or the latest code release, allow the above CBAC syntax to transfer over from our 3845s? It was my understanding that the newer ISR and ASR series routers only supported the zone-based firewall, and in the interest of ease of portability, and given that we only need these devices around for a year or two, I wanted to instead purchase 3945s as they are adequately spec'd for our circuits, and my hope was to be able to transfer over the CBAC/inspection config exactly as it is now.
However, I can't fully understand if supported code releases on the 3945 support this older CBAC style or if it's all ZBFW now.
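Added example, not part of the original post: the outbound policy above rendered in zone-based firewall syntax, which is what a migration would look like if the target release only offers ZBFW. Zone, class-map, policy-map and interface names are assumptions; the x.x.x.x ranges are the post's own placeholders; inbound-initiated flows (the tcp/udp domain permits in inlist) would need a second zone-pair in the OUTSIDE to INSIDE direction, which is not shown.

```cisco
! Assumed zone and interface names (not from the post)
zone security INSIDE
zone security OUTSIDE
!
! Global inspection tuning: ZBFW counterpart of
! "ip inspect alert-off" and "ip inspect max-incomplete high/low"
parameter-map type inspect global
 alert off
 max-incomplete high 1000
 max-incomplete low 1000
!
! Protocols to inspect: same list as "ip inspect name PUBLIC_OUT ..."
class-map type inspect match-any PUBLIC_OUT_PROTOS
 match protocol ftp
 match protocol icmp
 match protocol smtp
 match protocol tcp
 match protocol udp
!
! Explicit blocks from the outlist "deny ... log-input" lines.
! Note the ACL uses permit: match access-group matches what the ACL
! permits, and the policy-map class then drops it.
ip access-list extended OUT_BLOCK
 permit ip x.x.x.x 0.0.0.255 any
 ! remaining blocked x.x.x.x ranges from the post go here
class-map type inspect match-all OUT_BLOCK_CLASS
 match access-group name OUT_BLOCK
!
! Stateful inspection admits return traffic by session state, which
! replaces the reflexive "reflect tmplist" / "evaluate tmplist" pair
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect OUT_BLOCK_CLASS
  drop log
 class type inspect PUBLIC_OUT_PROTOS
  inspect
 class class-default
  drop log
!
zone-pair security IN_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```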