We are looking at upgrading from Cisco 3845s to 3945s, as the 3945 is still in support for the duration that we need to keep it around.
One reason for going with the 3945 vs. something like an ISR or ASR is ease of migrating the configs.
We have a number of ACLs and inspection statements (including reflexive ACLs) that are in place on the 3845 right now using the classic IOS/CBAC syntax as opposed to zone based FW.
I'm finding some conflicting information on the 3945s and would like to validate that the current ACL/inspect statements in the CBAC syntax will transfer over to the 3945s on a supported code release.
Right now, we have ACLs on the 3845s that use the classic CBAC syntax as shown below:

ip access-list extended inlist
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 permit icmp any any
 permit udp any eq domain any gt 1023
 ...
 evaluate tmplist
 deny ip any any log-input

ip access-list extended outlist
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 deny ip x.x.x.x 0.0.0.255 any log-input
 permit icmp any any
 permit udp any eq domain any gt 1023
 permit udp any any eq domain
 permit tcp any x.x.x.x 0.0.0.255 eq domain
 ...
 permit tcp x.x.x.x 0.0.0.255 any reflect tmplist
 deny ip any any log-input
and inspection policies that look like this:

ip inspect alert-off
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 1000
ip inspect name PUBLIC_OUT fragment maximum 256 timeout 5
ip inspect name PUBLIC_OUT ftp
ip inspect name PUBLIC_OUT icmp
ip inspect name PUBLIC_OUT smtp
ip inspect name PUBLIC_OUT tcp
ip inspect name PUBLIC_OUT udp
And then those policies are applied to their respective interfaces.
Will the 3945 with a supported code release, and/or the latest code release, allow the above CBAC syntax to transfer over from our 3845s? It was my understanding that the newer ISR and ASR series routers only supported the zone-based firewall, and in the interest of ease of portability, and given that we only need these devices around for a year or two, I wanted to instead purchase 3945s as they are adequately spec'd for our circuits, and my hope was to be able to transfer over the CBAC/inspection config exactly as it is now.
However, I can't fully understand if supported code releases on the 3945 support this older CBAC style or if it's all ZBFW now.
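For reference, here is an added example (not part of the original post and not taken from any Cisco document) of how the CBAC policy above maps onto zone-based firewall syntax, in case the target code release turns out to support only ZBFW. The interface names, zone names, the ACL names BLOCKED_NETS and INBOUND_DNS, and the parameter-map name are assumptions; the x.x.x.x placeholders are kept from the post, and the CBAC fragment statement is left out rather than guessed at.

```cisco
! Assumed zone and interface layout (not from the original post)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN side (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description circuit side (assumed)
 zone-member security OUTSIDE
!
! The three 'deny ... log-input' lines from inlist/outlist become one
! ACL that a drop class matches; 'permit' here means "match this net".
ip access-list extended BLOCKED_NETS
 permit ip x.x.x.x 0.0.0.255 any
 permit ip x.x.x.x 0.0.0.255 any
 permit ip x.x.x.x 0.0.0.255 any
!
! Inbound connections that outlist allowed without relying on state
ip access-list extended INBOUND_DNS
 permit udp any any eq domain
 permit tcp any x.x.x.x 0.0.0.255 eq domain
!
! Global 'ip inspect' tunables move into a parameter-map
parameter-map type inspect PUBLIC_OUT_PARAMS
 alert off
 max-incomplete low 1000
 max-incomplete high 1000
!
! 'ip inspect name PUBLIC_OUT <proto>' lines become match statements
class-map type inspect match-any PUBLIC_OUT_PROTOCOLS
 match protocol ftp
 match protocol icmp
 match protocol smtp
 match protocol tcp
 match protocol udp
!
class-map type inspect match-all BLOCKED
 match access-group name BLOCKED_NETS
!
class-map type inspect match-all INBOUND_DNS_CLASS
 match access-group name INBOUND_DNS
!
! Inside -> outside: drop the blocked nets, stateful inspect the rest,
! log-and-drop everything else (the old 'deny ip any any log-input')
policy-map type inspect INSIDE_TO_OUTSIDE
 class type inspect BLOCKED
  drop log
 class type inspect PUBLIC_OUT_PROTOCOLS
  inspect PUBLIC_OUT_PARAMS
 class class-default
  drop log
!
! Outside -> inside: only the explicitly allowed inbound DNS; return
! traffic for inspected sessions is pinholed automatically
policy-map type inspect OUTSIDE_TO_INSIDE
 class type inspect BLOCKED
  drop log
 class type inspect INBOUND_DNS_CLASS
  inspect PUBLIC_OUT_PARAMS
 class class-default
  drop log
!
zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE_TO_OUTSIDE
!
zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE_TO_INSIDE
```

Two things a practitioner should check after a conversion like this: the stateful `inspect` action replaces the `reflect`/`evaluate` pair of the reflexive ACL, so there is no separate counterpart to `tmplist`, and the pinholes can be confirmed with `show policy-map type inspect zone-pair sessions`; and traffic to or from the router itself (the `self` zone) is not covered by the two zone-pairs above and keeps its default behaviour until a zone-pair involving `self` is defined.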