09-21-2011 09:56 AM - edited 03-04-2019 01:41 PM
Hi all
I am planning to implement CBAC in a Cisco 3745. Is there any special hardware to be installed? Also, will there be any performance issues with the CBAC installed?
Mukundh
09-21-2011 02:44 PM
Mukundh
There is no specific hardware needed to run CBAC. You just need a feature set that has CBAC included.
As for performance, CBAC is performed in software, so yes, it can have a significant impact on performance. If your router is already running quite high then it might not be a good idea to use it. If your router is not particularly heavily utilised at the moment then you should be safe to try it, but you need to monitor your router performance once you have enabled it.
Jon
09-21-2011 02:54 PM
Thanks Jon.
Can you suggest a good router model which is known for performing well with CBAC?
Mukundh
09-21-2011 02:59 PM
Mukundh
Your 3745 may well perform okay with CBAC. It's not that the 3745 is a bad router for it. It purely depends on what resources the router is already running.
You should be fine with the 3745 as long as the router is not already heavily utilised. So I would give it a go with the 3745, just keep an eye on performance once you have enabled it.
Jon
09-26-2011 09:02 AM
Thanks Jon
Apart from 3745s, we are planning to implement on 2650s also. Most of 2650s have either 256 MB or 128 MB of DRAM. Plus they do crypto IPSEC with 20 other sites. Is it ok to use a 2650 in this case?
Mukundh
09-28-2011 02:53 PM
Hi Jon
I have a weird problem after implementing CBAC. The IPSEC traffic works for a while and it drops.
I have the following inspect command
ip inspect name Internet-Traffic tcp
ip inspect name Internet-Traffic udp
ip inspect name Internet-Traffic isakmp
interface FastEthernet0/0
 ip inspect Internet-Traffic in
int ser0/0
 ip access-group ACL-Policy-Outside-In in
ip access-list extended ACL-Policy-Outside-In
 permit icmp 208.86.100.0 0.0.0.63 host 65.127.248.134
 permit tcp 208.86.100.0 0.0.0.255 host 65.127.248.134 eq telnet
 permit tcp host 208.86.100.42 host 65.127.248.134 eq telnet
 permit ip host 208.68.0.198 host 65.127.248.134
 permit esp any any
 permit tcp any any eq 443
 permit udp any any eq 443
 permit udp any eq isakmp any eq isakmp
Whenever the IPSEC drops I just apply the "permit ip any any" on the ACL and it works. It works for some time after I remove it and then it drops. Any ideas as to why this happens?
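An added example, not part of the original posts: a small Python model of the static ACL-Policy-Outside-In list above, using first-match and implicit-deny semantics, to check which inbound packets its entries admit on their own. It does not model the temporary openings CBAC adds for inspected sessions; the helper names and the test packets used with it are constructed for illustration.

```python
from ipaddress import IPv4Address as IP

# The ACL as posted in the thread (ACL-Policy-Outside-In), copied verbatim.
ACL = """\
permit icmp 208.86.100.0 0.0.0.63 host 65.127.248.134
permit tcp 208.86.100.0 0.0.0.255 host 65.127.248.134 eq telnet
permit tcp host 208.86.100.42 host 65.127.248.134 eq telnet
permit ip host 208.68.0.198 host 65.127.248.134
permit esp any any
permit tcp any any eq 443
permit udp any any eq 443
permit udp any eq isakmp any eq isakmp
"""
PORTS = {"telnet": 23, "isakmp": 500}  # IOS port keywords used in this ACL

def _endpoint(tok):
    # Consume "any" | "host A" | "A WILDCARD", then an optional "eq PORT".
    first = tok.pop(0)
    if first == "any":
        addr, wild = 0, 0xFFFFFFFF
    elif first == "host":
        addr, wild = int(IP(tok.pop(0))), 0
    else:
        addr, wild = int(IP(first)), int(IP(tok.pop(0)))
    port = None
    if tok and tok[0] == "eq":
        _, name = tok.pop(0), tok.pop(0)
        port = PORTS.get(name) or int(name)
    return addr, wild, port

def parse(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        rules.append((action, proto, _endpoint(tok), _endpoint(tok)))
    return rules

def _hit(ep, ip, port):
    addr, wild, want = ep
    # Wildcard-mask bits set to 1 are "don't care" bits.
    return (int(IP(ip)) | wild) == (addr | wild) and want in (None, port)

def evaluate(rules, proto, src, dst, sport=None, dport=None):
    # First match wins; an extended ACL ends with an implicit deny.
    for n, (action, rproto, s, d) in enumerate(rules, 1):
        if rproto in ("ip", proto) and _hit(s, src, sport) and _hit(d, dst, dport):
            return action, n
    return "deny", None
```

`evaluate(parse(ACL), "udp", src, dst, sport, dport)` returns the action and the 1-based entry number that matched, or `("deny", None)` when the packet falls through to the implicit deny.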