
CBAC in Cisco 3745

mukundh86
Level 1

Hi all

I am planning to implement CBAC in a Cisco 3745. Is there any special hardware to be installed? Also, will there be any performance issues with CBAC installed?

Mukundh


Jon Marshall
Hall of Fame

Mukundh

There is no specific hardware needed to run CBAC. You just need a feature set that has CBAC included.

As for performance, CBAC is performed in software, so yes, it can have a significant impact on performance. If your router is already running quite high then it might not be a good idea to use it. If your router is not particularly heavily utilised at the moment then you should be safe to try it, but you need to monitor your router performance once you have enabled it.

Jon

Thanks Jon.

Can you suggest a good router model which is known for performing well with CBAC?

Mukundh

Mukundh

Your 3745 may well perform okay with CBAC. It's not that the 3745 is a bad router for it. It purely depends on what resources the router is already running.

You should be fine with the 3745 as long as the router is not already heavily utilised. So I would give it a go with the 3745, just keep an eye on performance once you have enabled it.

Jon

Thanks Jon

Apart from 3745s, we are planning to implement it on 2650s as well. Most of the 2650s have either 256 MB or 128 MB of DRAM. Plus they do crypto IPSEC with 20 other sites. Is it OK to use a 2650 in this case?

Mukundh

Hi Jon

I have a weird problem after implementing CBAC. The IPSEC traffic works for a while and then it drops.

I have the following inspect commands:

ip inspect name Internet-Traffic tcp
ip inspect name Internet-Traffic udp
ip inspect name Internet-Traffic isakmp

interface FastEthernet0/0
 ip inspect Internet-Traffic in

int ser0/0
 ip access-group ACL-Policy-Outside-In in

ip access-list extended ACL-Policy-Outside-In
 permit icmp 208.86.100.0 0.0.0.63 host 65.127.248.134
 permit tcp 208.86.100.0 0.0.0.255 host 65.127.248.134 eq telnet
 permit tcp host 208.86.100.42 host 65.127.248.134 eq telnet
 permit ip host 208.68.0.198 host 65.127.248.134
 permit esp any any
 permit tcp any any eq 443
 permit udp any any eq 443
 permit udp any eq isakmp any eq isakmp

Whenever the IPSEC drops, I just apply "permit ip any any" on the ACL and it works. It works for some time after I remove it and then it drops. Any ideas as to why this happens?
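Added example, not part of the thread and not Cisco code: a first-match evaluation of the static entries of ACL-Policy-Outside-In as posted above, showing which IPsec-related packets the ACL itself admits inbound on the outside interface. The peer address 198.51.100.10 and the sample packets are constructed for illustration; the implicit deny at the end of the list is standard IOS ACL behaviour.

```python
import ipaddress

# ACL-Policy-Outside-In, entries copied from the post above.
ACL = """\
permit icmp 208.86.100.0 0.0.0.63 host 65.127.248.134
permit tcp 208.86.100.0 0.0.0.255 host 65.127.248.134 eq telnet
permit tcp host 208.86.100.42 host 65.127.248.134 eq telnet
permit ip host 208.68.0.198 host 65.127.248.134
permit esp any any
permit tcp any any eq 443
permit udp any any eq 443
permit udp any eq isakmp any eq isakmp
"""
PORTS = {"telnet": 23, "isakmp": 500}  # only the port names used above

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tok.pop(0)), 0
    return _ip(first), _ip(tok.pop(0))

def _port(tok):
    """Consume an optional 'eq PORT'; None means any port."""
    if tok[:1] == ["eq"]:
        name = tok[1]
        del tok[:2]
        return PORTS.get(name) or int(name)
    return None

def _hit(addr, rule):
    base, wild = rule  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | wild) == (base | wild)

def evaluate(proto, src, dst, sport=None, dport=None):
    """Return (action, matching entry); the first matching entry wins."""
    for line in ACL.splitlines():
        tok = line.split()
        action, rproto = tok.pop(0), tok.pop(0)
        rsrc, rsport = _addr(tok), _port(tok)
        rdst, rdport = _addr(tok), _port(tok)
        if rproto in ("ip", proto) and _hit(src, rsrc) and _hit(dst, rdst) \
                and rsport in (None, sport) and rdport in (None, dport):
            return action, line
    return "deny", "implicit deny"  # nothing matched: end-of-list deny
```

Only the static entries are modelled; the temporary return entries that CBAC adds for inspected sessions are not.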
