05-19-2009 02:07 AM - edited 03-04-2019 04:48 AM
Hi, I want to confirm one thing. Is a firewall module mandatory to enable CBAC?
05-19-2009 02:39 AM
Depends what you mean by "firewall module". On software-based routers, you'll need an IOS that includes the firewall feature set. On something like the 6500, I believe you'll need the FWSM (firewall service module - hardware).
05-19-2009 03:08 AM
It is fine with 6500 switch having fwsm module. What about 3600/2800 router where I have not purchased any Firewall module .. Can I configure CBAC ?
05-19-2009 03:23 AM
"What about 3600/2800 router where I have not purchased any Firewall module .. Can I configure CBAC ?"
If the IOS supports the firewall feature set (and CBAC), yes.
05-19-2009 04:18 AM
One more question, on failover with the 6500 FWSM module. Failover VLAN should be created on the local switch.
"failover lan interface FAILOVER vlan 995
failover link STATEFUL vlan 996".
I am not seeing any vlan 995/996 on local switch ?
05-19-2009 09:24 AM
Hello Rupesh,
These VLANs 995 and 996 need to exist only at layer 2 on the chassis supervisor.
They are L2 trunked to the internal 6 GE EtherChannel between the chassis and the FWSM.
You should use a dedicated physical GE link in VLAN 995 between the two chassis
and another GE link for VLAN 996 between the two chassis.
Avoid having VLANs 995 and 996 carried on the generic L2 trunk between the chassis (which would be preferred by STP if it is 10GE or a bundle of multiple GE), or modify the STP costs for each VLAN so that it is not preferred.
Hope to help
Giuseppe
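The supervisor-side setup described in the answer above, as an added example that is not part of the original thread. The VLAN names, VLAN-group number 10, module slot 3 and all interface names are assumptions to adapt to your chassis; the same configuration is repeated on the second chassis.

```cisco
! Added example, not from the original thread.
! Assumed values: VLAN names, vlan-group 10, FWSM in slot 3, Gi1/1, Gi1/2, Te2/1.

! 1. Create the failover VLANs at layer 2 only (no SVI, no IP address).
vlan 995
 name FWSM-FAILOVER
vlan 996
 name FWSM-STATEFUL

! 2. Hand both VLANs to the FWSM over its internal EtherChannel.
!    Data VLANs already assigned to the module stay in their own group.
firewall vlan-group 10 995,996
firewall module 3 vlan-group 10

! 3. Dedicated physical GE link between the two chassis for VLAN 995.
interface GigabitEthernet1/1
 description FWSM failover LAN to peer chassis
 switchport
 switchport mode access
 switchport access vlan 995
 no shutdown

! 4. Second dedicated GE link between the two chassis for VLAN 996.
interface GigabitEthernet1/2
 description FWSM stateful link to peer chassis
 switchport
 switchport mode access
 switchport access vlan 996
 no shutdown

! 5. Keep the failover VLANs off the generic inter-chassis trunk so STP
!    cannot prefer it over the dedicated links.
interface TenGigabitEthernet2/1
 description Generic L2 trunk to peer chassis
 switchport trunk allowed vlan remove 995,996

! Verification from the supervisor:
!   show vlan id 995
!   show vlan id 996
!   show firewall vlan-group
!   show firewall module
```

If the failover VLANs must remain on the generic trunk, the alternative from the answer is to raise their per-VLAN STP cost on that trunk (for example with `spanning-tree vlan 995 cost <value>` under the trunk interface) so the dedicated links stay preferred.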