Using Context-Based Access-Lists
You want to use your router as a firewall and perform advanced, stateful filtering.
The following example shows how to configure the router to perform stateful inspection of TCP or UDP packets:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 166 deny ip any any
Router1(config)#access-list 167 permit tcp any any eq telnet
Router1(config)#ip inspect name
Router1(config-if)#ip access-group 166 in
Router1(config-if)#ip access-group 167 out
Router1(config-if)#
Cisco's IOS Firewall feature set must be installed on the router before you can configure Context-Based Access-Lists.
Context-Based Access Control (CBAC) has been available as part of the IOS Firewall feature set since 11.2(P). CBAC does a stateful inspection of TCP and UDP packets to manage sessions as they pass through the router. It uses this state information to dynamically modify existing extended ACLs to control the active sessions. CBAC can also monitor and manage sessions based on application type and can identify, terminate, or log suspicious activity.
CBAC provides much greater security than a regular filtering ACL because it uses features similar to those found in dedicated Firewalls. In fact, the IOS Firewall feature set, including CBAC, makes an excellent firewall for small ...
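To make the stateful behaviour concrete, here is an added Python model (not from the Cookbook and not Cisco code) of what inspection does with the two ACLs above: ACL 166 denies all inbound traffic, ACL 167 permits only outbound telnet, and every inspected outbound session opens a temporary reverse entry that lets the return traffic in until an assumed idle timeout expires.

```python
TELNET = 23


class CbacModel:
    """Toy model of one interface with ACL 166 in, ACL 167 out, and CBAC inspection.

    The static ACLs never change; inspection keeps a session table that stands in
    for the dynamic entries CBAC adds in front of the inbound ACL.
    """

    def __init__(self, idle_timeout=3600.0):
        # idle_timeout is an assumed value; real CBAC timers are set separately.
        self.idle_timeout = idle_timeout
        self.inspected = {"tcp", "udp"}
        self.sessions = {}  # (proto, src, sport, dst, dport) -> last seen time

    def acl_167_out(self, pkt):
        # access-list 167 permit tcp any any eq telnet (implicit deny for all else)
        return pkt["proto"] == "tcp" and pkt["dport"] == TELNET

    def outbound(self, pkt, now):
        if not self.acl_167_out(pkt):
            return "deny (acl 167)"
        if pkt["proto"] in self.inspected:
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.sessions[key] = now  # inspection records the outbound session
        return "permit"

    def inbound(self, pkt, now):
        # access-list 166 deny ip any any: only a dynamic entry created by
        # inspection of the matching outbound session lets return traffic in.
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        seen = self.sessions.get(key)
        if seen is None:
            return "deny (acl 166)"
        if now - seen > self.idle_timeout:
            del self.sessions[key]
            return "deny (session expired)"
        self.sessions[key] = now
        return "permit (dynamic entry)"


def demo():
    # Constructed packets: an inside host telnets to an outside server.
    fw = CbacModel()
    out = {"proto": "tcp", "src": "10.1.1.5", "sport": 40000, "dst": "192.0.2.10", "dport": 23}
    back = {"proto": "tcp", "src": "192.0.2.10", "sport": 23, "dst": "10.1.1.5", "dport": 40000}
    stray = {"proto": "tcp", "src": "192.0.2.10", "sport": 23, "dst": "10.1.1.5", "dport": 40001}
    dns = {"proto": "udp", "src": "10.1.1.5", "sport": 5353, "dst": "192.0.2.53", "dport": 53}
    return [fw.inbound(back, 0), fw.outbound(out, 0), fw.inbound(back, 1),
            fw.inbound(stray, 1), fw.outbound(dns, 1), fw.inbound(back, 5000)]
```

The reply packet is dropped by ACL 166 until the inside host opens the session, and again once the session has been idle longer than the timeout.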
Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.