Transparent Cisco IOS Firewall

Problem

You want to use a router as a Layer 2 Firewall.

Solution

To enable a transparent Firewall, start by enabling Integrated Routing and Bridging (IRB) between to interfaces:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#bridge 1 protocol ieee
Router1(config)#interface FastEthernet0/0
Router1(config-if)#bridge-group 1
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#bridge-group 1
Router1(config-if)#exit
Router1(config)#bridge irb
Router1(config)#bridge 1 route ip
Router1(config)#interface BVI1
Router1(config-if)#ip address 172.25.1.101 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#end
Router1#

Next, you have to configure the Firewall inspection rules and ACLs:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip inspect name OREILLY tcp
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip inspect OREILLY in
Router1(config-if)#exit
Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23
Router1(config)#access-list 111 permit ip any any
Router1(config)#access-list 112 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 111 in
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip access-group 112 in
Router1(config-if)#end
Router1#

Discussion

Beginning with IOS Version 12.3(7)T, Cisco introduced the concept of an IOS-based Layer 2 or transparent ...

Get Cisco IOS Cookbook, 2nd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.