This section addresses some commonly asked questions and points of confusion regarding CBAC in a question-and-answer format.
1
Is load balancing possible with CBAC?
Answer:
Yes, if it is in the same router, but be sure to apply the same ACL on both interfaces that participate in load-balancing the traffic.
2
With which features does the Cisco IOS Firewall not interoperate?
Answer:
The Cisco IOS Firewall does not interoperate with the following features: TCP intercept; asymmetric routing, where ingress and egress are two different routers; and load balancing, where ingress and egress are two different routers.
Layer 4 and Layer 7 inspection of fragmented packets is not supported.
The Cisco IOS Firewall operation with Server Load Balancing (SLB) has not been tested.
3
Does CBAC work with a standard ACL in the opposite direction of the CBAC inspection rule?
Answer:
No. CBAC creates the ACEs in the ACL based on 5-tuples, which rely on Layer 4 information, so you must have an extended ACL configured for CBAC to be able to create the ACEs.
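The arrangement described in this answer, as an added configuration sketch that is not from the original text. The rule name FWOUT, ACL number 101 and interface name are assumptions chosen for illustration.

```cisco
! Constructed example: FWOUT, ACL 101 and FastEthernet0/1 are assumed names.
!
! Inspection rule: track TCP and UDP sessions initiated from the inside.
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
!
! Extended ACL for the return direction. For each inspected session CBAC
! places a temporary permit entry ahead of this deny, matched on protocol,
! source and destination address, and source and destination port.
access-list 101 deny ip any any
!
interface FastEthernet0/1
 description outside (untrusted) interface - assumed name
 ! Inspect sessions leaving through this interface.
 ip inspect FWOUT out
 ! Filter the opposite (return) direction with the extended ACL.
 ip access-group 101 in
!
! A standard ACL (numbers 1-99) matches on source address only, so it has
! no protocol or port fields to hold a per-session entry. Shown commented
! out as the form that does not work here:
! access-list 10 deny any
! interface FastEthernet0/1
!  ip access-group 10 in
```

While an inspected session is active, `show ip inspect sessions` lists it and `show access-lists 101` displays the ACL that filters the return traffic.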
4
Does Cisco IOS Firewall work with fast switching?
Answer:
Yes, the firewall works with all high-performance switching modes that the platform supports, including Cisco Express Forwarding (CEF), flow, fast and process switching modes.
5
Does the firewall work with Channelized T1 by applying distinct policies to different channel groups?
Answer:
Yes. The same is true when distinct policies are applied to different Frame Relay subinterfaces.
6
Can non-IP protocols be routed while using Cisco IOS Firewall?
Answer:
Yes, other protocols such as Internetwork Packet Exchange (IPX) and AppleTalk can function alongside the firewall technology, but the firewall will not inspect associated traffic.