Common Problems and Resolutions

This section addresses some commonly asked questions and points of confusion regarding CBAC in a question-and-answer format.


Is load balancing possible with CBAC?


Yes, if the load balancing takes place within the same router, but be sure to apply the same ACL to both interfaces that participate in load-balancing the traffic.


With which features does the Cisco IOS Firewall not interoperate?


The Cisco IOS Firewall does not interoperate with the following features: TCP intercept; asymmetric routing, where ingress and egress are two different routers; and load balancing, where ingress and egress are two different routers.

Layer 4 and Layer 7 inspection of fragmented packets is not supported.

The Cisco IOS Firewall operation with Server Load Balancing (SLB) has not been tested.


Does CBAC work with a standard ACL in the opposite direction of the CBAC inspection rule?


No. Because the ACE in the ACL is created based on 5-tuples, which are based on Layer 4 information, you must have an extended ACL configured so that CBAC can create the ACE.
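
The following configuration sketch is an added example, not taken from the original text. It illustrates both the extended-ACL requirement above and the earlier advice to apply the same ACL on both load-balancing interfaces of one router. The interface names, addresses, rule name FWRULE and ACL number 101 are assumptions chosen for illustration.

```cisco
! Constructed example: FWRULE, ACL 101, interface names and all
! addresses are assumptions, not values from the original text.
!
! Inspection rule: CBAC tracks outbound sessions for these protocols.
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
! Extended ACL (numbered 100-199) for the return direction.
! CBAC adds temporary permit entries to it for each inspected session,
! keyed on protocol, source/destination address and source/destination port.
! A standard ACL (numbered 1-99) matches on source address only,
! so it cannot carry those entries.
access-list 101 deny ip any any
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
!
! Both outside links share traffic on the same router, so both get
! the same extended ACL inbound and the same inspection rule outbound.
interface Serial0/0
 description Outside link 1
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
!
interface Serial0/1
 description Outside link 2
 ip address 198.51.100.1 255.255.255.252
 ip access-group 101 in
 ip inspect FWRULE out
```

With traffic flowing, show ip inspect sessions lists the sessions CBAC is tracking, and show ip access-lists 101 displays the ACL as currently applied.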


Does Cisco IOS Firewall work with fast switching?


Yes, the firewall works with all high-performance switching modes that the platform supports, including Cisco Express Forwarding (CEF), flow, fast and process switching modes.


Does the firewall work with Channelized T1 by applying distinct policies to different channel groups?


Yes. The same is true when distinct policies are applied to different Frame Relay subinterfaces.


Can non-IP protocols be routed while using Cisco IOS Firewall?


Yes, other protocols such as Internetwork Packet Exchange (IPX) and AppleTalk can function alongside the firewall technology, but the firewall will not inspect associated traffic.

