Question : Traffic problems on Cisco edge router with BGP and CBAC.
Hello,
Looking in Google for some hints related to CBAC - BGP interference, I found in EXE:

> What you have to be careful of on the edge routers is any stateful configurations like CBAC or other IOS Firewall features i.e. ip-inspect, and be very careful in your access-lists...

I am stuck in apparently the same type of problem: a Cisco 3662 with CBAC (ip inspect..., including ip inspect name... tcp, udp and ftp) and BGP with 2 neighbours, running ok for one month, then suddenly almost all tcp traffic is blocked for a day or so, then again ok, etc. Last time it happened a day ago and our ISP told me about an equipment replacement, but with all the same configuration restored, etc.

When the problem appears, the symptoms are:
- most of the tcp traffic is blocked, mainly http, ftp; icmp is ok
- if the config is reloaded, traffic resumes for 1 to 10 min depending on the traffic load, then it is blocked again
- there aren't significant error messages on the console, except (not sure if always) a FW one: "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401" (ip inspect set limit, 1400)
- traffic resumes if I include an ip inspect name ... http, but apparently there are some delays, and speed is affected.

The temporary fix is dropping the FW and using only acl's.
On the Cisco 3662 router there are 2 serial interf, bgp multihomed, and 2 FastEth interf for 2 different networks. Same ip inspect name... in on fasts, same acl in on serials. There is one more acl in on FastEth0/0 for filtering allowed ip's.
Can somebody help me with some (links with) recommendations/precautions when using CBAC on BGP Cisco routers?
Thank you for any hints!
P.S. Sorry, it is worth much more than 75 points, I know...
Answer : Traffic problems on Cisco edge router with BGP and CBAC.
The best answer is - don't do it. Been there, done that.
Although Cisco has done a pretty good job with their firewall IOS feature set, it is still a kludge on top of IOS; it was not designed as a firewall.
Putting all your eggs in one basket is trouble. You have two providers using BGP for redundancy, so it is obviously important to you.
My suggestion is to let the router route and do the bgp thing - that's what it does very very well, and let it provide the first line of defense with some good acls.
Put in a real firewall, i.e. PIX, behind the router for the stateful packet inspection.
Having said all that, what version of IOS are you running?
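An added example, not taken from the asker's router or the answerer's configuration, of the ACL-only edge the answer recommends: BGP and routing stay on the router, inbound filtering is a stateless extended ACL on the provider-facing serials, and no `ip inspect` is applied at the edge, so stateful inspection is left to a firewall behind the router. All addresses (RFC 5737 documentation ranges, with 203.0.113.0/24 standing in for the site's own prefix), AS numbers and interface names are placeholders.

```cisco
! Added example (not the asker's or answerer's config). Placeholders:
!   203.0.113.0/24  = our own prefix, announced to both providers
!   192.0.2.1       = eBGP peer at provider A (AS 65001), we are 192.0.2.2
!   198.51.100.1    = eBGP peer at provider B (AS 65002), we are 198.51.100.2
!
! No "ip inspect" anywhere on the edge router: the box only routes,
! speaks BGP and applies a stateless ACL on the outside interfaces.
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 198.51.100.1 remote-as 65002
 network 203.0.113.0 mask 255.255.255.0
!
ip access-list extended EDGE-IN
 remark --- BGP only from the two configured peers, in both directions
 remark --- (peer-initiated session to our port 179, or replies from theirs)
 permit tcp host 192.0.2.1 host 192.0.2.2 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.2
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark --- anti-spoofing: our own prefix and private ranges never arrive from outside
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark --- replies to sessions opened from inside; "established" only checks
 remark --- the ACK/RST bits, it keeps no state, hence the firewall behind us
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark --- the one service published to the Internet (placeholder host);
 remark --- the firewall behind the router inspects it statefully
 permit tcp any host 203.0.113.10 eq www
 deny   ip any any log
!
interface Serial0/0
 description Provider A
 ip address 192.0.2.2 255.255.255.252
 ip access-group EDGE-IN in
!
interface Serial0/1
 description Provider B
 ip address 198.51.100.2 255.255.255.252
 ip access-group EDGE-IN in
```

The `established` keyword is the stateless stand-in for CBAC's return-traffic handling: it admits any TCP segment with ACK or RST set, so it cannot tell a genuine reply from a crafted one, which is exactly why the answer keeps a real stateful firewall behind the router rather than relying on the ACL alone. Two checks worth keeping in mind when an edge looks like the asker's: the `%FW-4-ALERT_ON: getting aggressive` message is CBAC reporting that its half-open session thresholds (`ip inspect max-incomplete high`/`low` and `ip inspect one-minute high`/`low`) have been exceeded, at which point it starts deleting half-open sessions until the count drops below the low watermark, and the BGP permits must sit above the anti-spoofing denies so that a peering session is never filtered by a later line.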