Traffic problems on Cisco edge router with BGP and CBAC.

Posted on 2003-03-15
Medium Priority
Last Modified: 2013-11-29

Looking in Google for some hints related to CBAC - BGP interference, I found in EXE:
> What you have to be careful of on the edge routers is any stateful configurations like CBAC or
> other IOS Firewall features i.e. ip-inspect, and be very careful in your access-lists...
I am stuck in apparently same type of problem: a Cisco 3662 with CBAC (ip inspect..., including ip inspect name...tcp, udp and ftp) and BGP with 2 neighbours, running ok for one month, then suddenly almost all tcp traffic is blocked for a day or so, then again ok, etc. Last time it happened a day ago and our ISP told me about an equipment replacement, but with all the same configuration restored, etc.
When the problem appears, the symptoms are:
- most of the tcp traffic is blocked, mainly http, ftp; icmp is ok
- if the config is reloaded, traffic resumes for 1 to 10 min depending on the traffic load, then it is blocked again
- there aren't significant error messages on the console, except (not sure if always) a FW one: "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401" (ip inspect set limit, 1400)
- traffic resumes if I include an ip inspect name ... http, but apparently there are some delays, and speed is affected.
The temporary fix is dropping the FW, and using only acl's.

On the Cisco 3662 router there are 2 serial interf, bgp multihomed, and 2 FastEth interf for 2 different networks. Same ip inspect name... in on fasts, same acl in on serials. There is one more acl in on FastEth0/0 for filtering allowed ip's.

Can somebody help me with some (links with) recommendations/precautions when using CBAC on BGP Cisco routers?

Thank you for any hints!

P.S. Sorry, it's worth much more than 75 points, I know...
Question by:dannir
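An added example, not from this thread: a small Python parser for the "%FW-4-ALERT_ON" line quoted above, run over constructed syslog lines. It reports which CBAC threshold tripped aggressive mode (half-open count against max-incomplete high, or one-minute rate against one-minute high) and the line spans during which the router stayed aggressive, which is when the TCP blackout described in the question would be expected. It assumes the 1400 the asker mentions is the configured one-minute high and that CBAC signals leaving aggressive mode with a "%FW-4-ALERT_OFF" message.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed syslog excerpt (not from the thread); ALERT_OFF is matched on its tag only.
SAMPLE_LOG = """\
Mar 14 10:01:02 edge-rtr 45: %FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401
Mar 14 10:07:44 edge-rtr 47: %FW-4-ALERT_OFF: calming down, count (10/1200) current 1-min rate: 300
Mar 14 10:12:09 edge-rtr 48: %FW-4-ALERT_ON: getting aggressive, count (1230/1200) current 1-min rate: 1650
"""
ALERT_ON = re.compile(r"%FW-4-ALERT_ON: getting aggressive, count \((?P<count>\d+)/(?P<high>\d+)\)"
                      r" current 1-min rate: (?P<rate>\d+)")
ALERT_OFF = re.compile(r"%FW-4-ALERT_OFF:")

@dataclass
class AggressiveEvent:
    line_no: int
    half_open: int            # current half-open TCP/UDP sessions
    max_incomplete_high: int  # configured "ip inspect max-incomplete high"
    one_min_rate: int         # new connection attempts in the last minute

def parse_cbac_alerts(log: str) -> List[AggressiveEvent]:
    """Extract every ALERT_ON line with its count, high-water mark and rate."""
    out = []
    for n, line in enumerate(log.splitlines(), 1):
        if m := ALERT_ON.search(line):
            out.append(AggressiveEvent(n, int(m["count"]), int(m["high"]), int(m["rate"])))
    return out

def trigger_reason(ev: AggressiveEvent, one_minute_high: int) -> str:
    """Which threshold tripped: the half-open count (max-incomplete high),
    the one-minute rate (one-minute high, assumed 1400 from the question), or both."""
    by_count = ev.half_open > ev.max_incomplete_high
    by_rate = ev.one_min_rate > one_minute_high
    return {(True, True): "both", (True, False): "half-open count",
            (False, True): "one-minute rate"}.get((by_count, by_rate), "neither")

def aggressive_windows(log: str) -> List[Tuple[int, Optional[int]]]:
    """Line spans from an ALERT_ON to the next ALERT_OFF; end is None when the
    router is still in aggressive mode (dropping half-open sessions) at EOF."""
    spans, start = [], None
    for n, line in enumerate(log.splitlines(), 1):
        if start is None and ALERT_ON.search(line):
            start = n
        elif start is not None and ALERT_OFF.search(line):
            spans.append((start, n))
            start = None
    if start is not None:
        spans.append((start, None))
    return spans
```

Feeding the router's real syslog through this shows whether the blackouts line up with aggressive-mode spans, and whether it is the half-open count or the connection rate that keeps tripping the limit.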
LVL 79

Accepted Solution

lrmoore earned 300 total points
ID: 8142757
The best answer is - don't do it. Been there, done that.

Although Cisco has done a pretty good job with their firewall ios feature set, it is still a kludge on top of IOS, it was not designed as a firewall.

Putting all your eggs in one basket is trouble. You have two providers using BGP for redundancy, so it is obviously important to you.

My suggestion is to let the router route and do the bgp thing - that's what it does very very well, and let it provide the first line of defense with some good acls.

Put in a real firewall, i.e. PIX, behind the router for the stateful packet inspection.

Having said all that, what is the version IOS that you are running?


Author Comment

ID: 8143012
Thank you!

IOS (tm) 3600 Software (C3660-IO3-M), Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)

You should be right, of course.
The problem is the budget, as we are a university.
However, as you say, I shall renounce the FW on the edge router!
I can immediately free a Cisco 2651 with FW for one of the networks down the stream on one of the FastEth, and use perhaps a Linux box on the other FastEth interf.
In a couple of months we'll have the support of a larger project. Is PIX the best choice for the money?

On the other hand, I can post the configuration, if you wish.
LVL 79

Expert Comment

ID: 8143056
IMHO, the PIX is by far the best bang for the buck.

12.2(8)T5 is an Early Deployment release version. Releases are up to 12.2(13)T1 already. Unless you specifically need something from the "T" train, suggest downgrading to latest stable General Deployment release:

Expert Comment

ID: 10027439
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: lrmoore {http:#8142757}

Please leave any comments here within the next seven days.

Julian Crawford
EE Cleanup Volunteer
