Traffic problems on Cisco edge router with BGP and CBAC.

Posted on 2003-03-15
Last Modified: 2013-11-29
Hello,

Looking in Google, for some hints related to CBAC - BGP interference I found in EXE:
> What you have to be careful of on the edge routers is any stateful configurations like CBAC or
> other IOS Firewall features i.e. ip-inspect, and be very careful in your access-lists...
I am stuck with apparently the same type of problem: a Cisco 3662 with CBAC (ip inspect..., including ip inspect name...tcp, udp and ftp) and BGP with 2 neighbours, running ok for one month, then suddenly almost all tcp traffic is blocked for a day or so, then again ok, etc. Last time it happened a day ago and our ISP told me about an equipment replacement, but with all the same configuration restored, etc.
When the problem appears, the symptoms are:
- most of the tcp traffic is blocked, mainly http, ftp; icmp is ok
- if the config is reloaded, traffic resumes for 1 to 10 min depending on the traffic load, then it is blocked again
- there aren't significant error messages on the console, except (not sure if always) a FW one: "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401" (ip inspect set limit, 1400)
- traffic resumes if I include an ip inspect name ... http, but apparently there are some delays, and speed is affected.
The temporary fix is dropping the FW, and using only acl's.

On the Cisco 3662 router there are 2 serial interf, bgp multihomed, and 2 FastEth interf for 2 different networks. Same ip inspect name... in on fasts, same acl in on serials. There is one more acl in on FastEth0/0 for filtering allowed ip's.

Can somebody help me with some (links with) recommendations/precautions when using CBAC on BGP Cisco routers?

Thank you for any hints!

P.S. Sorry, it is worth much more than 75 points, I know...
Question by:dannir
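Added example, not part of the original post: a small parser for the `%FW-4-ALERT_ON` / `%FW-4-ALERT_OFF` messages that reports which CBAC high threshold put the router into aggressive mode, in which it deletes half-open sessions to admit new ones. It assumes the documented field meaning (current half-open count / max-incomplete threshold, then the one-minute connection rate) and that the poster's "1400" is the `ip inspect one-minute high` value; all log lines except the first are constructed.

```python
import re

# CBAC aggressive-mode messages: count (<half-open>/<threshold>), then 1-min rate.
ALERT_RE = re.compile(
    r"%FW-4-ALERT_(?P<state>ON|OFF): .*?count \((?P<cur>\d+)/(?P<limit>\d+)\)"
    r" current 1-min rate: (?P<rate>\d+)"
)

def parse_alert(line):
    """Return (state, half_open, count_limit, rate) or None for other lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m["state"], int(m["cur"]), int(m["limit"]), int(m["rate"])

def tripped(half_open, count_limit, rate, one_minute_high):
    """Name the high threshold(s) an ALERT_ON message exceeded."""
    reasons = []
    if half_open > count_limit:
        reasons.append("max-incomplete")
    if rate > one_minute_high:   # this limit is not in the message; pass it in
        reasons.append("one-minute")
    return reasons

def episodes(lines, one_minute_high):
    """Pair each ALERT_ON with the next ALERT_OFF; report cause and whether it cleared."""
    out = []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        state, cur, limit, rate = parsed
        if state == "ON":
            out.append({"reasons": tripped(cur, limit, rate, one_minute_high),
                        "cleared": False})
        elif out and not out[-1]["cleared"]:
            out[-1]["cleared"] = True
    return out

SAMPLE = [
    # Quoted in the post above:
    "%FW-4-ALERT_ON: getting aggressive, count (806/1200) current 1-min rate: 1401",
    # Constructed lines for illustration:
    "%FW-4-ALERT_OFF: calming down, count (310/1000) current 1-min rate: 900",
    "%LINK-3-UPDOWN: Interface Serial1/0, changed state to up",
    "%FW-4-ALERT_ON: getting aggressive, count (1250/1200) current 1-min rate: 1100",
]

if __name__ == "__main__":
    for ep in episodes(SAMPLE, one_minute_high=1400):  # 1400: assumed from the post
        print(ep)
```

For the message in the post, the half-open count (806) is below its limit of 1200, so the episode is attributed to the one-minute rate (1401 against an assumed limit of 1400).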
Accepted Solution

by:
lrmoore earned 300 total points
ID: 8142757
The best answer is - don't do it. Been there, done that.

Although Cisco has done a pretty good job with their firewall ios feature set, it is still a kludge on top of IOS, it was not designed as a firewall.

Putting all your eggs in one basket is trouble. You have two providers using BGP for redundancy, so it is obviously important to you.

My suggestion is to let the router route and do the bgp thing - that's what it does very very well, and let it provide the first line of defense with some good acls.

Put in a real firewall, i.e. PIX, behind the router for the stateful packet inspection.

Having said all that, what is the version IOS that you are running?


Author Comment

by:dannir
ID: 8143012
Thank you!

IOS (tm) 3600 Software (C3660-IO3-M), Version 12.2(8)T5,  RELEASE SOFTWARE (fc1)

You should be right, of course.
The problem is the budget, as we are a university.
However, as you say, I shall renounce the FW on the edge router!
I can immediately free a Cisco 2651 with FW for one of the networks down the stream on one of the FastEth, and use perhaps a Linux box on the other FastEth interf.
In a couple of months we'll have the support of a larger project. Is PIX the best choice for the money?

On the other hand, I can post the configuration, if you wish.
Expert Comment

by:lrmoore
ID: 8143056
IMHO, the PIX is by far the best bang for the buck.

12.2(8)T5 is an Early Deployment release version. Releases are up to 12.2(13)T1 already. Unless you specifically need something from the "T" train, suggest downgrading to latest stable General Deployment release:
12.1(19)
Expert Comment

by:juliancrawford
ID: 10027439
No comment has been added lately, so it's time to clean up this TA.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept: lrmoore {http:#8142757}

Please leave any comments here within the next seven days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Julian Crawford
EE Cleanup Volunteer