router-traffic for CBAC

CBAC (Context-Based Access Control) is the stateful upgrade to a plain access list. An access list is not stateful: if a strict access list is applied inbound on the Outside interface, the return traffic of most connections initiated from the Inside subnet will be blocked. CBAC inspects the specified outbound traffic and records each session in a state table; when the return traffic comes back, the access list on the Outside interface no longer blocks it, because CBAC opens a temporary entry for exactly that session.

However, there is an interesting catch: if the traffic is initiated by the local router itself, the inspection does not take effect by default, so the router's own connections (telnet, ping, NTP and so on) get their return packets dropped by the inbound access list. Just as we have to issue "no ip route-cache" when we want to capture transit packets, we need to add the "router-traffic" option when defining the CBAC inspection rule, so that traffic originating from (or destined to) the router is inspected as well.

ip inspect name INSIDE_OUT tcp router-traffic
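A complete configuration showing where the keyword fits, as an added example that is not from the original post. Interface names, addresses and the ACL name OUTSIDE_IN are assumptions chosen for illustration. The router-traffic keyword is documented by Cisco for the TCP, UDP and H.323 protocols, so it is applied here to tcp and udp only.

```cisco
! Constructed example: strict inbound ACL on the Outside interface.
! Nothing is permitted statically; CBAC opens entries per session.
ip access-list extended OUTSIDE_IN
 deny ip any any log
!
! Inspection rule. Without "router-traffic", only transit traffic
! from the Inside subnet is tracked; connections sourced by the
! router itself would have their return packets dropped by OUTSIDE_IN.
ip inspect name INSIDE_OUT tcp router-traffic timeout 3600
ip inspect name INSIDE_OUT udp router-traffic timeout 30
!
interface GigabitEthernet0/0
 description Inside (assumed name and address)
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside (assumed name and address)
 ip address 203.0.113.2 255.255.255.0
 ip access-group OUTSIDE_IN in
 ip inspect INSIDE_OUT out
```

To verify, open a connection from the router itself (for example "telnet 198.51.100.10 80" from the CLI, 198.51.100.10 being an assumed outside host) and check "show ip inspect sessions": with router-traffic present a session entry appears and the reply is accepted; remove the keyword and the same connection times out while the "deny ip any any log" entry in OUTSIDE_IN logs the dropped reply. "show ip inspect config" confirms whether the keyword is active on each protocol line.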
