Configure a Firewall on Cisco Switch

The Cisco 850 and Cisco 870 series routers support access lists for filtering network traffic. They also provide Context-Based Access Control (CBAC), which adds packet inspection and dynamic temporary access lists. Basic traffic filtering is limited to configured access lists, which examine packets at the network layer or, at most, the transport layer and decide whether each packet is allowed through the firewall. CBAC can create and use dynamic temporary access lists, but only when inspection rules are configured. These dynamic lists temporarily open holes in the access lists configured on the firewall interfaces. An opening is created when traffic for a particular user session leaves the internal network through the firewall, and it lets the return traffic for that session back in through the firewall, where it would otherwise be blocked. To configure this network scenario, complete the following steps:

  • Set up Access Lists
  • Set up Inspection Rules
  • Apply Access Lists and Inspection Rules to Interfaces

1. Set up Access Lists:

To build access lists for the firewall, follow these instructions starting in global configuration mode:

Step 1

Command:

access-list access-list-number {deny | permit} protocol source source-wildcard [operator [port]] destination

Example:

Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
Router(config)# access-list 103 deny ip any any
Router(config)#

Purpose:

Creates an access list that checks source and destination ports to block Internet-initiated traffic from entering the router's internal (local) network. Entries are evaluated in order and the first match wins, so the permit entry for ISAKMP (which runs over UDP, hence the protocol keyword) must come before the catch-all deny; placed after it, the permit would never match.

2. Set up Inspection Rules:

Beginning in global configuration mode, carry out the following steps to set up firewall inspection rules for all TCP and UDP traffic as well as certain application protocols as specified by the security policy:

Step 1

Command:

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall tcp
Router(config)#

Purpose:

Defines an inspection rule for a particular protocol.

Step 2

Command:

ip inspect name inspection-name protocol

Example:

Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#

Purpose:

Repeat the same command for each protocol you want the inspection rule to cover.

3. Apply Access Lists and Inspection Rules to Interfaces:

To apply the ACLs and inspection rules to the network interfaces, follow these steps, starting in global configuration mode:

Step 1

Command:

interface type number

Example:

Router(config)# interface vlan 1
Router(config-if)#

Purpose:

Enters interface configuration mode for the router's internal network interface.

Step 2

Command:

ip inspect inspection-name {in | out}

Example:

Router(config-if)# ip inspect firewall in
Router(config-if)#

Purpose:

Applies the firewall inspection rule set to traffic entering the router's internal interface, that is, traffic leaving the internal network.

Step 3

Command:

exit

Example:

Router(config-if)# exit
Router(config)#

Purpose:

Returns to global configuration mode.

Step 4

Command:

interface type number

Example:

Router(config)# interface fastethernet 4
Router(config-if)#

Purpose:

Enters interface configuration mode for the router's outside network interface.

Step 5

Command:

ip access-group {access-list-number | access-list-name} {in | out}

Example:

Router(config-if)# ip access-group 103 in
Router(config-if)#

Purpose:

Applies the specified access list to inbound traffic on the router's outside interface.

Step 6

Command:

exit

Example:

Router(config-if)# exit
Router(config)#

Purpose:

Returns to global configuration mode.
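As an added example that is not part of the original page or of Cisco's documentation, the following Python script lints a CBAC-style configuration built from the three steps above: it flags ACL entries shadowed by an earlier deny-all, an ACL entry whose protocol field is not a protocol keyword, and an ip inspect or ip access-group binding that references a rule or list that was never defined. The sample configurations, the PROTOCOLS set and the lint function are all constructed for this example.

```python
"""Lint an IOS CBAC firewall config (constructed example, not from the page or
Cisco) for ACL entries shadowed by an earlier 'deny ip any any', ACL entries with
no protocol keyword, and interface bindings to an undefined rule or list."""
import re

# Constructed config following the page's three steps, with the ACL written the
# wrong way round (deny first) and no protocol keyword on the permit entry.
PAGE_ORDER_CONFIG = """\
access-list 103 deny ip any any
access-list 103 permit host 200.1.1.1 eq isakmp any
ip inspect name firewall tcp
interface vlan 1
 ip inspect firewall in
interface fastethernet 4
 ip access-group 103 in
"""
# Same config with the ACL corrected: permit first, explicit protocol.
FIXED_CONFIG = PAGE_ORDER_CONFIG.replace(
    "access-list 103 deny ip any any\naccess-list 103 permit host 200.1.1.1 eq isakmp any\n",
    "access-list 103 permit udp host 200.1.1.1 eq isakmp any\naccess-list 103 deny ip any any\n")
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*)$")
INSPECT_DEF_RE = re.compile(r"^ip inspect name (\S+) \S+")
INSPECT_APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")
GROUP_APPLY_RE = re.compile(r"^ip access-group (\S+) (in|out)$")

def lint(config):
    """Return finding strings; an empty list means no issues were found."""
    acls, rules, findings = {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            num, action, proto, rest = m.groups()
            entries = acls.setdefault(num, [])
            if proto not in PROTOCOLS and not proto.isdigit():
                findings.append(f"ACL {num}: unknown protocol '{proto}' in '{line}'")
            # IOS evaluates entries top down, so nothing after deny-all can match
            if ("deny", "ip", "any any") in entries:
                findings.append(f"ACL {num}: '{line}' is shadowed by an earlier 'deny ip any any'")
            entries.append((action, proto, rest))
        elif m := INSPECT_DEF_RE.match(line):
            rules.add(m.group(1))
        elif m := INSPECT_APPLY_RE.match(line):
            if m.group(1) not in rules:
                findings.append(f"'{line}': inspection rule '{m.group(1)}' is not defined")
        elif m := GROUP_APPLY_RE.match(line):
            if m.group(1) not in acls:
                findings.append(f"'{line}': access list {m.group(1)} is not defined")
    return findings
```

Running lint over PAGE_ORDER_CONFIG reports two findings on the permit entry, while FIXED_CONFIG comes back clean.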

How to Configure a Firewall in Cisco Switch?

A firewall is a network security device or software component that monitors incoming and outgoing network traffic and decides, according to a set of security rules, which traffic to allow and which to deny.
