Saturday, June 12, 2010

ASA new features in 8.3

Cisco quietly released the latest version of ASA code (8.3, the release of which I must have missed), and while checking through the release notes I noticed two key changes.

The first one is the option to use globally applied access lists. This is a big deal, as Cisco firewall policies have always been interface based. It's one of the barriers that administrators of other vendors' devices run into when starting to use PIX/ASA/IOS firewalls. The last couple of years have seen a couple of changes that indicated a move in that direction. We had zone-based firewall (now the recommended way to firewall on IOS), where controls are applied between zones rather than on interfaces. Now ASA (not PIX, btw) moves to global access lists.
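As an added illustration (not configuration from the post), here is the same policy written both ways: the pre-8.3 form, where each ACL is bound to one interface with `access-group ... in interface`, and the 8.3 form, where one ACL is bound with `access-group ... global`. The interface names, ACL names and addresses are assumed; in 8.3 an interface ACL, if present, is evaluated first, then the global ACL, then the implicit deny.

```cisco
! Added example: per-interface policy (pre-8.3 style) vs global policy (8.3).
! Interface names (outside, dmz), ACL names and the 10.1.1.0/24 range are assumed.

! --- Per-interface style: a short, interface-specific list on each interface ---
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

access-list DMZ-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 25
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz

! --- Global style (8.3): one list, consulted for ingress traffic on every interface ---
! Because a global rule is not scoped by interface, each rule must carry its own
! source constraint: "permit tcp any host 10.1.1.10 eq 443" would also match
! traffic arriving on dmz, not just on outside.
access-list GLOBAL-IN extended permit tcp any host 10.1.1.10 eq 443
access-list GLOBAL-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 25
access-list GLOBAL-IN extended deny ip any any log
access-group GLOBAL-IN global

! Caveat when mixing the two: interface ACLs are processed before the global ACL.
! An explicit "deny ip any any" at the end of an interface ACL means the global
! list is never reached for that interface, so either drop the explicit deny
! from interface lists or accept that the global list only covers interfaces
! without one.
```

After applying either form, `show access-list GLOBAL-IN` (or the interface ACL name) shows per-line hit counts, which is the quickest way to confirm that the rule you expect to match is the one actually being hit.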

Is it better? That's going to turn into a religious argument I suspect. Some people like the idea that you have one policy where rules are configured, and one place only. You can argue that this simplifies configuration, especially on devices that have multiple occasional administrators, as you don't need to look in multiple places to find where rules are configured.

Others (probably people like me who are very used to the PIX way of doing things) would argue that per-interface configuration means shorter, more specific access lists per interface, so you have less to look through to find a rule; you just need to know what you're doing to make sure you look in the right place. Time will tell which becomes the prevalent method, and it'll be interesting to see whether Cisco optimise performance towards one method or the other (like ZBF being the 'optimised' method on ISR routers).

The second big change is the 'simplification' of NAT. I've not finished reading up on this yet, but the part I don't like is the statement in the release notes that legacy configuration will be automatically upgraded. That sounds like something which will need a lot of testing before we're all confident in making live upgrades. For me, I'd rather see an option to use either method, just for a version or two.
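As an added example (not from the post), the following shows what the automatic upgrade has to rewrite: a static translation for a web server in the pre-8.3 `static`/`global`/`nat` syntax beside the same translation as 8.3 network object NAT. The important difference for anyone testing the upgrade is that in 8.3 access lists match the real (untranslated) address rather than the mapped one, so the ACL line changes as well as the NAT line. Addresses, object and ACL names are assumed.

```cisco
! Added example: one static translation and one dynamic PAT, pre-8.3 vs 8.3.
! 10.1.1.10 (real) and 203.0.113.10 (mapped) and all names are assumed values.

! --- Pre-8.3 syntax: ACLs on the outside interface match the MAPPED address ---
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE-IN in interface outside

! --- 8.3 syntax: NAT lives on the network object; ACLs match the REAL address ---
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
access-list OUTSIDE-IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE-IN in interface outside
```

When checking a converted configuration, `show running-config nat` and `show nat` list the translations the upgrade produced, and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443` walks one inbound packet through NAT and the ACL and reports at which phase it is dropped, which catches an ACL line the upgrade left pointing at the mapped address.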

Location: Fingrean Rd, United Kingdom
