Transparent Cisco IOS Firewall use cases

The following excerpt from Cisco's related documentation describes the purpose behind a transparent Cisco IOS firewall:

The Transparent Cisco IOS Firewall feature allows users to “drop” a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their network-connected devices. Thus, users can allow selected devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied.

It is essentially the implementation of Cisco Context-Based Access Control (CBAC) over a Layer 2 device. The advantages here include:

  1. It runs on a Cisco IOS router, so no specialized (and expensive?) firewall appliance is necessary. It’s kind of like a “poor man’s firewall”, but it does a decent job.
  2. There is no need to modify your subnets, since the device forwards frames at Layer 2. It’s easy to place on your network with minimal topology changes.
  3. It gives you the ability to selectively allow or deny services or hosts within the same subnet.

This is by no means a full-scale security solution, but it can be more than adequate for many small to medium-sized businesses. And since you will often have a spare IOS router lying around, it frequently costs next to nothing.
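As an added example (not from the page and not from Cisco's documentation), the configuration below shows the shape of such a deployment: two router interfaces placed in one bridge group, a CBAC inspection rule on the inside interface so that return traffic for inside-initiated sessions is admitted dynamically, and an inbound ACL on the outside interface that exposes a single host on the shared subnet while everything else is denied and logged. The interface names, the rule and ACL names, and the 192.0.2.0/24 addresses are constructed placeholders; the optional BVI block for management is likewise an assumption about how a practitioner would address the box.

```cisco
! Added example (not from the page or Cisco's docs). Interface names,
! rule/ACL names and the 192.0.2.0/24 addresses are constructed assumptions.
!
! One Layer 2 bridge group spans both interfaces, so hosts on either side
! keep their existing addresses in 192.0.2.0/24 and no re-addressing is needed.
bridge 1 protocol ieee
!
! CBAC inspection rule: track TCP, UDP and ICMP sessions started from the
! inside so their return traffic is permitted through the outside ACL.
ip inspect name FW-INSIDE tcp
ip inspect name FW-INSIDE udp
ip inspect name FW-INSIDE icmp
!
! Inbound policy on the outside interface: only HTTPS to the one host that
! must be reachable from outside; everything else is denied and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
interface FastEthernet0/0
 description inside (protected hosts, same subnet as outside)
 no ip address
 bridge-group 1
 ip inspect FW-INSIDE in
!
interface FastEthernet0/1
 description outside
 no ip address
 bridge-group 1
 ip access-group OUTSIDE-IN in
!
! Optional (assumption): a bridge-group virtual interface so the router
! itself has a management address on the bridged subnet.
bridge irb
bridge 1 route ip
interface BVI1
 ip address 192.0.2.1 255.255.255.0
```

With this in place, 192.0.2.10 is reachable from the outside on TCP/443 only, every other inbound attempt hits the logged `deny ip any any`, and inside hosts can still reach outside services because CBAC opens the return path per session. Checking `show ip inspect sessions` and the ACL log entries is the quickest way to confirm the rule is actually catching traffic rather than silently bridging around it.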

Links:

https://www.cisco.com/c/en/us/td/docs/ios/sec_data_plane/configuration/guide/12_4/sec_data_plane_12_4_book/sec_trans_ios_fwall.pdf

https://networklessons.com/cisco/ccie-routing-switching/cisco-cbac-configuration-example