Transparent Cisco IOS Firewall use cases
The following excerpt from Cisco's related documentation describes the purpose behind a transparent Cisco IOS firewall:
The Transparent Cisco IOS Firewall feature allows users to “drop” a Cisco IOS Firewall in front of their existing network without changing the statically defined IP addresses of their network-connected devices. Thus, users can allow selected devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied.
It is essentially the implementation of Cisco Context-Based Access Control (CBAC) over a Layer 2 device. The advantages here include:
- The use of a Cisco IOS router - no specialized (and expensive?) firewall device is necessary. It’s kind of like a “poor man’s firewall” but does a decent job.
- There is no need to modify your subnets, since the router bridges frames at Layer 2 rather than routing between networks. It’s easy to place on your network with minimal topology changes.
- It gives you the ability to selectively allow or deny services or hosts within the same subnet.
This is by no means a full-scale security solution, but it can be more than adequate for many small to medium-sized businesses. You will often have a spare IOS router lying around, so it can cost next to nothing.
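To make the "CBAC over a Layer 2 device" idea concrete, here is a minimal transparent firewall configuration. This is an added example, not taken from the page or from Cisco's documentation: the interface names, the 192.0.2.0/24 subnet, the host 192.0.2.10, the BVI address and the ACL/inspect rule names are assumed placeholders. It protects the hosts behind FastEthernet0/0 while leaving them in the same subnet as everything on FastEthernet0/1, and only one service on one inside host is reachable unsolicited from the outside.

```cisco
! Added example (not the page's or Cisco's own config). Interface names,
! the 192.0.2.0/24 subnet and the host addresses are assumed placeholders.
!
! Integrated routing and bridging: the two LAN ports are joined into one
! Layer 2 segment (bridge-group 1). "bridge 1 route ip" is only needed so
! the optional BVI below can carry a management address.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! CBAC inspection rule: track sessions initiated from the inside and open
! the matching return traffic through the outside ACL dynamically.
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT icmp
!
! Outside-facing ACL: nothing unsolicited is allowed in except HTTP to a
! single inside host. DHCP replies are broadcast from a different address
! than the request went to, so inspection cannot match them; permit them
! explicitly if inside hosts use DHCP. The final deny is logged so blocked
! attempts show up in the syslog for review.
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 80
 permit udp any eq bootps any eq bootpc
 deny   ip any any log
!
interface FastEthernet0/0
 description inside (protected hosts, same subnet as the outside)
 no ip address
 bridge-group 1
 ip inspect FW-INSPECT in
!
interface FastEthernet0/1
 description outside (rest of 192.0.2.0/24 and the default gateway)
 no ip address
 bridge-group 1
 ip access-group OUTSIDE-IN in
!
! Optional: give the router itself an address for management. It sits in
! the same subnet as the hosts on both sides; no renumbering is required.
interface BVI1
 ip address 192.0.2.2 255.255.255.0
```

Sessions started by inside hosts (for example a browser on 192.0.2.50 reaching a server elsewhere in the subnet or beyond the gateway) create inspection entries that temporarily let the return packets past OUTSIDE-IN; `show ip inspect sessions` lists them, and `show access-lists OUTSIDE-IN` shows hit counts on the static lines, including the logged deny. Two caveats a practitioner should keep in mind: IP access lists do not filter ARP or other non-IP frames, which are bridged regardless, and `show bridge 1` is the quickest way to confirm the router is actually learning MAC addresses on both ports.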
Links
https://networklessons.com/cisco/ccie-enterprise-infrastructure/cisco-cbac-configuration-example