2811 Router IOS Firewall

Unanswered Question
Mar 20th, 2009
User Badges:

I have a 2811 Router running 12.4.19 with the IOS Firewall feature set. My question is whether to use the CBAC or Zone-based method of deployment. I have 12 VLANs (wired and wireless) off one FE interface that will need a minimum of three different security levels. In addition there two WAN interfaces (T1 primary and ISDN backup). The future plans include replacing the ISDN backup with an GRE IPSEC VPN off the second FE interface and also creating additional security levels within the wired and wireless VLANs.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
vmoopeung Thu, 03/26/2009 - 18:47
User Badges:
  • Bronze, 100 points or more

I think you can configure CBAC. The Context-Based Access Control (CBAC) feature of the Cisco IOS Firewall Feature Set actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists (in the same way that Cisco IOS uses access lists). However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall.

roshan.maskey Mon, 04/06/2009 - 06:13
User Badges:


I would recommend using Zone-Based Firewall. ZFW has more flexibility in inspecting traffic that CBAC FW. ZFW is based on security zone, where as CBAC is associated to interface.

In simple context, ZFW is like extended acl and CBAC is like standard acl.


This Discussion