CBAC Operation


Cisco describes CBAC services as offering secure, per-application access control for all traffic across perimeters. CBAC performs this service by intelligently filtering TCP and UDP packets based on application-layer protocol session information.

Exam Alert: CBAC provides secure, per-application access control for all traffic across perimeters.

Exam Alert: CBAC intelligently filters TCP and UDP packets based on application-layer protocol information.


When it is used for packet inspection, CBAC dynamically creates and deletes access control entries (ACEs). CBAC uses the information in its state table to dynamically create the ACEs that are applied to an interface.

However, CBAC only inspects traffic if the ACLs are not already blocking the original traffic. The access lists on a router are checked to determine whether traffic is allowed before CBAC gets to inspect it. That doesn't seem correct, does it? We just stated that CBAC dynamically creates ACEs. Remember that CBAC creates dynamic ACEs based on information contained in CBAC's state table, and CBAC only enters information into the state table if it is able to inspect the traffic. It is the host-sourced (host-initiated) traffic that is inspected; the dynamic ACEs then admit the return traffic for those sessions.

Because CBAC provides denial-of-service (DoS) protection and also manages state-table information for data sessions, CBAC needs to associate threshold values and time values with sessions in order to manage and drop them. When we discuss the configuration of CBAC a little later in this chapter, you will see how you can tune the timeouts and thresholds that CBAC uses to manage sessions.

Exam Alert: Dynamic ACEs are created from information in the state table.


CBAC also provides DoS protection through the use of several commands. CBAC uses session information and state-table information to provide these DoS protections.
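The following IOS configuration is an added example (constructed for this page, not taken from the book) showing the operation described above: an inbound ACL on the inside interface must permit the host-initiated traffic before CBAC can inspect it, the outside ACL blocks everything unless a dynamic ACE built from the state table opens it, and the timeout and threshold commands govern when sessions are aged out or dropped for DoS protection. Interface names, addresses, the inspection rule name INSPECT, and the timer/threshold values are assumptions chosen for illustration.

```cisco
! Constructed example: CBAC protecting an inside LAN (10.1.1.0/24) behind a router
! whose outside interface faces an untrusted network.
!
! Inspection rule: which application-layer protocols CBAC tracks in its state table
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT http
!
! Session timers: how long state-table entries live before being removed
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! DoS thresholds: when too many half-open sessions exist, CBAC starts
! deleting them until the count drops below the low-water mark
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 0
!
! Inside ACL: must PERMIT the host-initiated traffic, or CBAC never sees it
! (the ACL is evaluated before inspection takes place)
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
!
! Outside ACL: denies all inbound traffic; return traffic for inspected
! sessions is admitted only by the dynamic ACEs CBAC inserts ahead of this list
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 description inside (trusted hosts)
 ip address 10.1.1.1 255.255.255.0
 ip access-group 102 in
 ip inspect INSPECT in
!
interface FastEthernet0/1
 description outside (untrusted)
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Verification: show ip inspect sessions (state table) and
! show ip inspect config (timers, thresholds, inspection rules)
```

Because access-list 101 contains only a deny, any inbound packet on the outside interface that does not match a state-table session is dropped and logged, which is also where unexpected return traffic shows up when an inside host's original request was blocked by access-list 102 and therefore never inspected.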



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
