In the last chapter, you were introduced to one method of providing stateful filtering with the Cisco IOS: reflexive ACLs (RACLs). This chapter focuses on Context-based Access Control (CBAC), one of the key features in the Cisco IOS Firewall feature set. As you will see at the beginning of this chapter, CBAC has many more features and fewer limitations than RACLs. Cisco recommends that you use CBAC instead of RACLs; you will understand why by the end of this chapter.
CBAC is just one of many features of the Cisco IOS Firewall feature set. The Cisco IOS Firewall also supports other features, including authentication proxy (Chapter 14, "Authentication Proxy") and an intrusion-detection system (Chapter 16, "Intrusion-Detection System"). This chapter focuses only on CBAC, which implements the Cisco IOS Firewall feature set's stateful filtering. I begin by introducing some Cisco IOS Firewall features, and then I discuss features specific to CBAC and how to configure CBAC.