Friday, April 17, 2009

CBAC - Context Based Access Control

CBAC performs a similar function to reflexive ACLs. With CBAC, however, there is much more granular control over the type of sessions monitored, along with the allowed session thresholds and timers (see ip inspect ? for the types of control available).


R1 (trusted) --------- FA0/0 R2 S1/0 ---------- R3 (untrusted)

In this example no inbound TCP sessions are allowed into the protected network, but R1 is allowed TCP access out to the untrusted network (R3). A standard blocking ACL is applied inbound on the outside interface of R2:

access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit eigrp any any
access-list 100 deny ip any any

interface S1/0
ip access-group 100 in


With this config R1 can ping R3 (echo-reply is permitted inbound) but cannot telnet to it.

I create an inspection rule to examine all TCP traffic and apply it inbound on interface fa0/0 to inspect traffic from users on the protected network. When CBAC sees a TCP session initiated from the protected network, it creates a dynamic entry in access list 100 to allow the return traffic for that session.

Router_2(config)#ip inspect name RICH tcp
Router_2(config)#int fa0/0
Router_2(config-if)#ip inspect RICH in


Unlike reflexive ACLs, there is no explicit reference required in the ACL on the untrusted interface - initially a source of some confusion for me!!! CBAC will add the dynamic entries and open up access without it.

With the above config R1 can now initiate a telnet connection to R3.

Verification commands on R2:

#show ip inspect all
#show access-list 100

Alternatively, the inspect rule can be applied on the untrusted interface in the out direction, achieving the same net result:

Router_2(config)#int s1/0
Router_2(config-if)#ip inspect RICH out
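The post mentions that CBAC also lets you tune session thresholds and timers. The following is an added example config (not from the original post) for the same R2 topology, with constructed timer and threshold values; it keeps the RICH rule and ACL 100 from above, adds UDP inspection, and turns on the audit trail so dynamic session entries are logged.

```cisco
! Added example, not the original post's config. Same topology:
! fa0/0 = inside (towards R1), s1/0 = outside (towards R3).
!
! Inspection rule: TCP and UDP. Per-rule timeout overrides the global
! idle-time; alert/audit-trail log session open and close to syslog.
ip inspect name RICH tcp alert on audit-trail on timeout 3600
ip inspect name RICH udp alert on audit-trail on timeout 30
!
! Global TCP timers (seconds, constructed values): how long a half-open
! SYN may wait, how long a closing session lingers after FIN, and how
! long an idle established session keeps its dynamic ACL entry.
ip inspect tcp synwait-time 20
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 1800
!
! Half-open session thresholds: above the high watermark CBAC starts
! deleting half-open sessions until the count falls to the low one.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
!
! Per-destination-host limit on half-open TCP sessions; block-time 0
! means only the oldest half-open session to that host is dropped.
ip inspect tcp max-incomplete host 50 block-time 0
!
! Log every session creation and teardown.
ip inspect audit-trail
!
! Same blocking ACL as before; CBAC inserts its dynamic permit entries
! ahead of these lines for return traffic of inspected sessions.
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit eigrp any any
access-list 100 deny ip any any
!
interface FastEthernet0/0
 ip inspect RICH in
!
interface Serial1/0
 ip access-group 100 in
```

After a session from R1 to R3 is opened, show ip inspect sessions and show access-list 100 show the session and its dynamic entry, and the audit trail messages appear in the router log.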
