Context based Access Control (CBAC)

  • Last Updated : 22 Sep, 2021

Traditionally, access lists (ACLs) have been used for packet filtering and protection. An ACL works through a sequence of rules provided by the administrator, each consisting of permit and deny conditions. The disadvantage of an ACL is that it filters traffic only up to the transport layer. 

Therefore, for low-budget firewall functionality, a Cisco router with the proper IOS version can be used. An IOS-based firewall can be implemented by two methods: 

  1. Context Based Access Control (CBAC) features 
  2. Zone-based firewall 

Context Based Access Control (CBAC) – 
ACLs provide traffic filtering and protection up to the transport layer, whereas CBAC provides the same function up to the application layer. With CBAC configured, the router can act as a firewall. 

Working – 
CBAC works much like a reflexive access list, but in addition it maintains a state table in memory in which sessions are tracked. When a session is initiated by a device inside the network, a dynamic entry is added to the state table and the outbound (outgoing) traffic is allowed to pass through the router (IOS-based firewall). Because of this entry, the replies to that outbound traffic can also pass through the router, since it holds an entry for traffic initiated from inside the network. The CBAC mechanism achieves this by opening temporary holes in the access list applied to inbound traffic so that the reply packets are allowed. 

Features – Some of the features of CBAC are: 

  1. Inspecting traffic – CBAC maintains TCP/UDP session information, which is needed to perform deeper inspection of the packet payload. 
  2. Filtering traffic – CBAC filters traffic that originates from the trusted network and leaves through the firewall, and allows replies only if there is a matching entry in the state table. It can filter traffic intelligently up to layer 7. 
  3. Detecting intrusion – CBAC examines the rate at which connections are being established, which lets it detect attacks such as DoS attacks and TCP SYN attacks. On that basis, the CBAC mechanism can cause a connection to be re-established or drop malicious packets. 
  4. Generating alerts and audits – A router running CBAC logs information about the connections established, the number of bytes sent, and the source and destination IP addresses. 

Configuration – 

There are 3 routers, namely router1 (IP address – on fa0/0), router2 (IP address – on fa0/0 and on fa0/1) and router3 (IP address –). First, we will distribute routes to all the routers through EIGRP so that the routers can ping each other. 
After that, we will make router3 an SSH server, and router2 (on which CBAC will be operating) will allow the traffic only if it has been inspected by router2. 

First configuring EIGRP on router1: 

router1(config)#router eigrp 100
router1(config-router)#no auto-summary 

Now, configuring EIGRP on router2 to reach other networks: 

router2(config)#router eigrp 100
router2(config-router)#no auto-summary

Now, configuring EIGRP on router3: 

router3(config)#router eigrp 100
router3(config-router)#no auto-summary

Now, we will configure SSH on router3: 

router3(config)#ip domain name
router3(config)#username saurabh password cisco
router3(config)#line vty 0 4
router3(config-line)#transport input ssh
router3(config-line)#login local 
router3(config)#crypto key generate rsa label modulus 1024

Now, we will create an access list on router2 that denies all traffic except EIGRP, because EIGRP maintains reachability between all the routers. 

router2(config)#ip access-list extended 100
router2(config-ext-nacl)#permit eigrp any any 
router2(config-ext-nacl)#deny ip any any

Now, applying it to the interface: 

router2(config)#int fa0/1
router2(config-if)#ip access-group 100 in

Now, router1 will not be able to SSH to router3, as we have applied an access list that accepts EIGRP packets only and denies all other packets. 
Now, configure CBAC on router2 to inspect the SSH traffic (only traffic that has been inspected by the IOS router operating CBAC will be allowed). 

router2(config)#ip inspect name Cisco ssh

The first command (!cbac) enables the CBAC feature, while the second command inspects the SSH traffic. 
Now, applying the inspection to the interface: 

router2(config)#int fa0/1
router2(config-if)#ip inspect Cisco out

Now, router1 will be able to SSH to router3, as the SSH packet is first inspected by router2 when it leaves the outbound interface (fa0/1), as configured. 
This can be verified by: 

router2#show ip inspect all

Note – 
Here, the access list has been applied inbound and CBAC has been applied outbound because we want only that traffic to come in from outside the network which was initiated by the inside network. CBAC applied outbound on the interface (fa0/1) creates temporary holes in the access list applied inbound on the same interface, allowing the return packets through the ACL. 
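The interaction between the inbound ACL and the CBAC state table described in the Working section and in this note, as an added simulation in Python (not code from the article, and not Cisco's implementation): ACL 100 permits only EIGRP inbound, and sessions inspected on the way out open a temporary, idle-timed hole for their replies. The router addresses, the mapping of SSH to TCP port 22 and the idle timeout are assumed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "eigrp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class CbacFirewall:
    # Models router2's fa0/1: 'ip access-group 100 in' plus 'ip inspect ... out'.
    def __init__(self, inspected, idle_timeout):
        self.inspected = set(inspected)   # (proto, dport) pairs; {("tcp", 22)} stands for ssh (assumed)
        self.idle_timeout = idle_timeout  # seconds of idleness before a hole closes (assumed)
        self.state = {}                   # expected-reply 5-tuple -> last-seen time

    def _acl_100(self, pkt):
        # permit eigrp any any / deny ip any any
        return pkt.proto == "eigrp"

    def outbound(self, pkt, now):
        """Inside -> outside through fa0/1: inspected sessions get a state entry."""
        if (pkt.proto, pkt.dport) in self.inspected:
            reply = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
            self.state[reply] = now       # temporary hole for the return packets
        return True

    def inbound(self, pkt, now):
        """Outside -> inside through fa0/1: state table first, then ACL 100."""
        self.state = {k: t for k, t in self.state.items() if now - t < self.idle_timeout}
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.state:
            self.state[key] = now         # refresh the idle timer
            return True
        return self._acl_100(pkt)

def run_scenario():
    """Constructed addresses: router1 = 10.0.0.1 (inside), router3 = 10.0.1.3 (outside)."""
    fw = CbacFirewall(inspected={("tcp", 22)}, idle_timeout=600)
    ssh_out = Packet("tcp", "10.0.0.1", "10.0.1.3", 51000, 22)
    ssh_reply = Packet("tcp", "10.0.1.3", "10.0.0.1", 22, 51000)
    unsolicited = Packet("tcp", "10.0.1.3", "10.0.0.1", 22, 51001)
    eigrp = Packet("eigrp", "10.0.1.3", "224.0.0.10")
    return {
        "ssh_out": fw.outbound(ssh_out, 1),                # allowed, hole opened
        "ssh_reply": fw.inbound(ssh_reply, 2),             # allowed via state table
        "unsolicited": fw.inbound(unsolicited, 3),         # no session, denied by ACL
        "eigrp": fw.inbound(eigrp, 4),                     # permitted by ACL 100
        "reply_after_idle": fw.inbound(ssh_reply, 700),    # hole expired, denied
    }
```

Without the outbound inspection step the reply would be dropped by the deny at the end of ACL 100, which is exactly why the article's ACL-only configuration blocks SSH from router1 to router3.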

Limitations – Some of the limitations of the CBAC mechanism are: 

  1. CBAC is not simple to understand, i.e. it requires detailed knowledge of the protocols and operations we want to inspect. 
  2. The CBAC mechanism cannot inspect traffic originating from the router (on which CBAC is configured) itself. 
  3. No stateful table failover support. If one router fails, another redundant router can be used as a CBAC firewall, but the state table is not replicated, so it has to be rebuilt, causing some connections to be re-established. 
  4. It does not inspect encrypted packets, such as IPsec. 
