CBAC Caveats

As powerful as CBAC is for dynamic inspection and filtering, it has some limitations. You
should be aware of the following restrictions and caveats about how CBAC works:
■ CBAC is applied after any access list on the interface. If an inbound access list blocks a
particular type of traffic on an interface where CBAC inspects inbound traffic, that traffic is
denied before CBAC ever sees it, so no session is created for it.
■ CBAC cannot protect against attacks that originate inside your network, where most attacks
originate.
■ CBAC works only on protocols that you specify it should inspect, leaving all other filtering
to access lists and other filtering methods.
■ CBAC inspects only TCP- and UDP-transported traffic. It does not inspect any other protocol,
including ICMP.
■ CBAC does not inspect traffic destined to or originated from the firewall router itself, only
traffic that traverses the firewall router.
■ CBAC has restrictions on handling encrypted traffic. See the link in the “Further Reading”
section for more details.
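The following IOS configuration is an added example, not taken from the book, that shows the first four caveats in a working firewall router setup. Interface names, addresses (the 10.1.1.0/24 inside network and 192.0.2.0/24 outside network) and the inspection rule name FW are all constructed for the illustration.

```cisco
! Constructed example (not from the book). Inside = FastEthernet0/0 (10.1.1.0/24),
! outside = FastEthernet0/1 (192.0.2.0/24). Rule name FW is arbitrary.
!
! Caveat 3 and 4: CBAC inspects only the protocols named here (TCP and UDP).
! Anything else, ICMP included, is left entirely to the access lists.
ip inspect name FW tcp
ip inspect name FW udp
!
! Return traffic for inspected TCP/UDP sessions is admitted through temporary
! openings that CBAC adds ahead of this ACL. ICMP is never inspected, so the
! replies to pings and traceroutes started from the inside must be permitted
! explicitly or they are dropped and logged by the final deny.
ip access-list extended OUTSIDE_IN
 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
 permit icmp any 10.1.1.0 0.0.0.255 unreachable
 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
 deny   ip any any log
!
! Caveat 1: this inbound ACL is evaluated before CBAC on the same interface.
! Telnet (TCP/23) is denied here, so CBAC never sees those packets and never
! opens a return path for them; the deny is what the user experiences.
ip access-list extended INSIDE_IN
 deny   tcp 10.1.1.0 0.0.0.255 any eq 23
 permit ip 10.1.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 description inside
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip inspect FW in
!
interface FastEthernet0/1
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE_IN in
```

To confirm the behaviour, start a TCP or UDP connection from an inside host and check `show ip inspect sessions`: the session appears because TCP and UDP are inspected. A ping from the same host creates no inspect session; it succeeds only because of the explicit echo-reply permit in OUTSIDE_IN. A Telnet attempt from the inside produces no session either, since INSIDE_IN drops it before inspection. Note also that connections to the router's own addresses (caveat 5) never appear in the session table, because CBAC inspects only traffic that traverses the router.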