What are the drawbacks of CBAC?
“If you dont ask, you dont get” is the paradigm here. CBAC does not provide intelligent filtering for ALL protocols. It only works for the protocols that you SPECIFY, hence if a protocol is not specified, the ACL will determine its fate. CBAC is available only for IP protocol traffic. Only TCP and UDP packets are inspected. Other IP traffic, such as ICMP, cannot be inspected with CBAC and should be filtered with basic access lists instead. If you reconfigure your access lists when you configure CBAC, be aware that if your access lists block TFTP traffic into an interface, you will not be able to netboot over that interface. Packets with the firewall as the source or destination address are not inspected by CBAC. CBAC ignores ICMP Unreachable messages. To let specific ICMP traffic to enter, you need to configure the ACL to allow. H.323 V2 and RTSP protocol inspection supports only the following multimedia client-server applications: Cisco IP/TV, RealNetworks RealAudio G2 Player, Apple Q
