I have a 2811 Router running 12.4.19 with the IOS Firewall feature set. My question is whether to use the CBAC or Zone-based method of deployment. I have 12 VLANs (wired and wireless) off one FE interface that will need a minimum of three different security levels. In addition there two WAN interfaces (T1 primary and ISDN backup). The future plans include replacing the ISDN backup with an GRE IPSEC VPN off the second FE interface and also creating additional security levels within the wired and wireless VLANs.
I think you can configure CBAC. The Context-Based Access Control (CBAC) feature of the Cisco IOS Firewall Feature Set actively inspects the activity behind a firewall. CBAC specifies what traffic needs to be let in and what traffic needs to be let out by using access lists (in the same way that Cisco IOS uses access lists). However, CBAC access lists include ip inspect statements that allow the inspection of the protocol to make sure that it is not tampered with before the protocol goes to the systems behind the firewall.