| They operate in inline mode. | |
| They operate in promiscuous mode. | |
| They have no potential impact on the data segment being monitored. | |
| They are more vulnerable to evasion techniques than IDS. |
| Only one ACL per protocol, per direction, and per interface is allowed. | |
| Apply the ACL to the interface prior to configuring access control entries to ensure that controls are applied immediately upon configuration. | |
| An "implicit deny" is applied to the start of the ACL entry by default. | |
| ACLs filter all traffic through and sourced from the router. |
| Interface ACLs are applied before zone-based policy firewalls when they are applied outbound. | |
| When configured with the "PASS" action, stateful inspection is applied to all traffic passing between the configured zones. | |
| Policies are applied to traffic moving between zones, not between interfaces. | |
| The firewalls can be configured simultaneously on the same interface as classic CBAC using the ip inspect CLI command. |