Access control lists (ACLs) filter packets on Layer 3 and Layer 4 header fields: protocol, source and destination IP address, and source and destination port.
An ACL is stateless: each packet is evaluated on its own against the list, and the router keeps no record of the connection the packet belongs to. Return traffic therefore has to be permitted explicitly, and shortcuts such as the established keyword only test TCP flag bits, so they admit any packet with the ACK or RST flag set whether or not a session actually exists.
A stateful firewall tracks the state of each connection (for TCP, the handshake, sequence numbers and teardown) and can inspect Layer 4 to Layer 7 to check that the traffic on a port conforms to the protocol expected there. That lets it detect a non-HTTP application piggybacking on TCP port 80, and it can mitigate some denial-of-service attacks, for example by limiting half-open TCP sessions.
Cisco Zone-Based Firewall (ZBF, also called Zone-Based Policy Firewall) is the current integrated stateful firewall in IOS and IOS XE, succeeding the older interface-based CBAC (Context-Based Access Control). Because the inspection runs on the router, a branch site can get stateful filtering without a dedicated firewall appliance.
ZBF takes a flexible and straightforward approach: interfaces are grouped into security zones, and policy is written for traffic between zones rather than per interface.
Each router interface is assigned to exactly one security zone; a zone may hold a single interface or many, so the interface-to-zone relationship is one-to-one or many-to-one.
A zone marks a security border on the network. Traffic between two zones is governed by a zone-pair, which names a source zone and a destination zone and attaches an inspect policy that states what may pass in that direction.
Interfaces in the same zone can pass traffic to each other freely by default. Traffic between interfaces in different zones is dropped by default and is forwarded only when a zone-pair with a permitting policy exists for that direction; return traffic for inspected sessions is allowed back automatically. Two caveats: an interface that has not been placed in any zone cannot exchange traffic with interfaces that have, and traffic to and from the router itself belongs to the built-in self zone, which is permitted by default until a zone-pair involving self is configured.
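The contrast between a stateless ACL and a zone-based policy, as a worked IOS configuration. This is an added example written for this page, not configuration from the original text or from Cisco; the zone names INSIDE and OUTSIDE, the class-map and policy-map names, and the interfaces GigabitEthernet0/0 (LAN) and GigabitEthernet0/1 (WAN) are assumptions. Part 1 shows the ACL approach the text warns about; Part 2 replaces it with the equivalent ZBF policy.

```cisco
! --- Part 1: stateless ACL on the WAN interface (shown for contrast) ---
! Return traffic must be opened by hand. "established" only checks that the
! ACK or RST flag is set; it has no idea whether a session exists, so a
! crafted ACK segment from the Internet is permitted. The UDP line admits
! anything sent from source port 53, not just replies to our DNS queries.
ip access-list extended OUTSIDE-IN
 permit tcp any any established
 permit udp any eq 53 any
 deny ip any any log
!
interface GigabitEthernet0/1
 description WAN (assumed interface)
 ip access-group OUTSIDE-IN in
!
! --- Part 2: Zone-Based Firewall equivalent ---
! 1. Define the zones (names are assumptions).
zone security INSIDE
 description LAN users
zone security OUTSIDE
 description Internet
!
! 2. Classify the traffic INSIDE hosts are allowed to initiate.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 3. Policy: "inspect" creates a stateful session entry and lets the
!    return traffic back; anything not classified is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! 4. Zone-pair for the INSIDE -> OUTSIDE direction only. No OUTSIDE -> INSIDE
!    zone-pair exists, so unsolicited inbound traffic is dropped by default.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! 5. Place the interfaces in their zones. The Part 1 ACL is removed from
!    the WAN interface because the zone policy now does that job.
interface GigabitEthernet0/0
 description LAN (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed interface)
 no ip access-group OUTSIDE-IN in
 zone-member security OUTSIDE
!
! Verification:
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair IN-OUT sessions
```

Two things to check after applying this. First, an interface that is not yet a member of any zone will stop exchanging traffic with the zoned interfaces, so every forwarding interface needs a zone-member line. Second, the self zone is untouched here, so SSH or other connections to the router's own addresses are still accepted from OUTSIDE by default; add a zone-pair with source OUTSIDE and destination self and a restrictive inspect policy if the WAN side should not reach the router itself.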