Question on access-list

Answered Question
Jul 10th, 2010
User Badges:
  • Bronze, 100 points or more

Is a router a layer 3 or layer 4 device? If your answer is layer 3, then while applying an extended access list on a router interface, how is specifying a port number allowed, as that comes under layer 4 protocols?

example:

access-list 101 permit tcp any any eq ftp

access-list 102 permit tcp any any eq bgp


Summary: Does an extended access-list check IP packets in a stateful or stateless manner?


-m

Correct Answer
Richard Burts Sat, 07/10/2010 - 20:07
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

m


I do not understand what you are trying to accomplish in your post. Part of it seems to be about whether a router is a layer 3 or layer 4 device. The answer is that a router operates at both layer 3 and layer 4. It makes forwarding decisions based on layer 3 information (destination layer 3 address) and is also aware of layer 4 information (what transport protocol is used and what source and destination ports). So an extended access list is able to match on both source and destination IP address and also on transport protocol and protocol port.


You also seem to be asking whether an access list is stateful or stateless in nature. The best answer is that it depends somewhat on how the access list is being used. Most IOS access lists do not maintain state information and their examination of traffic is stateless. But access lists used in the context of CBAC or IOS firewall do operate in a more stateful manner.


HTH


Rick

minumathur Sat, 07/10/2010 - 22:56
User Badges:
  • Bronze, 100 points or more

Hi Rick


I am more interested in the stateful and stateless nature of access-lists, so when we configure an extended access-list such as "access-list 101 permit TCP any any eq ftp" on a router, should it be considered a stateless or a stateful access-list? Please clarify.


The reason I am confused is that source and destination work on layer 3 while "FTP" works at application layer 7.


Thanks

Minu

Correct Answer
Nagaraja Thanthry Sun, 07/11/2010 - 01:08
User Badges:
  • Cisco Employee,

Hello,


The access-lists on the routers are stateless. Even though the access-list operates on layer 4 information, it will not remember the traffic it has allowed/denied. So, if another packet belonging to the same stream comes in, the router has to again look at the access-list and see if that packet is allowed or not. In a stateless firewall, you need rules for both incoming and return traffic (if you are applying access-lists on both the outside and inside interface), whereas in a stateful firewall you just need one access-list allowing incoming requests. The firewall will dynamically open and allow return traffic.


Hope this helps.


Regards,


NT

Richard Burts Tue, 07/20/2010 - 06:46
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Minu


NT has provided a good answer about stateful/stateless and I would like to clarify a few things. If it were stateful the access list would remember things about previous packets (was there a successful three way handshake to initiate the TCP session, has there been a FIN or a RST to terminate the TCP session, etc). But the access list just looks at the current packet without any knowledge of other packets, so the access list is stateless.


Also, when you say "source and destination works on layer 3 while "FTP" works of application layer 7", that is not quite right. The source and destination addresses are certainly layer 3. But the FTP match is looking at the transport layer port numbers and is operating at the transport layer, not at the application layer.


HTH


Rick
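As an added illustration of NT's point about return traffic and Rick's point about the handshake and teardown (example code written for this page, not from the original thread or from IOS), the following constructed Python model applies the question's rule "access-list 101 permit tcp any any eq ftp" once statelessly and once with a CBAC-style session table. The hosts, ports and TCP flags are made up, and the single rule is checked in both directions as a stand-in for ACLs on both interfaces.

```python
# Constructed model of the thread's rule "access-list 101 permit tcp any any eq ftp",
# evaluated statelessly (plain IOS ACL) versus with CBAC-style stateful inspection.
# Simplification: the one rule is checked against packets in both directions, standing
# in for ACLs applied on both the inside and outside interfaces.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")
FTP = 21  # "eq ftp" resolves to TCP port 21, the FTP control channel

def stateless_acl(pkt):
    # 'any any' leaves only the destination port to match; implicit deny otherwise
    return pkt.dport == FTP

class StatefulInspector:
    """Remembers sessions opened by a permitted SYN, allows their return traffic
    without a second rule, and forgets them on FIN or RST."""
    def __init__(self, acl):
        self.acl = acl
        self.flows = set()

    def allow(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            if "F" in pkt.flags or "R" in pkt.flags:  # session teardown
                self.flows.discard(key)
                self.flows.discard(reverse)
            return True
        if self.acl(pkt) and pkt.flags == "S":  # a new session must begin with SYN
            self.flows.add(key)
            return True
        return False

# Constructed sample traffic: one client FTP session plus a stray mid-stream packet.
CONVERSATION = [
    Packet("10.0.0.5", 50000, "198.51.100.7", FTP, "S"),     # client SYN
    Packet("198.51.100.7", FTP, "10.0.0.5", 50000, "SA"),    # server SYN-ACK (return)
    Packet("10.0.0.5", 50000, "198.51.100.7", FTP, "A"),     # handshake completes
    Packet("10.0.0.5", 50000, "198.51.100.7", FTP, "FA"),    # client closes
    Packet("203.0.113.9", 40000, "198.51.100.7", FTP, "A"),  # no SYN was ever seen
]

def stateless_decisions():
    # return traffic (dport 50000) is dropped, the SYN-less stray is permitted
    return [stateless_acl(p) for p in CONVERSATION]

def stateful_decisions():
    # return traffic rides on the remembered session, the stray is dropped
    inspector = StatefulInspector(stateless_acl)
    return [inspector.allow(p) for p in CONVERSATION]
```

The stateless list drops the server's SYN-ACK, which is why a second rule (or an outbound ACL) is needed for return traffic, while the stateful inspector permits it but refuses the stray packet that never completed a handshake.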

Dipesh Patel Sat, 07/10/2010 - 20:52
User Badges:

Dear minumathur ,


A router is a device which uses Layer 3, 4, 5 functions; likewise a switch will also work with Layer 3 and Layer 4 functions, e.g. 3560/3750/4500/6500 switches. A switch is a Layer 2 device, but L3 routing configuration can also be done on a switch. The same way, a router can also.


Hope now it's clear.


Rate the helpful post.


Regards,
