Is a router a layer 3 or layer 4 device? If your answer is layer 3, then while applying an extended access list on a router interface, how is specifying a port number allowed, as it comes under layer 4 protocols?
access-list 101 permit tcp any any eq ftp
access-list 102 permit tcp any any eq bgp
Summary: Does an extended access-list check IP packets in a stateful or stateless manner?
The access-lists on the routers are stateless. Even though the access-list operates on layer 4 information, it will not remember the traffic it has allowed/denied. So, if another packet belonging to the same stream comes in, the router has to look at the access-list again and see if that packet is allowed or not. In a stateless firewall, you need rules for both incoming and return traffic (if you are applying access-lists on both the outside and inside interfaces), whereas in a stateful firewall, you just need one access-list allowing incoming requests. The firewall will dynamically open and allow return traffic.
Hope this helps.
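To make the stateless-versus-stateful distinction from the answer above concrete, here is an added toy simulator (not part of the thread or of IOS) that evaluates the two ACEs from the question against a request and its reply. The ACE grammar subset, the port-name table and the sample packets are constructed for the demonstration.

```python
# Added example, not part of the thread: a toy simulator contrasting a stateless
# extended ACL with a stateful firewall. ACE subset and packets are constructed.
PORT_NAMES = {"ftp": 21, "bgp": 179}  # IOS port keywords used by the thread's ACEs

def parse_ace(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' (any or exact host)."""
    p = line.split()
    rule = {"action": p[2], "proto": p[3], "src": p[4], "dst": p[5], "dport": None}
    if len(p) >= 8 and p[6] == "eq":
        rule["dport"] = PORT_NAMES[p[7]] if p[7] in PORT_NAMES else int(p[7])
    return rule

def ace_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and rule["src"] in ("any", pkt["src"])
            and rule["dst"] in ("any", pkt["dst"])
            and rule["dport"] in (None, pkt["dport"]))

def stateless_check(acl, pkt):
    """Every packet is evaluated top-down against the ACEs; implicit deny at the end."""
    for rule in acl:
        if ace_matches(rule, pkt):
            return rule["action"] == "permit"
    return False

class StatefulFirewall:  # permits a packet if the ACL allows it OR it belongs to a known flow
    def __init__(self, acl):
        self.acl, self.sessions = acl, set()

    def check(self, pkt):
        fwd = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if rev in self.sessions:          # return traffic of a known session
            return True
        if stateless_check(self.acl, pkt):
            self.sessions.add(fwd)        # remember the flow so replies are allowed
            return True
        return False

ACL = [parse_ace(l) for l in ["access-list 101 permit tcp any any eq ftp",
                              "access-list 101 permit tcp any any eq bgp"]]
REQUEST = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 21}
REPLY = {"proto": "tcp", "src": "192.0.2.10", "sport": 21, "dst": "10.0.0.5", "dport": 40001}

def demo():
    fw = StatefulFirewall(ACL)
    return {"stateless_request": stateless_check(ACL, REQUEST),  # True
            "stateless_reply": stateless_check(ACL, REPLY),      # False: no ACE for dport 40001
            "stateful_request": fw.check(REQUEST),               # True, session recorded
            "stateful_reply": fw.check(REPLY)}                   # True, matched reverse tuple
```

The stateless ACL drops the FTP reply because nothing matches destination port 40001, which is exactly why a second ACE (or, on real IOS, the `established` keyword for TCP) is needed for return traffic, while the stateful variant admits it from its session table.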
I do not understand what you are trying to accomplish in your post. Part of it seems to be about whether a router is a layer 3 or layer 4 device. The answer is that a router operates at both layer 3 and layer 4. It makes forwarding decisions based on layer 3 information (destination layer 3 address) and is also aware of layer 4 information (what transport protocol is used and what source and destination ports). So an extended access list is able to match on both source and destination IP address and also on transport protocol and protocol port.
You also seem to be asking whether an access list is stateful or stateless in nature. The best answer is that it depends somewhat on how the access list is being used. Most IOS access lists do not maintain state information and their examination of traffic is stateless. But access lists used in the context of CBAC or IOS firewall do operate in a more stateful manner.