08-01-2010 11:17 PM - edited 03-06-2019 12:16 PM
Hello
Do the ACLs in the Catalyst 3560 work like a stateful or stateless firewall in the latest software version?
08-02-2010 05:30 AM
AFAIK if you use a reflexive ACL then it is stateful; if you use the normal ACL then it would be stateless.
08-02-2010 08:12 AM
alexandrfedchenko wrote:
Hello
Do the ACLs in the Catalyst 3560 work like a stateful or stateless firewall in the latest software version?
Alexandr
Standard and extended ACLs on all devices are stateless, i.e. they check each packet in isolation. You can use the keyword "established" in an extended ACL for TCP connections to check the syn/ack in the packets, and you can use reflexive access-lists, which are a little more stateful, although I'm not sure the 3560 supports reflexive ACLs.
Jon
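Added example, not part of the original thread or of any Cisco code: a small Python model of the difference described in the reply above. It assumes the IOS behaviour that "established" matches any TCP segment with the ACK or RST bit set, and compares that per-packet test with a simplified connection tracker (no timeouts or sequence checks). All addresses and segments are constructed sample data.

```python
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def stateless_established(seg):
    """Model of 'permit tcp any any established': looks only at this packet's flags."""
    return bool(seg.flags & (ACK | RST))

class StatefulFilter:
    """Simplified tracker: inbound is allowed only as the reverse of a recorded outbound flow."""
    def __init__(self):
        self.flows = set()

    def outbound(self, seg):
        # Remember the 4-tuple of every flow opened from the inside
        self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))

    def inbound(self, seg):
        # Permit only if an inside host previously talked to this exact peer and port
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows

def compare(outbound, inbound):
    """Return (stateless_verdict, stateful_verdict) for each inbound segment."""
    fw = StatefulFilter()
    for seg in outbound:
        fw.outbound(seg)
    return [(stateless_established(s), fw.inbound(s)) for s in inbound]

# Constructed sample traffic (documentation address ranges)
OUTBOUND = [Segment("10.0.0.5", 40000, "198.51.100.7", 443, SYN)]
INBOUND = [
    Segment("198.51.100.7", 443, "10.0.0.5", 40000, SYN | ACK),  # genuine reply
    Segment("203.0.113.9", 443, "10.0.0.8", 22, ACK),            # ACK with no prior flow
    Segment("203.0.113.9", 443, "10.0.0.8", 22, SYN),            # new inbound connection
]

if __name__ == "__main__":
    for seg, (acl, fw) in zip(INBOUND, compare(OUTBOUND, INBOUND)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} acl={acl} stateful={fw}")
```

The second inbound segment is the case that separates the two: the flag test permits it although no inside host ever opened that flow, while the tracker drops it.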
08-02-2010 11:16 PM
I'm not sure the 3560 supports reflexive ACLs
No, it doesn't.
The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 34-1) or bridge-group ACLs
• IP accounting
• Inbound and outbound rate limiting (except with QoS ACLs)
• Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
• ACL logging for port ACLs and VLAN maps
Many thanks to all.