Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

stateful &statelees firewall

i m little confuse need your help.Stateful firewall in which state create whn packet comes from lower interface to higher interface it first check stateful if connection there packet allow if not pakect deny

stateless no connection table create

then which thing allow lower interface packet to come higher interface packet in stateless firewall?

which thing create connection table

is it access-list or global group policy?

Cisco Employee

Re: stateful &statelees firewall

Please check the details on stateless firewall working on this link under the heading "II. MATCHING AND MAINTAINING BI-DIRECTIONAL FLOW STATE: STATEFUL FIREWALL"

I hope this helps.

New Member

Re: stateful &statelees firewall


"Packet-filtering(stateless) firewalls validate packets based on protocol, source and/or destination IP addresses, source and/or destination port numbers, time range, Differentiate Services Code Point (DSCP), type of service (ToS), and various other parameters within the IP header. Packet filtering is generally accomplished using Access Control Lists (ACL) on routers or switches and are normally very fast, especially when performed in an Application Specific Integrated Circuit (ASIC). As traffic enters or exits an interface, ACLs are used to match selected criteria and either permit or deny individual packets."


Hall of Fame Super Blue

Re: stateful &statelees firewall


With a stateless firewall it is purely down to the access-list applied to the incoming interface, although to call it a firewall is stretching the point somewhat.

The important thing to remember is that if the device is stateless each individual packet is treated in isolation, ie it is not seen as part of a connection, it is simply seen as an individual packet with a src/dst IP, src/dst port etc. and it is checked in isolation against the acl.