Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Diff in using Router and Firewall for controlling Access

We can restrict access to a subnet/network in a router by using Access-Lists, similarly in a Firewall we use access-lists to control access,then what is the fun of using Firewalls or is there any specefic reason/advantage of using firewalls in a network.

Hall of Fame Super Blue

Re: Diff in using Router and Firewall for controlling Access

Hi Susheel

It depends on what you mean by using router access-lists. You can run a firewall feature set on your router called CBAC (Content based access control) but i'm assuming you are not referring to this but just normal access-lists.

The big difference between using an access-list on a router and a firewall is something called "state". A firewall keeps track of the state of the connection. Generally speaking an access-list does not.

An example might help

When you telnet to a server the following packets are sent - note this is just concerned with the TCP flags

From your client to server TCP - SYN

From server back to client TCP - SYN/ACK

From client back to server TCP - ACK

This is known as the three way handshake and is used to setup all TCP connections. Once this had been setup data can then be exchanged down the connection.

So a firewall

1) sees the SYN from the client. It records the client IP address, port number and TCP flag eg.



Port 2376


and the server IP address and port number



Port 23 (telnet port)

It then forwards the packet on to the server (assuming the traffic is allowed)

2) The server then responds and sends a packet with the following details



Port 23

TCP flags - SYN/ACK



Port 2376

When the firewall sees this packet it looks in it's state table and finds the original entry from the client. Because the IP addresses and port numbers match up and because the TCP flags are as expected it allows the server packet back through.

Now imagine that somebody is trying to get past your firewall from the server. This time your client has not tried to telnet to the server so the firewall has no record in it's state table.

The server sends exactly the same packet as before with the TCP flags as SYN/ACK. This time when the firewall looks in it's state table it cannot find a corresponding entry so it drops the packet.

This is a large part of what stateful firewalls do.

Normal router access-lists do not keep state so each packet is seen in isolation. So there is no cross referencing with packets that have already gone through the router.

Hope this makes sense


Re: Diff in using Router and Firewall for controlling Access

There are many differences.

Router is a device dedicated for runing routing processes, managing neighbors & routing tables, & taking care of pkt forwarding decisions. Routers cpu & memory are supposed to be used efficiently for these processes. Though routers can support a part of packet filtering in terms of acl's & Natting, but not as efficient as firewalls do. Large No. of acl's on a router may consume a part of routers cpu thus compromising on the routing decisions.

On the other hand, firewalls provide stateful filtering of packets. they maintain a stateful table for all entries on the firewalls. They are also capable of Natting. In fact, firewalls resources are dedicated to these processes. Other than just packet filtering firewalls also support DMZ's, VPN support for client to site & site to site.

Thats why the 2 devices are separately used as dedicated routing & security devices.

hope that helps.

pls rate all helpful posts.


Re: Diff in using Router and Firewall for controlling Access

Also, firewall might have functions implemented in hardware, resulting in much higher performance.

Modern firewall is device built for:

- Statefull traffic analysis (see TCP example above)

- Fast NAT (hardware) of many many concurrent sessions

- VPN concentration

- Application inspection (check if application complies with RFC, so hackers could not hide as DNS or HTTP traffic)

and many others.

Just check out the comparison table of modern firewall:

Router on another hand is generic device, has PowerPC, Intel, Texas Instruments, etc. controllers, and run a software, the IOS, that has many functions. It is a SOFTWARE platform, an hence is flexible but slow.

Hope this helps