Cisco Support Community
Bronze

Question on access-list

Is a router a layer 3 or a layer 4 device? If your answer is layer 3, then when applying an extended access list on a router interface, how is specifying a port number allowed, since that comes under the layer 4 protocols?

example:

access-list 101 permit tcp any any eq ftp

access-list 102 permit tcp any any eq bgp

Summary: Does an extended access-list check IP packets in a stateful or a stateless manner?

-m

2 ACCEPTED SOLUTIONS (Rick's and NT's replies below)

5 REPLIES
Hall of Fame Super Silver

Re: Question on access-list

m

I do not understand what you are trying to accomplish in your post. Part of it seems to be about whether a router is a layer 3 or layer 4 device. The answer is that a router operates at both layer 3 and layer 4. It makes forwarding decisions based on layer 3 information (destination layer 3 address) and is also aware of layer 4 information (what transport protocol is used and what source and destination ports). So an extended access list is able to match on both source and destination IP address and also on transport protocol and protocol port.

You also seem to be asking whether an access list is stateful or stateless in nature. The best answer is that it depends somewhat on how the access list is being used. Most IOS access lists do not maintain state information and their examination of traffic is stateless. But access lists used in the context of CBAC or IOS firewall do operate in a more stateful manner.

HTH

Rick

Bronze

Re: Question on access-list

Hi Rick

I am more interested in the stateful and stateless nature of access-lists, so when we configure an extended access-list such as "access-list 101 permit TCP any any eq ftp" on a router, in that case should it be considered a stateless or a stateful access-list? Please clarify.

The reason I am confused is that source and destination work on layer 3, while "FTP" works at application layer 7.

Thanks

Minu

Cisco Employee

Re: Question on access-list

Hello,

The access-lists on the routers are stateless. Even though the access-list operates on layer 4 information, it will not remember the traffic it has allowed/denied. So, if another packet belonging to the same stream comes in, the router has to look at the access-list again and see if that packet is allowed or not. In a stateless firewall, you need rules for both incoming and return traffic (if you are applying access-lists on both the outside and inside interfaces), whereas in a stateful firewall, you just need one access-list allowing incoming requests. The firewall will dynamically open and allow return traffic.

Hope this helps.

Regards,

NT

Hall of Fame Super Silver

Re: Question on access-list

Minu

NT has provided a good answer about stateful/stateless, and I would like to clarify a few things. If it were stateful, the access list would remember things about previous packets (was there a successful three-way handshake to initiate the TCP session, has there been a FIN or a RST to terminate the TCP session, etc.). But the access list just looks at the current packet without any knowledge of other packets, so the access list is stateless.

Also, when you say "source and destination works on layer 3 while "FTP" works of application layer 7", that is not quite right. The source and destination addresses are certainly layer 3. But "FTP" here is looking at the transport layer port numbers and is operating at the transport layer, not at the application layer.

HTH

Rick
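The stateless/stateful distinction that NT and Rick describe above, as an added example that is not part of the original thread: a small Python model of a stateless extended ACL evaluator (each packet judged on its own, implicit deny at the end), the classic stateless workaround of a second entry with the IOS `established` keyword (matches any TCP segment with ACK or RST set), and a minimal stateful filter that records the permitted session in a connection table and admits return traffic from that table. The addresses, ports and packets are constructed for the example, and for brevity one rule set is checked against both directions of traffic, which simplifies how IOS applies an ACL per interface and per direction.

```python
"""Stateless ACL vs stateful filter, modelled on the thread's discussion.

Constructed example: a client behind the router opens an FTP control
connection (TCP port 21, the port the 'eq ftp' keyword matches) to an
outside server, and the server's SYN-ACK comes back.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class AclEntry:
    """One line of an extended access-list: matches L3 addresses and L4 port."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any transport)
    src: str                         # address or "any"
    dst: str
    dport: Optional[int] = None      # None = no 'eq' clause, any port
    established: bool = False        # IOS 'established': ACK or RST bit set

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


class StatelessAcl:
    """Top-down match on the current packet only; nothing is remembered."""
    def __init__(self, entries: List[AclEntry]):
        self.entries = list(entries)

    def check(self, p: Packet) -> bool:
        for e in self.entries:
            if e.matches(p):
                return e.action == "permit"
        return False                 # implicit deny at the end of every ACL


class StatefulFilter:
    """Same entries decide only whether a NEW session may start; a connection
    table keyed on the 5-tuple then admits later packets in either direction.
    Simplified: for TCP only a bare SYN may open a session, and a FIN or RST
    in either direction removes it."""
    def __init__(self, entries: List[AclEntry]):
        self.acl = StatelessAcl(entries)
        self.table = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> bool:
        k, rk = self._key(p), self._reverse_key(p)
        if k in self.table or rk in self.table:
            if p.flags & {"FIN", "RST"}:
                self.table.discard(k)
                self.table.discard(rk)
            return True              # known session: allowed without consulting the ACL
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return False             # mid-stream TCP with no session state is dropped
        if self.acl.check(p):
            self.table.add(k)        # permitted first packet creates the state
            return True
        return False


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"          # constructed addresses
OUTBOUND_SYN = Packet("tcp", CLIENT, 40000, SERVER, 21, frozenset({"SYN"}))
RETURN_SYNACK = Packet("tcp", SERVER, 21, CLIENT, 40000, frozenset({"SYN", "ACK"}))
STRAY_ACK = Packet("tcp", SERVER, 21, CLIENT, 40001, frozenset({"ACK"}))  # no session

# Model of "access-list 101 permit tcp any any eq ftp"
FTP_ACL = [AclEntry("permit", "tcp", "any", "any", dport=21)]


def stateless_demo() -> dict:
    """The single permit line lets the request out but not the reply back."""
    acl = StatelessAcl(FTP_ACL)
    return {"client_syn": acl.check(OUTBOUND_SYN),       # True: dst port 21
            "server_synack": acl.check(RETURN_SYNACK)}   # False: dst port 40000


def stateless_with_established_demo() -> dict:
    """Adding 'permit tcp any any established' admits replies, but equally any
    unrelated segment that merely has ACK set: still no knowledge of sessions."""
    acl = StatelessAcl(FTP_ACL + [AclEntry("permit", "tcp", "any", "any", established=True)])
    return {"server_synack": acl.check(RETURN_SYNACK),   # True
            "stray_ack": acl.check(STRAY_ACK)}           # True as well


def stateful_demo() -> dict:
    """One permit for the request; the return traffic is opened dynamically."""
    fw = StatefulFilter(FTP_ACL)
    return {"client_syn": fw.check(OUTBOUND_SYN),        # True, creates table entry
            "server_synack": fw.check(RETURN_SYNACK),    # True, via the table
            "stray_ack": fw.check(STRAY_ACK)}            # False, no matching session
```

The third demo is the behaviour NT attributes to a stateful firewall: the SYN-ACK is admitted because of the session created by the outbound SYN, while the stray ACK on a different port is dropped even though an `established` entry would have let it through.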

New Member

Re: Question on access-list

Dear minumathur,

A router is a device which uses Layer 3, 4, 5 functions; likewise a switch will also work with Layer 3 and Layer 4 functions, e.g. 3560/3750/4500/6500 switches. A switch is a Layer 2 device, but L3 configuration (routing) can also be done on a switch. The same way, a router can also.

Hope now it's clear.

Rate the helpful post.

Regards,
