Access list implementation for layer 4

iamtheone12345

Hi Guys,

I have a question. We all know the OSI model has 7 layers:

Application
Presentation
Session
Transport
Network
Data link
Physical

The transport layer PDU is called a segment. When a host sends data, the first 3 layers send the data down to the transport layer.

The transport layer adds a segment header to the data and sends the segment to the network layer. The network layer encapsulates the segment header and data with an IP header and passes the packet to the data link layer. The data link layer encapsulates the IP header with a frame header and trailer and passes the frame to the physical layer. The physical layer transmits the frame in the form of bits on the wire. We know the port information is actually in the transport layer segment header.

When a router on the network receives this frame, it rips off the frame header and inspects the IP packet to see the source and destination IP address.

My question is: suppose the router has an access list (inbound) to block IP packets from source IP x.x.x.x any port to destination IP x.x.x.x port 80. Since it doesn't have visibility into the transport layer, which has the port info, how does the router decide to filter the packet even though the IP packet doesn't have port information? The IP packet encapsulates the segment header?

Maybe my concept of the OSI model isn't clear. Anybody is welcome to teach me.

Thanks guys

Accepted Solution

There are two different things. The first is how the packet is "transported" from the ingress-interface to the egress-interface. That is done by looking at the information in layer 2 if the device is a "normal" switch, and by looking at the information at layer 3 if the device is a router (or layer 3 switch, which is also a router).

But just because the routing is done with the information of layer 3, it doesn't mean that the device couldn't do more. So if you have an ACL, the router also looks for the information at layer 4. But that is normally not used for routing. The router can also look at the information at the application-layer for some protocols. That is commonly used for the firewall-feature of the router.

And also an L2-switch like the 2960 can not only forward the frames based on MAC-addresses. For more control over the communication the switch can also filter on L3 and L4 and also inspect some protocols on L7 (like DHCP). But the forwarding (switching) is still based on the L2-information.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
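The encapsulation walk from the question and the ACL lookup from the answer above, as an added example that is not part of this thread: it strips the Ethernet header, uses the IP header's IHL and protocol fields to find the segment header that follows, reads the ports from there, and then matches a small ACL with the usual implicit deny. The addresses, MACs, ports and ACL entries are constructed for the example; the non-initial-fragment case (no L4 header present) is handled as a caveat.

```python
import socket
import struct

# Constructed sample: Ethernet II + IPv4 + TCP headers only (no payload).
# MACs, addresses and ports are made up for this example.
def build_frame(src_ip, dst_ip, src_port, dst_port, frag_offset=0):
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag_offset & 0x1FFF,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Walk the encapsulation the way a router does: L2 -> L3 -> L4 headers."""
    # L2: strip the 14-byte Ethernet header; EtherType says an IPv4 packet follows.
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4, nothing for an IP ACL to match
    pkt = frame[14:]
    # L3: IHL gives the IP header length, so the router knows where the segment starts.
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    fields = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
              "proto": proto, "sport": None, "dport": None}
    # L4: for TCP (6) and UDP (17) the ports are the first two fields of the segment
    # header, right after the IP header. A non-initial fragment carries no L4 header,
    # so there are no ports to inspect in that packet.
    if proto in (6, 17) and frag_offset == 0:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields

# ACL entries: (action, src, sport, dst, dport); None is a wildcard ("any").
ACL = [
    ("deny", "10.0.0.5", None, "192.0.2.10", 80),
    ("permit", None, None, None, None),
]

def acl_action(acl, fields):
    """First matching entry wins; falling off the end is the implicit deny."""
    if fields is None:
        return "deny"
    for action, src, sport, dst, dport in acl:
        if src is not None and src != fields["src"]:
            continue
        if dst is not None and dst != fields["dst"]:
            continue
        if sport is not None and sport != fields["sport"]:
            continue
        if dport is not None and dport != fields["dport"]:
            continue
        return action
    return "deny"
```

Running `acl_action(ACL, parse_frame(build_frame("10.0.0.5", "192.0.2.10", 40000, 80)))` returns "deny" because the router found port 80 inside the segment header that the IP packet carries.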


3 Replies

Hi Karsten,

Thank you for taking your time to explain the answer. Your answer seems to be logical and makes sense. What I am surprised by is that the Cisco documentation on switches and routers is very misleading. They claim that a switch is a layer 2 device and a router is a layer 3 device. Clearly that's just their normal operation. They could certainly do more!!!!!!

Thank you again.

Regards,

Arjun Das

Well, the documentation is right in that, because the main purpose of a switch or a router is to forward traffic. And that is done on layer 2 or 3. The rest is just an "add-on".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni