08-01-2010 11:17 PM - edited 03-06-2019 12:16 PM
Hello
Do the ACLs in the Catalyst 3560 work like a stateful or a stateless firewall in the latest software version?
08-02-2010 08:12 AM
alexandrfedchenko wrote:
Hello
Do the ACLs in the Catalyst 3560 work like a stateful or a stateless firewall in the latest software version?
Alexandr
Standard and extended ACLs on all devices are stateless, i.e. they check each packet in isolation. You can use the keyword "established" in an extended ACL for TCP connections to check the syn/ack in the packets, and you can use reflexive access-lists, which are a little more stateful, although I'm not sure the 3560 supports reflexive ACLs.
Jon
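An added example, not part of the original posts: a simplified Python model of the three behaviours discussed in this thread (a plain extended ACL entry, an entry with `established`, and a reflexive-style session table), run over the same inbound packets. The packets, the documentation addresses and the "source port 80" rule are constructed assumptions; the `established` check is modelled as "ACK or RST bit set", which is how IOS evaluates that keyword.

```python
# Added illustration: constructed packets, simplified matching (not Cisco code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})

def stateless_permit(pkt, allowed_sport=80):
    """Plain extended ACL entry: header fields only, no flag or session check."""
    return pkt.sport == allowed_sport

def established_permit(pkt, allowed_sport=80):
    """Entry with 'established': same header match plus ACK or RST bit set."""
    return pkt.sport == allowed_sport and bool(pkt.flags & {"ACK", "RST"})

class SessionFilter:
    """Reflexive-style filter: return traffic must mirror a recorded outbound flow."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        # Store the 4-tuple as the reply will carry it (source/destination swapped).
        self.sessions.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound_permit(self, pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions

def evaluate(inbound_packets, outbound_packets):
    """Return {label: (stateless, established, session)} verdicts for inbound packets."""
    sf = SessionFilter()
    for p in outbound_packets:
        sf.outbound(p)
    return {label: (stateless_permit(p), established_permit(p), sf.inbound_permit(p))
            for label, p in inbound_packets.items()}

# Constructed sample traffic (documentation address ranges).
OUT = [Pkt("192.0.2.10", 40000, "198.51.100.5", 80, frozenset({"SYN"}))]
IN = {
    "reply_synack": Pkt("198.51.100.5", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"})),
    "new_syn": Pkt("198.51.100.5", 80, "192.0.2.10", 22, frozenset({"SYN"})),
    "unsolicited_ack": Pkt("198.51.100.5", 80, "192.0.2.10", 22, frozenset({"ACK"})),
}

if __name__ == "__main__":
    for label, v in evaluate(IN, OUT).items():
        print(f"{label:16} stateless={v[0]} established={v[1]} session={v[2]}")
```

Only the session table ties the inbound packet to an earlier outbound flow; the `established` entry decides on the flags of each packet alone, which is why it still counts as stateless filtering.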
08-02-2010 05:30 AM
AFAIK if you use a reflexive ACL then it is stateful; if you use a normal ACL then it would be stateless.
08-02-2010 11:16 PM
I'm not sure the 3560 supports reflexive ACLs
No, it doesn't.
The switch does not support these Cisco IOS router ACL-related features:
• Non-IP protocol ACLs (see Table 34-1) or bridge-group ACLs
• IP accounting
• Inbound and outbound rate limiting (except with QoS ACLs)
• Reflexive ACLs or dynamic ACLs (except for some specialized dynamic ACLs used by the switch clustering feature)
• ACL logging for port ACLs and VLAN maps
Many thanks to all.