Traffic filters enable you to control whether router traffic is forwarded or blocked at the routers interfaces. You should use traffic filters to provide a basic level of security for accessing your network. If you do not configure traffic filters on your router, all traffic passing through the router could be allowed onto all parts of your network.
By setting up traffic filters at your router, you can control which traffic enters or leaves your network. Traffic filters are commonly used in firewalls. Typically, a router configured for traffic filtering is positioned between your internal network and an external network such as the Internet. Using traffic filtering routers enables you to control what traffic is allowed onto your internal network. By combining the routers filtering capabilities with that of a firewall, you can increase the security found in your network.
Traffic filtering services on Cisco devices are provided by access lists (also called filters). Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol. This section will cover the following topics:
The first section describes standard static access lists, which are the most commonly used type of access lists. Static access lists should be used with each routed protocol that you have configured for router interfaces. Lock-and-key security, available only for IP traffic, provides additional security functions.
Access lists can be used for many purposes. For example, access lists can be used to:
Access lists can be used for these and other purposes. However, not all uses are recommended as specific security measures. Only the first listed use, controlling packet transmission, is recommended as a valid security measure. The following sections describe how to use access lists to control packet transmission.
Configuring Access Lists for Specific Protocols
To control packet transmission for a given protocol, you must configure an access list for that protocol. Table 10-1 identifies the protocols for which you can configure access lists.
You must identify every access list by either a name or a number. You assign this name or number to each access list when you define the access list. Access lists of certain protocols must be identified by names, and access lists of other protocols must be identified by numbers. Some protocols can be identified by either names or numbers. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.
Table 10-1 lists protocols that use access lists specified by numbers, and also includes the range of access list numbers that is valid for each protocol. Entries in italics indicate protocols for which you have the option of identifying access lists by names.
Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general, most protocols require at least two steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface.
Creating Access Lists
Access list definitions provide a set of criteria that are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether or not the packet matches the access list criteria.
Typical criteria defined in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.
For a given access list, you define each criteria in separate access list statements. These statements specify whether to block or forward packets that match the criteria listed. An access list, then, is the sum of individual statements that all share the same identifying name or number.
The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked.