
Configuring Traffic Filters

This chapter describes how to use traffic filters at your router to control network access.

Traffic filters allow you to control whether traffic passing through the router is forwarded or blocked at the router's interfaces. You should use traffic filters to provide a basic level of security for accessing your network. If you do not configure traffic filters on your router, all traffic passing through the router could be allowed onto all parts of your network.

By setting up traffic filters at your router, you can control which traffic enters or leaves your network. Traffic filters are commonly used in "firewalls." Typically, a router configured for traffic filtering is positioned between your internal network and an external network such as the Internet. Using traffic filtering routers allows you to control what traffic is allowed onto your internal network.

Traffic filtering services on Cisco devices are provided by access lists (also called "filters"). Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol.

This chapter includes the following two sections:

The first section describes standard, static access lists, which are the most commonly used type of access lists. Static access lists should be used with each routed protocol that you have configured for router interfaces.

Lock-and-Key Security, available only for IP traffic, provides additional security functions.

Access Lists

Access lists can be used for many purposes. For example, access lists can be used to:

Access lists can be used for these and other purposes. However, not all uses are recommended as specific security measures. Only the first listed use, controlling packet transmission, is recommended as a valid security measure. The following sections describe how to use access lists to control packet transmission.

Configuring Access Lists for Specific Protocols

To control packet transmission for a given protocol, you must configure access lists for that protocol.

Table 7 and Table 8 identify the protocols for which you can configure access lists.

You should consider configuring access lists for each protocol that you have configured for an interface.

You must identify all access lists by either a name or a number. You assign this name or number to each access list when you define the access list. Access lists of certain protocols must be identified by a name, and access lists of other protocols must be identified by a number. Some protocols can be identified by either a name or a number. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

Table 7 lists protocols that use access lists specified by names.


Table 7: Protocols with Access Lists Specified by Names

    Protocol
    -----------------------------
    Apollo Domain
    IP
    Extended IP
    ISO CLNS
    Source-route bridging NetBIOS
    NetBIOS IPX

Table 8 lists protocols that use access lists specified by numbers, and also includes the range of access list numbers that is valid for each protocol.


Table 8: Protocols with Access Lists Specified by Numbers

    Protocol                                Range
    --------------------------------------  ------------
    IP                                      1 to 99
    Extended IP                             100 to 199
    Ethernet type code                      200 to 299
    Ethernet address                        700 to 799
    Transparent bridging (protocol type)    200 to 299
    Transparent bridging (vendor code)      700 to 799
    Extended transparent bridging           1100 to 1199
    DECnet and extended DECnet              300 to 399
    XNS                                     400 to 499
    Extended XNS                            500 to 599
    AppleTalk                               600 to 699
    Source-route bridging (protocol type)   200 to 299
    Source-route bridging (vendor code)     700 to 799
    IPX                                     800 to 899
    Extended IPX                            900 to 999
    IPX SAP                                 1000 to 1099
    Standard VINES                          1 to 100
    Extended VINES                          101 to 200
    Simple VINES                            201 to 300

Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general most protocols require at least two steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface. (Note that some protocols refer to access lists as "filters," and some protocols refer to the act of applying the access lists to interfaces as "filtering.")

Creating Access Lists (Overview)

Access list definitions provide a set of criteria which are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether or not the packet matches the access list criteria.

Typical criteria defined in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a given access list, you define each criterion in a separate access list statement. Each statement specifies whether to block or forward packets that match the criteria it lists. An access list, then, is the sum of the individual statements that all share the same identifying name or number.

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also, you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked.

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked.
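The three rules just described (statements tested in the order written, first match wins, implicit deny-all at the end) and the "permit everything early" ordering pitfall, worked through in code. This is an added example written for this page in Python; it is not IOS or Cisco code. The parser handles only the subset of the extended IP access-list syntax used in this chapter (any, host, address plus wildcard mask, eq port), the helper names are hypothetical, and the four-statement access list it reads is constructed for the example.

```python
"""Toy evaluator for an IOS-style extended IP access list (added example, not
Cisco code). It models three rules from the text: statements are tested in the
order written, the first match decides, and a packet matching nothing hits the
implicit "deny all" at the end. The access list below is constructed."""
import ipaddress
from typing import List, Optional, Tuple

ANY = 0xFFFFFFFF

# Constructed access list. The last statement can never match: the third
# statement already permits all IP traffic, so it is tested first and wins.
ACL_TEXT = """
access-list 101 permit tcp any host 172.18.21.1 eq 23
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 deny tcp any any eq 23
"""


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str]) -> Tuple[int, int, List[str]]:
    """Consume one address spec ('any', 'host A', or 'A wildcard').
    Returns (address, wildcard mask) as ints plus the unconsumed tokens."""
    if tokens[0] == "any":
        return 0, ANY, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[dict]:
    """Parse 'access-list N {permit|deny} proto src dst [eq port]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue  # blank lines or other commands
        src, src_wc, rest = _parse_addr(t[4:])
        dst, dst_wc, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append({"line": line, "action": t[2], "proto": t[3],
                        "src": src, "src_wc": src_wc,
                        "dst": dst, "dst_wc": dst_wc, "port": port})
    return entries


def _wc_match(addr: int, spec: int, wildcard: int) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~wildcard & ANY
    return (addr & care) == (spec & care)


def evaluate(entries: List[dict], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Return (decision, statement that matched). First match wins;
    no match returns ('deny', None) for the implicit deny-all."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (_wc_match(s, e["src"], e["src_wc"])
                and _wc_match(d, e["dst"], e["dst_wc"])):
            continue
        if e["port"] is not None and e["port"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", None


def unreachable(entries: List[dict]) -> List[str]:
    """Statements written after one that matches every IP packet; the router
    never tests them (the ordering pitfall described in the text)."""
    for i, e in enumerate(entries):
        if (e["proto"] == "ip" and e["src_wc"] == ANY
                and e["dst_wc"] == ANY and e["port"] is None):
            return [x["line"] for x in entries[i + 1:]]
    return []


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    print(evaluate(acl, "10.1.2.3", "172.18.21.1", "tcp", 23))  # permit, statement 1
    print(evaluate(acl, "10.1.2.3", "192.0.2.5", "tcp", 80))    # deny, statement 2
    print(evaluate(acl, "192.0.2.9", "192.0.2.5", "tcp", 23))   # permit, statement 3
    print(unreachable(acl))                                      # [statement 4]
```

The Telnet packet from 10.1.2.3 is permitted even though the second statement denies the whole 10.0.0.0/8 network: the first statement matched first, and nothing after a match is consulted. Running unreachable on an access list before loading it is a cheap way to catch the "permit any any" mistake the text warns about.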

Creating Access List Statements on a tftp Server

Because the order of access list statements is important, and because you cannot reorder or delete individual statements, we recommend that you create all access list statements in a text file on a TFTP server, and then download the entire access list to your router.

To do this, create the access list statements using any text editor, and save the file in ASCII format on a TFTP server that is accessible from your router. Then, from the router, use the copy tftp running-config command (it prompts for the server address and the filename) to load the access list into the running configuration. Finally, enter the copy running-config startup-config command to save the access list to the router's NVRAM.

Then, if you ever want to make changes to an access list, make them in the text file on the TFTP server and copy the edited file to your router as before. The first command in an edited file should delete the previous version of the access list (for example, a no access-list access-list-number command at the beginning of the file). If you do not delete the previous version first, copying the edited file to your router merely appends the new statements to the end of the existing access list, and because the first matching statement wins, the appended statements may never be reached.

Applying Access Lists to Interfaces (Overview)

You can apply only one access list to an interface for a given protocol.

With most protocols, you can apply access lists to interfaces as either inbound or outbound. If the access list is inbound, when the router receives a packet the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.


Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.

Finding Protocol-Specific Information about Access Lists

The guidelines discussed previously apply in general to all protocols. However, the specific guidelines for creating access lists and applying them to interfaces vary from protocol to protocol. See the appropriate protocol-specific chapters in the Cisco IOS configuration guides and command references for detailed task information on each protocol-specific access list.

Lock-and-Key Security (Dynamic Access Lists)

To authorize remote access to local services, a common security solution is to create access lists, as discussed previously. Standard and static extended access lists have the following limitations:

An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.

Caution Enhancements to the access-list command are backward compatible; migrating from releases prior to Cisco IOS Release 11.1 converts your access lists automatically. However, releases prior to Cisco IOS Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Cisco IOS Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration files before booting these images.

Note In Cisco IOS Release 11.1 software, lock-and-key access is dependent on Telnet. Standard Telnet is the required application on the host platform that activates the authentication process.

Implementation Considerations of Lock-and-Key Access

Caution Lock-and-key access allows an external event (a successful Telnet login) to place an opening in the firewall. While this opening exists, the router is susceptible to source address spoofing: any packet whose source address matches the temporary entry is forwarded, whether or not it really comes from the authenticated host. To prevent this, you need to provide IP encryption with authentication, so that packets claiming the permitted source address can be verified. This issue is discussed further in this section. Spoofing is a problem with all existing access lists; lock-and-key access does not address this problem.

Because lock-and-key access introduces a potential pathway through your network firewall, you need to evaluate the following serious considerations:

Two examples of when you might use lock-and-key access are as follows:

The following process describes the lock-and-key access operation:

    1. A user opens a Telnet session to a border router configured for lock-and-key access.

    2. The Cisco IOS software receives the Telnet packet and performs a user authentication process. The user must pass authentication before access is allowed. The authentication process can be done by the router or by a central access server such as a TACACS+ or RADIUS server.


Note It is highly recommended that you use a TACACS+ server for the authentication query process. TACACS+ provides authentication, authorization, and accounting services, and a centralized security database.

    3. When the user passes authentication, the software creates a temporary entry in the dynamic access list. The temporary entry inherits the attributes of the main dynamic access list. You can limit the range of networks to which the user is given temporary access.

    4. The user exchanges data through the firewall and then logs out.

    5. The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The timeout can either be an Idle-timeout or an Absolute-timeout.


Note When the user terminates a session, the temporary access list entry remains until a configured timeout is reached or until it is cleared by the system administrator.
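The lifecycle described in steps 3 through 5 above, together with the difference between the absolute timeout on the dynamic template and the idle timeout on access-enable, and what the host keyword changes, as an added example written for this page in Python. It is not Cisco code: the class and function names are hypothetical, time is modelled as plain minutes, and the addresses and timeouts are constructed. It reuses the same wildcard-mask convention as the access-list example earlier in this chapter.

```python
"""Toy model of lock-and-key temporary entries (added example for this page,
not Cisco code). It models: a dynamic template statement with an optional
absolute timeout, a temporary entry created for an authenticated host by
'autocommand access-enable [host] [timeout minutes]' (that timeout is an idle
timeout), expiry of the entry, and 'clear access-template'.
Times are minutes as plain numbers; addresses and timeouts are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY = 0xFFFFFFFF


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wc_match(addr: int, spec: int, wildcard: int) -> bool:
    """IOS wildcard mask: a 1 bit is 'don't care'."""
    care = ~wildcard & ANY
    return (addr & care) == (spec & care)


@dataclass
class TempEntry:
    src: int
    src_wc: int
    created: float
    last_hit: float
    absolute_timeout: Optional[float]  # minutes, from the template's 'timeout'
    idle_timeout: Optional[float]      # minutes, from 'access-enable timeout'
    matches: int = 0                   # the hit count 'show access-lists' reports

    def expired(self, now: float) -> bool:
        if self.absolute_timeout is not None and now - self.created >= self.absolute_timeout:
            return True
        return self.idle_timeout is not None and now - self.last_hit >= self.idle_timeout


@dataclass
class DynamicAcl:
    """Models 'access-list N dynamic NAME [timeout M] permit ip SRC WC any'."""
    template_src: int
    template_src_wc: int
    template_timeout: Optional[float]
    entries: List[TempEntry] = field(default_factory=list)

    def access_enable(self, user_addr: str, now: float,
                      host: bool = False, timeout: Optional[float] = None) -> None:
        """Runs after a successful login. With 'host', the entry's source is the
        authenticating host only; without it, the template's source network."""
        src, wc = (_ip(user_addr), 0) if host else (self.template_src, self.template_src_wc)
        self.entries.append(TempEntry(src, wc, now, now, self.template_timeout, timeout))

    def permitted(self, src_addr: str, now: float) -> bool:
        """Packet check: timed-out entries are removed, a hit refreshes the idle timer."""
        self.entries = [e for e in self.entries if not e.expired(now)]
        for e in self.entries:
            if _wc_match(_ip(src_addr), e.src, e.src_wc):
                e.last_hit = now
                e.matches += 1
                return True
        return False

    def clear(self) -> None:
        """'clear access-template': the administrator removes the entries by hand."""
        self.entries.clear()


def scenario() -> dict:
    """Template as in this chapter's example: 'dynamic testlist timeout 5 permit ip any any'."""
    out = {}
    # Without 'host': the temporary entry keeps the template's source (any),
    # so every outside host is let in once a single user has logged in.
    wide = DynamicAcl(0, ANY, template_timeout=5)
    wide.access_enable("192.0.2.10", now=0)
    out["other_host_without_host_kw"] = wide.permitted("198.51.100.7", now=1)
    # With 'host' and a 2-minute idle timeout: only the authenticated host
    # passes, and 2 minutes of silence closes the entry.
    narrow = DynamicAcl(0, ANY, template_timeout=5)
    narrow.access_enable("192.0.2.10", now=0, host=True, timeout=2)
    out["other_host_with_host_kw"] = narrow.permitted("198.51.100.7", now=1)
    out["user_before_idle"] = narrow.permitted("192.0.2.10", now=1)
    out["user_after_idle"] = narrow.permitted("192.0.2.10", now=3.5)
    # Absolute timeout: traffic every minute keeps the idle timer fresh, but
    # the entry still dies 5 minutes after it was created.
    absolute = DynamicAcl(0, ANY, template_timeout=5)
    absolute.access_enable("192.0.2.10", now=0, host=True, timeout=2)
    out["user_at_4"] = all(absolute.permitted("192.0.2.10", now=t) for t in (1, 2, 3, 4))
    out["user_at_5"] = absolute.permitted("192.0.2.10", now=5)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The first scenario is the one the caution above is about: with a permit ip any any template and no host keyword, one user's login opens the interface to every source until the absolute timeout fires. The host keyword narrows the entry to the authenticating address, and the idle timeout closes it as soon as the user stops sending, so both belong on the access-enable line in practice.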

To configure lock-and-key access, perform the following tasks (Step 1 through Step 6) beginning in global configuration mode:

Step 1  Configure a dynamic access list, which serves as a template and placeholder for temporary access list entries. The optional timeout on the dynamic statement is an absolute timeout, in minutes, for each temporary entry created from it.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]   (1)

Step 2  Configure an interface.

    interface type number   (2)

Step 3  In interface configuration mode, apply the access list to the interface.

    ip access-group access-list-number [in | out]   (3)

Step 4  In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.

    line vty line-number [ending-line-number]   (4)

Step 5  Configure user authentication. The login and password commands are line configuration commands; username is a global configuration command.

    login tacacs

    or

    username name password password
    login local

    or

    password password
    login

Step 6  Enable the creation of temporary access list entries. With the host keyword, the source address of the temporary entry is replaced by the address of the host that authenticated; without it, the temporary entry keeps the source network and wildcard mask of the dynamic template, so every host in that network is permitted, not only the one that logged in. The timeout here is an idle timeout, in minutes.

    autocommand access-enable [host] [timeout minutes]

(1) This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.
(2) This command is documented in the "Interface Commands" chapter of the Configuration Fundamentals Command Reference.
(3) This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.
(4) This command is documented in the "Terminal Lines and Modem Commands" chapter of the Access Services Command Reference.

There are three possible methods to configure an authentication query process (see Step 5 in the previous task list). The login and password commands are entered on the VTY line; username is a global configuration command:

Router(config-line)# login tacacs

Router(config)# username name password password
Router(config-line)# login local

Router(config-line)# password password
Router(config-line)# login

For an example of lock-and-key access, see the section "Lock-and-Key Access Example" later in this chapter.

Follow these guidelines when you configure dynamic access lists:

When you create dynamic access lists, remember the following:

To manually clear or to display dynamic access lists, refer to the section "Monitor and Maintain Dynamic Access Lists" in this chapter.

User authentication is successful when the following router events occur:

You can verify that this operation is successful on the router by:

The following sample display illustrates what the end-user might see after successfully completing the authentication process. Notice that the connection was closed immediately after the password was entered and authenticated. The temporary access list entry has already been created, and the host that initiated the Telnet session has access inside the firewall.

Router% telnet corporate
Trying 172.21.52.1 ...
Connected to corporate.abc.com.
Escape character is `^]'.
User Access Verification
Password:Connection closed by foreign host.

For an example of lock-and-key access, see the "Lock-and-Key Access Example" at the end of this chapter.

Monitor and Maintain Dynamic Access Lists

To manually delete a temporary access list entry, perform the following task in privileged EXEC mode:

    Task:     Delete a dynamic access list.
    Command:  clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

You can display temporary access list entries when they are in use. After a temporary access list entry is cleared by you or by the absolute or idle timeout parameter, it can no longer be displayed. The number of matches displayed indicates the number of times the access list entry was hit.

To view dynamic access lists and any temporary access list entries that are currently established, perform the following task in privileged EXEC mode:

    Task:     Display dynamic access lists and temporary access list entries.
    Command:  show access-lists [access-list-number]   (1)

(1) This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.

Lock-and-Key Access Example

The following example shows how to configure lock-and-key access. Lock-and-key access is configured on the BRI0 interface. VTY lines 0 through 4 are defined with the password "cisco"; because an aaa authentication login default list is configured, logins on those lines are authenticated by TACACS+ (falling back to the enable password), and the line password is not consulted. The aaa commands require aaa new-model, which is not shown. The static entry in access list 102 permits Telnet to the router's own BRI0 address (172.18.21.1) so that a user can reach the login prompt; everything else arriving on BRI0 is denied until a temporary entry is created. Note that the dynamic template is permit ip any any and access-enable is used without the host keyword or an idle timeout, so one successful login opens the interface to all sources for the 5-minute absolute timeout; in practice, use autocommand access-enable host timeout minutes and a narrower template.

aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name diana
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
access-list 102 dynamic testlist timeout 5 permit ip any any
access-list 102 permit tcp any host 172.18.21.1 eq 23
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password cisco
line aux 0
line vty 0 4
 autocommand access-enable
 password cisco
!


Copyright 1989-1998 © Cisco Systems Inc.