Filter IP Packets

Packet filtering helps control packet movement through the network. Such control can help bound network traffic and limit network use by certain users or devices. To allow or reject packets from crossing specified router interfaces, we give access lists.

You can use access lists in several ways:

• To control the transmission of packets on an interface

• To control virtual terminal line access

• To restrict contents of routing updates

This section summarizes how to make access lists and how to apply them.

An access list is a sequential collection of permit and reject conditions that apply to IP addresses. The router tests addresses against the conditions in an access list one by one. The first match determines whether the router accepts or rejects the address. Because the router stops testing conditions after the first match, the order of the conditions is vital. If no conditions match, the router rejects the address.

The two steps involved in using access lists are as follows:

Step 1 Create an access list by specifying an access list number and access conditions.

Step 2 Apply the access list to interfaces or terminal lines.

These steps are described in the next sections.

Create Standard Access Lists

The software supports two types of access lists for IP:

• Standard IP access lists use source addresses for matching operations.

• Extended IP access lists use source and destination addresses for matching operations, as well as optional protocol type information for finer granularity of control.

After an access list is created initially, any succeeding additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

Keep in mind when making the standard and extended access list that by default, the end of the access list contains an inherent deny statement for everything if it did not find a match before reaching the end. Further, with standard access lists, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.

Apply an Access List to an Interface or Terminal Line

After an access list is created, you can apply it to one or more interfaces. Access lists can be applied on either outbound or inbound interfaces. The following two tables show how this task is accomplished for both terminal lines and network interfaces.

Independent switching is not used when you have extended access lists.

For inbound access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router continues to process the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.

For outbound access lists, after receiving and routing a packet to a controlled interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.

When you apply an access list (standard or extended) that has not yet been defined to an interface, the router will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of protection in your network.

Set identical restrictions on all the virtual terminal lines, because a user can attempt to connect to any of them.