Managing Cisco Network Security

Chapter 2: Traffic Filtering on the Cisco IOS

Introduction

Traffic filtering controls the type of traffic that can be forwarded to and from a network. This function enforces security policies at a specific point on a network, often between networks with different levels of security.

This chapter covers the different traffic filtering mechanisms available in Cisco IOS and Cisco Secure Integrated Software. In the simplest case, IP filtering consists of an access list that permits or denies traffic based on the source or destination IP address.

Often, however, basic traffic filtering is not sufficient to provide adequate security in a network. Modern security products provide more control over the traffic entering and exiting the network. To achieve that, the traffic must be inspected and the state of the connection must be kept. These advanced features require the router or firewall to understand the internal workings of the protocol it is trying to secure.
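The contrast drawn above between address-based filtering and keeping connection state, as an added example that is not from the book and does not represent how IOS implements either feature. It is a simplified Python model; the addresses, ports, rule format and the names `stateless_filter` and `StatefulFilter` are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

# Constructed addressing: 10.0.0.0/24 is the protected inside network.
INSIDE = ipaddress.ip_network("10.0.0.0/24")
# To let replies back in, an address-only inbound filter must permit any source.
INBOUND_RULES = [("permit", "0.0.0.0/0", "10.0.0.0/24")]

def stateless_filter(rules, pkt):
    """Address-only filter: first matching rule wins, no match means deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False

class StatefulFilter:
    """Permits inside-initiated flows and only the inbound replies that match them."""
    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if ipaddress.ip_address(pkt.src) in INSIDE:
            # Outbound packet: remember the flow so its reply can be recognised.
            self.connections.add(pkt)
            return True
        # Inbound packet: allowed only if it is the exact reverse of a known flow.
        return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def demo():
    """Run one reply and one unsolicited inbound packet through both filters."""
    outbound = Packet("10.0.0.5", 40000, "203.0.113.10", 443)
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000)
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 3389)
    fw = StatefulFilter()
    fw.check(outbound)  # the inside host opens the connection
    return {
        "stateless_reply": stateless_filter(INBOUND_RULES, reply),
        "stateless_unsolicited": stateless_filter(INBOUND_RULES, unsolicited),
        "stateful_reply": fw.check(reply),
        "stateful_unsolicited": fw.check(unsolicited),
    }

if __name__ == "__main__":
    print(demo())
```

The address-only rule set cannot tell the reply from the unsolicited packet, while the filter that keeps connection state admits only the reply.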

Access Lists

An important step toward security is the capability to control the flow of data within a network. One way to accomplish this is to use one of the many features of the Cisco Internetwork Operating System (IOS), known as an access list. The function of an access list depends on the context in which it is used. For instance, access lists can:

  • Control access to networks attached to a router or define a particular type of traffic that is allowed to pass to and from a network.
  • Limit the contents of routing updates that are advertised by various routing...
