Mission Critical Internet Security

Traffic filtering consists of controlling the type of traffic that can be forwarded to and from a network. This function is used to enforce security policies at a specific point on a network, often between networks with different levels of security.
This chapter will cover the different traffic filtering mechanisms available in Cisco Internetwork Operating System (IOS) and Cisco Secure Integrated Software. In the simplest case, IP filtering can consist of an access list that permits or denies traffic based on the source or destination IP address. Very often, basic traffic filtering does not provide adequate security for a network. Modern security products provide more control over the traffic entering and exiting the network. To achieve that, the traffic must be inspected and the state of each connection must be tracked. These advanced features require the router or firewall to understand the internal workings of the protocol it is trying to secure.
There are several types of access lists available in Cisco IOS: Standard, Extended, Lock and Key, and Named. Standard access lists support only a basic set of parameters: permit or deny, a source address, and a wildcard mask. Extended access lists expand upon the standard list by adding support for protocol, operator and port, and precedence, among others.
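The matching rules the two list types share can be made concrete with a small evaluator. The following Python model is an added example, not code from the book or from Cisco: it implements wildcard-mask matching (a 0 bit in the mask means the address bit must match, a 1 bit means "don't care"), first-match-wins ordering, and the implicit deny at the end of every IOS access list, for a constructed extended list numbered 101.

```python
"""Model of Cisco IOS access-list evaluation (constructed example, not IOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard masks are inverted netmasks: 0 = must match, 1 = don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    """One access-list entry. Standard lists use only action/src/src_wc;
    extended lists add protocol, destination and destination port."""
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # "ip" matches any IP protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"  # default: any destination
    dport: Optional[int] = None      # None: any destination port


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not wildcard_match(src, e.src, e.src_wc):
            continue
        if not wildcard_match(dst, e.dst, e.dst_wc):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action              # first match decides; later entries are not consulted
    return "deny"                    # implicit "deny any" at the end of every access list


# Constructed extended list 101 (hypothetical addresses):
#   access-list 101 deny   ip  host 10.1.1.13 any
#   access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 80
ACL_101 = [
    Entry("deny", "10.1.1.13", "0.0.0.0"),
    Entry("permit", "10.1.1.0", "0.0.0.255", "tcp", "192.0.2.10", "0.0.0.0", 80),
]
```

Entry order matters: placing the host deny after the subnet permit would never block that host, because the permit entry matches first.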
Lock and Key access lists (first seen in IOS version 11.1) are also referred to as Dynamic access lists. The basic operating premise is to dynamically allow traffic from authenticated sources. This type of...