Cisco Config Best Practices

Egress Filtering with Simple Access-lists by ewiley
Posted: 26 May 03

Egress filtering is often ignored, but it is important for the health of the Internet. Basically the idea is that you only allow packets that originate from IP addresses that you are assigned to exit your router. This prevents worms like Slammer and their ilk from spreading. It also helps to prevent your network from becoming a spoofed DDoS participant. Generally, your ISP is supposed to egress filter, but they don't always, and doing it yourself prevents your own bandwidth from getting saturated by worms and spoofed DDoS traffic.

The filter is very easy to setup and deploy. NOTE: Test on lab equipment first, and make changes to access-lists from a console, if possible, since applying the ACL to the interface you're connected through may disconnect your telnet session! The last thing you want is to accidentally replace a permit statement with deny, then not be able to correct it after you've applied the access-list! (I'm not going to be responsible if you shut down your production T1!)

Anyway, for this example, assume your assigned IP range is 10.1.1.0/24 and your Serial0/0 interface points to the Internet (your ISP) and has an IP address of 172.16.1.2.

access-list 10 permit 10.1.1.0 0.0.0.255
! implied deny at the end

interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 ip access-group 10 out

That's it! You might want to include your serial interface's IP address in the ACL if you want to be able to ping it from the outside.
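As an added illustration (not part of ewiley's post), the following Python script simulates how a Cisco standard ACL evaluates the sources leaving Serial0/0: it converts CIDR prefixes into the network/wildcard-mask form the ACL uses, applies first-match semantics with the implicit deny, and shows the effect of adding the serial interface's own address as a second permit line. The sample source addresses and the helper names are constructed for this example.

```python
"""Simulate Cisco standard-ACL evaluation for the egress filter above.

Constructed example: converts CIDR prefixes to the wildcard-mask form that
Cisco standard ACLs use, then evaluates sample source addresses against the
list with first-match and implicit-deny semantics.
"""
from __future__ import annotations

import ipaddress


def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """Return (network, wildcard) for a prefix; the wildcard is the inverted netmask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(ipaddress.ip_address(int(net.hostmask)))


def acl_line(number: int, action: str, cidr: str) -> str:
    """Render one 'access-list N permit|deny ...' line (host form for a /32)."""
    network, wildcard = cidr_to_wildcard(cidr)
    if wildcard == "0.0.0.0":
        return f"access-list {number} {action} host {network}"
    return f"access-list {number} {action} {network} {wildcard}"


def matches(src: str, network: str, wildcard: str) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'don't care' for that bit."""
    s, n, w = (int(ipaddress.ip_address(x)) for x in (src, network, wildcard))
    care = 0xFFFFFFFF ^ w
    return (s & care) == (n & care)


def evaluate(acl: list[tuple[str, str]], src: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, cidr in acl:
        network, wildcard = cidr_to_wildcard(cidr)
        if matches(src, network, wildcard):
            return action
    return "deny"


# Constructed ACLs: the post's single permit line, and a variant that also
# permits the Serial0/0 address so the interface can be pinged from outside.
EGRESS_ACL = [("permit", "10.1.1.0/24")]
EGRESS_ACL_WITH_SERIAL = EGRESS_ACL + [("permit", "172.16.1.2/32")]

# Constructed sample source addresses seen in packets leaving Serial0/0.
SAMPLE_SOURCES = ["10.1.1.37", "10.1.2.1", "172.16.1.2", "192.0.2.9"]


def egress_report(acl: list[tuple[str, str]]) -> dict[str, str]:
    """Map each sample source to the action the ACL takes on it."""
    return {src: evaluate(acl, src) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for action, cidr in EGRESS_ACL_WITH_SERIAL:
        print(acl_line(10, action, cidr))
    print(egress_report(EGRESS_ACL))
    print(egress_report(EGRESS_ACL_WITH_SERIAL))
```

Only 10.1.1.x sources pass the original list; the serial address and the spoofed 192.0.2.9 both hit the implicit deny until the second permit line is added.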

Caveat:
If you're running NAT from a separate firewall/gateway, you should not need to add your inside addresses to the list. The router should see the source as a translated global address. If you're running NAT on the router itself, you'd need to apply the ACL as outgoing on the outside interface (rather than incoming on an inside interface) or modify the ACL.

Egress filtering is appropriate for any router in your network. Be aware that it does not always scale very well, and it needs to be planned well so you don't accidentally block packets from multiple hops away. Egress filtering is most appropriate for, and should be applied at a minimum to, routers facing the Internet (i.e. your upstream ISP).