Configuring Traffic Filters

This chapter describes how to use traffic filters at your router to control network access.

Traffic filters allow you to control whether router traffic is forwarded or blocked at the router's interfaces. You should use traffic filters to provide a basic level of security for accessing your network. If you do not configure traffic filters on your router, all traffic passing through the router could be allowed onto all parts of your network.

By setting up traffic filters at your router, you can control which traffic enters or leaves your network. Traffic filters are commonly used in "firewalls." Typically, a router configured for traffic filtering is positioned between your internal network and an external network such as the Internet. Using traffic filtering routers allows you to control what traffic is allowed onto your internal network.

Traffic filtering services on Cisco devices are provided by access lists (also called "filters"). Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol.

This chapter includes the following two sections:

The first section describes standard, static access lists, which are the most commonly used type of access lists. Static access lists should be used with each routed protocol that you have configured for router interfaces.

Lock-and-Key Security, available only for IP traffic, provides additional security functions.

Access Lists

Access lists can be used for many purposes. For example, access lists can be used to:

Control the transmission of packets on an interface
Control virtual terminal line access
Restrict contents of routing updates

Access lists can be used for these and other purposes. However, not all uses are recommended as specific security measures. Only the first listed use, controlling packet transmission, is recommended as a valid security measure. The following sections describe how to use access lists to control packet transmission.

Configuring Access Lists for Specific Protocols

To control packet transmission for a given protocol, you must configure access lists for that protocol.

Table 7 and Table 8 identify the protocols for which you can configure access lists.

You should consider configuring access lists for each protocol that you have configured for an interface.

You must identify all access lists by either a name or a number. You assign this name or number to each access list when you define the access list. Access lists of certain protocols must be identified by a name, and access lists of other protocols must be identified by a number. Some protocols can be identified by either a name or a number. When a number is used to identify an access list, the number must be within the specific range of numbers that is valid for the protocol.

Table 7 lists protocols that use access lists specified by names.

**Table 7: Protocols with Access Lists Specified by Names**
Protocol
Apollo Domain
IP
Extended IP
ISO CLNS
Source-route bridging NetBIOS
NetBIOS IPX

Table 8 lists protocols that use access lists specified by numbers, and also includes the range of access list numbers that is valid for each protocol.

**Table 8: Protocols with Access Lists Specified by Numbers (Continued)**
Protocol	Range
IP	1 to 99
Extended IP	100 to 199
Ethernet type code	200 to 299
Ethernet address	700 to 799
Transparent bridging (protocol type)	200 to 299
Transparent bridging (vendor code)	700 to 799
Extended transparent bridging	1100 to 1199
DECnet and extended DECnet	300 to 399
XNS	400 to 499
Extended XNS	500 to 599
AppleTalk	600 to 699
Source-route bridging (protocol type)	200 to 299
Source-route bridging (vendor code)	700 to 799
IPX	800 to 899
Extended IPX	900 to 999
IPX SAP	1000 to 1099
Standard VINES	1 to 100
Extended VINES	101 to 200
Simple VINES	201 to 300

Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general most protocols require at least two steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface. (Note that some protocols refer to access lists as "filters," and some protocols refer to the act of applying the access lists to interfaces as "filtering.")

Creating Access Lists (Overview)

Access list definitions provide a set of criteria which are applied to each packet that is processed by the router. The router decides whether to forward or block each packet based on whether or not the packet matches the access list criteria.

Typical criteria defined in access lists are packet source addresses, packet destination addresses, or upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a given access list, you define each criteria in separate access list statements. These statements specify whether to block or forward packets that match the criteria listed. An access list, then, is the sum of individual statements that all share the same identifying name or number.

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also, you cannot delete individual statements after they have been created. You can only delete an entire access list.

The order of access list statements is important. When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked.

If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked.

Creating Access List Statements on a tftp Server

Because the order of access list statements is important, and because you cannot reorder or delete statements, we recommend that you create all access list statements on a tftp server, and then download the entire access list to your router.

To do this, create the access list statements using any text editor, and save the access list in ASCII format to a tftp server that is accessible by your router. Then, from your router, use the copy tftp running-config file_id command to copy the access list to your router. Finally, perform the copy running-config startup-config command to save the access list to your router's NVRAM.

Then, if you ever want to make changes to an access list, you can make them to the text file on the tftp server, and copy the edited file to your router as before. Note that the first command of an edited file should delete the previous access list (for example, type a no access-list command at the beginning of the file). If you do not first delete the previous version of the access list, when you copy the edited file to your router you will merely be appending additional criteria statements to the end of the existing access list.

Applying Access Lists to Interfaces (Overview)

You can apply only one access list to an interface for a given protocol.

With most protocols, you can apply access lists to interfaces as either inbound or outbound. If the access list is inbound, when the router receives a packet the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.

If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.

Note For most protocols, if you define an inbound access list for traffic filtering, you should include explicit access list criteria statements to permit routing updates. If you do not, you might effectively lose communication from the interface when routing updates are blocked by the implicit "deny all traffic" statement at the end of the access list.

Finding Protocol-Specific Information about Access Lists

The guidelines discussed previously apply in general to all protocols. However, the specific guidelines for creating access lists and applying them to interfaces vary from protocol to protocol. See the appropriate protocol-specific chapters in the Cisco IOS configuration guides and command references for detailed task information on each protocol-specific access list.

Lock-and-Key Security (Dynamic Access Lists)

To authorize remote access to local services, a common security solution is to create access lists, as discussed previously. Standard and static extended access lists have the following limitations:

They can create the opportunity for break-ins by network hackers.
They are difficult to manage in a large internetwork.
They require the router to do excess processing, depending on entries in the access list.
They do not offer a challenge mechanism to authenticate individual users.

An improved security solution is the lock-and-key access feature, which is available only with IP extended access lists. Lock-and-key access allows you to set up dynamic access lists that grant access per user to a specific source/destination host through a user authentication process. You can allow user access through a firewall dynamically, without compromising security restrictions.

Caution Enhancements to the access-list command are backward compatible; migrating from releases prior to Cisco IOS Release 11.1 converts your access lists automatically. However, releases prior to Cisco IOS Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Cisco IOS Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration files before booting these images.

Note In Cisco IOS Release 11.1 software, lock-and-key access is dependent on Telnet. Standard Telnet is the required application on the host platform that activates the authentication process.

Implementation Considerations of Lock-and-Key Access

Caution Lock-and-key access allows an external event to place an opening in the firewall. After this opening exists, the router is susceptible to source address spoofing. To prevent this, you need to provide encryption support using IP encryption with authentication or encryption. This issue is discussed further in this section. Spoofing is a problem with all existing access-lists. Lock-and-key access does not address this problem.

Because lock-and-key access introduces a potential pathway through your network firewall, you need to evaluate the following serious considerations:

Primary consideration is dynamic access. Another host, spoofing your authenticated address, might gain access behind the firewall. With dynamic access, there is the possibility that an unauthorized host, spoofing your authenticated address, can gain access behind the firewall. Lock-and-key access does not cause the address spoofing problem. The problem is only identified here as a concern to the user.
Performance is affected in the following two situations:
- Each dynamic access list forces an access-list rebuild on the silicon switching engine (SSE). This causes the SSE switching path to slow down momentarily.
- Dynamic access lists require the idle timeout facility (even if the timeout is left to default) and therefore cannot be SSE switched. These entries must be handled in the protocol fast-switching path.
Pay close attention to the border router configurations. Remote users create access list entries on the border router. The access list will grow and shrink dynamically. Entries are dynamically removed from the list after either the idle-timeout or max-timeout period expires. Large access lists degrade packet switching performance.

Two examples of when you might use lock-and-key access are as follows:

When you want a remote host to be able to access a host in your internetwork via the Internet. Lock-and-key access limits access beyond your firewall on an individual host or net basis.
When you want a subset of hosts on a network to access a host on a remote network protected by a firewall. With lock-and-key access, you can enable only a desired set of hosts to gain access by having them authenticate through a TACACS+ server.

The following process describes the lock-and-key access operation:

A user opens a Telnet session to a border router configured for lock-and-key access.
The Cisco IOS software receives the Telnet packet and performs a user authentication process. The user must pass authentication before access is allowed. The authentication process can be done by the router or a central access server such as a TACACS+ or a Radius server.

Note It is highly recommended that you use the TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.

When the user passes authentication, the software creates a temporary entry in the dynamic access list. The temporary entry inherits the attributes of the main dynamic access list. You can limit the range of networks to which the user is given temporary access.
The user exchanges data through the firewall and then logs out.
The software deletes the temporary access list entry when a configured timeout is reached, or when the system administrator manually clears it. The timeout can either be an Idle-timeout or an Absolute-timeout.

Note When the user terminates a session, the temporary access list entry remains until a configured timeout is reached or until it is cleared by the system administrator.

To configure lock-and-key access, perform the following tasks (Step 1 through Step 6) beginning in global configuration mode:

Task	Command
Step 1 Configure a dynamic access list, which serves as a template and place holder for temporary access list entries.	access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny \| permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log] ¹
Step 2 Configure an interface.	interface type number ²
Step 3 In interface configuration mode, apply the access list to the interface.	ip access-group access-list-number ³
Step 4 In global configuration mode, define one or more virtual terminal (VTY) ports. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.	line VTY line-number [ending-line-number] ⁴
Step 5 Configure user authentication.	login tacacs or username name password secret or password password login local
Step 6 Enable the creation of temporary access list entries. If the host argument is `not` specified, all hosts on the entire network are allowed to set up a temporary access list entry. The dynamic access list contains the network mask to enable the new network connection.	autocommand access-enable [host] [timeout minutes]

¹ This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.
² This command is documented in the "Interface Commands" chapter of the Configuration Fundamentals Command Reference.
³ This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.
⁴ This command is documented in the "Terminal Lines and Modem Commands" chapter of the Access Services Command Reference.

There are three possible methods to configure an authentication query process (see Step 5 in the previous task list):

Use a network access server such as TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.

: Router# login tacacs

Use the username command. This method is more effective because authentication is determined on a user basis.

: Router# username name password password

Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.

: Router# password passwordRouter# login local

For an example of lock-and-key access, see the section "Lock-and-Key Access Example" later in this chapter.

Follow these guidelines when you configure dynamic access lists:

Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
Configure Telnet only, so that the user must use the authentication query process. Telnet access must be allowed to enable user authentication.
Define either an idle timeout (with the access-enable command in the autocommand command) or an absolute timeout value (with the timeout keyword in the access-list command). Otherwise the temporary access list entry will remain, even after the user has terminated his session.
Configure the idle timeout value to be less than the absolute timeout value.
Configure the idle timeout to be equal the WAN idle timeout.
Do NOT create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined.
Do NOT assign the same dynamic-name on another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique, within the configuration.
If the router executes the autocommand command, configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.

When you create dynamic access lists, remember the following:

The only values replaced in the temporary entry are the source or destination address, depending whether the access list was in the input access-list or output access-list. All other attributes such as port are inherited from the main dynamic access list.
Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
Temporary access list entries are never written to NVRAM.

To manually clear or to display dynamic access lists, refer to the section "Monitor and Maintain Dynamic Access Lists" in this chapter.

User authentication is successful when the following router events occur:

The user connects via the virtual terminal port on the router.
The router executes the configured autocommand command for the access-enable command.
A temporary access list entry is created and the Telnet session is terminated, and the specified host has placed a temporary access list entry and has access inside the firewall.

You can verify that this operation is successful on the router by:

Asking the user to test the connection.
Using the show-access-lists command to view dynamic access lists.

The following sample display illustrates what the end-user might see after successfully completing the authentication process. Notice that the connection was closed immediately after the password was entered and authenticated. The temporary access list entry has already been created, and the host that initiated the Telnet session has access inside the firewall.

Router% telnet corporate
Trying 172.21.52.1 ...
Connected to corporate.abc.com.
Escape character is '^]'.
User Access Verification
Password:Connection closed by foreign host.

For an example of lock-and-key access, see the "Lock-and-Key Access Example" at the end of this chapter.

Monitor and Maintain Dynamic Access Lists

To manually delete a temporary access list entry, perform the following task in privileged EXEC mode:

Task	Command
Delete a dynamic access list.	clear access-template [access-list-number \| name] [dynamic-name] [source] [destination]

You can display temporary access list entries when they are in use. After a temporary access list entry is cleared by you or by the absolute or idle timeout parameter, it can no longer be displayed. The number of matches displayed indicates the number of times the access list entry was hit.

To view dynamic access lists and any temporary access list entries that are currently established, perform the following task in privileged EXEC mode:

Task	Command
Display dynamic access lists and temporary access list entries.	show access-lists [access-list-number] ¹

¹ This command is documented in the "IP Commands" chapter of the Network Protocols Command Reference, Part 1.

Lock-and-Key Access Example

The following example shows how to configure lock-and-key access. In this example, login is on the TACACS+ server, so no autocommand command appears in this configuration. Lock-and-key access is configured on the BRI0 interface. Four VTY ports are defined with the password "cisco."

aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
!!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name diana
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
access-list 102 dynamic testlist timeout 5 permit ip any any
access-list 102 permit tcp any host 172.18.21.2 eq 23
!
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password cisco
line aux 0
line VTY 0 4
password cisco
!

Table of Contents