Cisco Config Best Practices
Egress Filtering with Simple Access-lists
Posted: 26 May 03
Egress filtering is often ignored, but it is important for the health of the Internet. The idea is simple: only packets whose source address belongs to the address space you have actually been assigned are allowed to leave your router. That keeps a compromised host on your network (worms like Slammer and their ilk) from sending traffic with forged source addresses, and it helps prevent your network from becoming a participant in a spoofed-source DDoS. Your ISP is supposed to do this filtering for you, but they don't always, and doing it yourself also keeps your own upstream link from being saturated by worm traffic and spoofed DDoS packets.
The filter is very easy to set up and deploy. NOTE: test on lab equipment first, and make access-list changes from the console if possible, since applying the ACL to the interface you are connected through may drop your telnet session. The last thing you want is to accidentally replace a permit statement with a deny and then be unable to correct it after the access-list has been applied. A common safety net is to schedule a reload (reload in 10) before you start editing and cancel it (reload cancel) once you have confirmed you can still reach the router. (I'm not going to be responsible if you shut down your production T1!)
For this example, assume your assigned IP range is 10.1.1.0/24 and your Serial0/0 interface points to the Internet (your ISP) with an IP address of 172.16.1.2 on a /30.
! Standard ACL: 0.0.0.255 is a wildcard (inverse) mask, so this line matches 10.1.1.0/24
access-list 10 permit 10.1.1.0 0.0.0.255
! implied deny at the end: every other source address is dropped
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 ip access-group 10 out
That's it! One point to be aware of: on IOS an outbound access-list does not apply to packets the router itself generates, so replies to pings of the Serial0/0 address from the outside are not blocked by this ACL and you do not need to add 172.16.1.2 to the list for that. You would only need to add the serial subnet if other hosts send traffic with sources in it out through this interface.
If you're running NAT on a separate firewall/gateway, you should not need to add your inside addresses to the list: the router sees the translated global address as the source. If you're running NAT on the router itself, apply the ACL outbound on the outside interface (rather than inbound on an inside interface): inside-to-outside translation happens before the outbound ACL is evaluated, so the ACL sees the translated global source, whereas an inbound ACL on the inside interface would see the untranslated private addresses and would have to permit those instead.
Egress filtering is appropriate for any router in your network, but it does not always scale well and needs careful planning so you don't accidentally block legitimate packets arriving from several hops away. At a minimum, apply it on routers facing the Internet (i.e. your upstream ISP).
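A fuller version of the same setup, written for this page as an added example (it is not the FAQ author's configuration). It keeps the addressing above (10.1.1.0/24 assigned, Serial0/0 toward the ISP at 172.16.1.2/30) and assumes, for illustration only, an inside interface FastEthernet0/0 on 192.168.0.0/24 plus the ACL and pool names shown. It uses named extended access-lists so the implicit deny can be logged while you verify, adds the complementary inbound anti-spoof filter on the same interface, and shows why the NAT-on-router case still works with the ACL applied outbound.

```cisco
! Added example, not from the original FAQ. Assumptions: inside interface
! FastEthernet0/0 on 192.168.0.0/24, and the names EGRESS-OUT, INGRESS-IN
! and PUBLIC-POOL (pick your own).
!
! Outbound (egress) filter: only our assigned block may leave toward the ISP.
! A named extended ACL lets us write the final deny explicitly and log it.
ip access-list extended EGRESS-OUT
 remark Only sources in our assigned block 10.1.1.0/24 may leave
 permit ip 10.1.1.0 0.0.0.255 any
 remark Everything else is a spoofed or misrouted source; log while testing
 deny   ip any any log
!
! Inbound (ingress) filter on the same interface: a packet arriving from
! the ISP must not claim a source inside our own block or a loopback source.
ip access-list extended INGRESS-IN
 remark Our own block cannot legitimately arrive from the outside
 deny   ip 10.1.1.0 0.0.0.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
interface Serial0/0
 description Link to upstream ISP
 ip address 172.16.1.2 255.255.255.252
 ip access-group EGRESS-OUT out
 ip access-group INGRESS-IN in
!
! Optional: NAT on this router. Inside hosts 192.168.0.0/24 are translated
! to addresses from our assigned block. Inside-to-outside translation runs
! before the outbound ACL on Serial0/0 is evaluated, so EGRESS-OUT sees the
! translated 10.1.1.x source and needs no change. An inbound ACL on
! FastEthernet0/0 would instead see 192.168.0.x and have to permit that.
ip nat pool PUBLIC-POOL 10.1.1.2 10.1.1.254 netmask 255.255.255.0
access-list 20 permit 192.168.0.0 0.0.0.255
ip nat inside source list 20 pool PUBLIC-POOL overload
!
interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip nat outside
```

Verify with show ip access-lists EGRESS-OUT: the per-entry match counters should climb on the permit line and stay near zero on the deny line, and show ip nat translations confirms inside hosts are being mapped into 10.1.1.0/24 before they hit the filter. Once you are satisfied, drop the log keyword from the deny lines; logged matches cost CPU and the router throttles ACL log messages anyway, so the counters are the better measure of volume.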