Egress Filtering with Simple Access-lists
by ewiley
Egress filtering is often ignored, but it matters for the health of the Internet. The idea is simple: only allow packets whose source address falls in the IP range you have been assigned to leave your router. That stops spoofed-source traffic at your own edge, which keeps your network from being used as a participant in a spoofed DDoS attack and blocks any worm or flood that forges its source address. (It does not, by itself, stop a worm like Slammer, which sends its scans from the real address of the infected host; for that you still need to filter the worm's ports.) Your ISP is supposed to do this filtering for you (this is what BCP 38 / RFC 2827 asks of them), but they don't always, and doing it yourself also keeps your own uplink from being saturated by spoofed worm scans and DDoS floods.

The filter is very easy to set up and deploy. NOTE: Test on lab equipment first, and make changes to access-lists from the console if possible, since applying an ACL to the interface you're connected through may drop your telnet session! The last thing you want is to accidentally replace a permit statement with a deny, then be unable to correct it after you've applied the access-list. If you must do it remotely, schedule a safety-net reload first (reload in 10, cancelled with reload cancel once you've confirmed you still have access). (I'm not going to be responsible if you shut down your production T1!)

Anyway, for this example, assume your assigned IP range is 10.1.1.0/24, and that your Serial0/0 interface points to the Internet (your ISP) and has an IP address of 172.16.1.2 on a /30 link.

! Standard ACL: match on source address only. Permit only the block we own.
access-list 10 permit 10.1.1.0 0.0.0.255
! implied deny at the end (every IOS access-list ends with an implicit deny any)

! Apply it outbound on the interface that faces the ISP
interface Serial0/0
 ip address 172.16.1.2 255.255.255.252
 ip access-group 10 out

That's it! One thing worth knowing: on IOS an outbound ACL is not applied to packets the router itself originates, so ping replies and routing-protocol traffic sourced from 172.16.1.2 still leave even though that address is not in the list. You only need to permit the serial interface's address if the egress filter is applied on a device upstream of this router, where its traffic is transit traffic rather than locally generated.
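Before applying a list like the one above to a live interface, it helps to check it offline. The following Python script is an added example (not part of the original FAQ and not Cisco code): it builds the permit lines for a list of assigned prefixes and evaluates sample source addresses against the ACL the way IOS does, comparing only the bits where the wildcard mask is 0, taking the first matching entry, and denying everything left over. It goes a little beyond the FAQ's single /24: the second prefix 192.0.2.0/28 and all sample source addresses are constructed for the demonstration, and the parser also understands host, any and non-contiguous wildcards so longer lists can be checked the same way.

```python
"""Offline simulation of an IOS standard access-list used as an egress filter.

Added example, not from the original FAQ. Assumptions: standard (source-only)
ACL syntax, 'access-list N permit|deny <addr> [<wildcard>]', first match wins,
implicit deny at the end, exactly as IOS evaluates it.
"""
import ipaddress


def to_int(dotted: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_for(prefix: str) -> str:
    """IOS wildcard (inverse) mask for a CIDR prefix, e.g. /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(prefix, strict=True).hostmask)


def build_egress_acl(number: int, assigned_prefixes) -> list:
    """One 'permit' line per assigned prefix. The implicit deny needs no line."""
    lines = []
    for prefix in assigned_prefixes:
        net = ipaddress.ip_network(prefix, strict=True)
        lines.append(f"access-list {number} permit {net.network_address} {wildcard_for(prefix)}")
    return lines


def parse_standard_acl(lines) -> list:
    """Parse standard ACL lines into (action, address_int, wildcard_int) tuples.

    Accepts 'any', 'host A.B.C.D', 'A.B.C.D' (implicit 0.0.0.0 wildcard) and
    'A.B.C.D W.X.Y.Z'. Anything that is not an access-list statement, such as
    a '!' comment line, is skipped.
    """
    aces = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        if parts[3] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif parts[3] == "host":
            addr, wild = to_int(parts[4]), 0    # every bit must match
        else:
            addr = to_int(parts[3])
            wild = to_int(parts[4]) if len(parts) > 4 else 0
        aces.append((parts[2], addr, wild))
    return aces


def evaluate(aces, src: str) -> str:
    """Verdict ('permit' or 'deny') for a packet with source address src.

    A wildcard bit of 1 means "don't care", so only the bits where the wildcard
    is 0 are compared. Wildcards need not be contiguous, which is why this is
    done with bit operations rather than prefix lengths.
    """
    s = to_int(src)
    for action, addr, wild in aces:
        if (s & ~wild) == (addr & ~wild):
            return action
    return "deny"  # implicit deny at the end of every IOS access-list


def audit(acl_lines, sample_sources) -> dict:
    """Map each sample source address to the verdict the ACL would give it."""
    aces = parse_standard_acl(acl_lines)
    return {src: evaluate(aces, src) for src in sample_sources}


# Constructed input: the FAQ's assigned /24 plus an assumed second block (TEST-NET-1 space).
ASSIGNED = ["10.1.1.0/24", "192.0.2.0/28"]
ACL = build_egress_acl(10, ASSIGNED) + ["! implied deny at the end"]

# Constructed egress packets: two legitimate sources, a spoofed source, a host just
# outside the /28, and a host in an unassigned neighbouring /24.
SAMPLES = ["10.1.1.5", "192.0.2.7", "203.0.113.9", "192.0.2.200", "10.1.2.1"]

if __name__ == "__main__":
    print("\n".join(ACL))
    for src, verdict in audit(ACL, SAMPLES).items():
        print(f"{src:>14}  {verdict}")
```

Running it prints the generated access-list followed by one verdict per sample address; only 10.1.1.5 and 192.0.2.7 are permitted. To check an existing list from a router, paste its access-list lines into ACL and the source addresses you care about into SAMPLES.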

Caveat:
If NAT is done on a separate firewall/gateway behind the router, you should not need to add your inside (private) addresses to the list: by the time packets reach the router, their source is already the translated global address, which should fall within your assigned range. If NAT runs on the router itself, apply the ACL outbound on the outside interface as shown above: IOS performs inside-to-outside translation before it checks the outbound ACL, so the list sees the global addresses. An inbound ACL on an inside interface would see the untranslated private sources instead, and you would have to modify the ACL to permit those.

Egress filtering can be applied on any router in your network, but be aware that it does not always scale very well, and it needs to be planned so you don't accidentally block legitimate traffic from networks several hops away behind a downstream router. At a minimum, apply it to the routers facing the Internet (i.e. your upstream ISP).