Traffic filtering is a common use for standard access lists: the goal is to block all packets from a specific source host, or group of hosts, from reaching a portion of the network. Figure 2-3 shows a simple two-router network that might represent two branch locations of a smaller business.
The following configuration creates two access lists on the Rtr1 router. ACL 10 allows only a single host (192.168.2.20) from the Rtr2 LAN, plus all hosts from the Rtr1 LAN, to go out to the Internet. Because no permit any statement is added, the implicit deny at the end of the list drops traffic from all other hosts.
Rtr1(config)#access-list 10 permit host 192.168.2.20
Rtr1(config)#access-list 10 permit 192.168.1.0 0.0.0.255
Rtr1(config)#access-list 20 permit host 192.168.2.20
Rtr1(config)#access-list 20 deny 192.168.2.0 0.0.0.31
Rtr1(config)#access-list 20 permit any
Rtr1(config)#int s0
Rtr1(config-if)#ip access-group 10 out
Rtr1(config-if)#int e1
Rtr1(config-if)#ip access-group 20 out
The first line of ACL 20 permits host 192.168.2.20 from the Rtr2 LAN to access the LAN on Rtr1. The second line blocks the rest of the 192.168.2.0 subnet with mask 255.255.255.224 (addresses 192.168.2.0 through 192.168.2.31) from reaching the Rtr1 LAN; because a standard ACL is processed top down and stops at the first match, the host permit must come before this deny. The final line allows the rest of the Rtr2 LAN and anything coming in over the Internet.
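To make the wildcard-mask matching and the first-match, implicit-deny semantics concrete, the following Python model evaluates the two access lists above against sample source addresses. This is an added example, not code from the original text or from Cisco IOS; the entry names and the helper functions are my own, and the "effective base" check reflects the well-known IOS behaviour of ignoring address bits that the wildcard marks as "don't care".

```python
import ipaddress
from dataclasses import dataclass
from typing import List

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    """One line of a standard ACL: only the source address is inspected."""
    action: str      # "permit" or "deny"
    address: int     # base address as a 32-bit integer
    wildcard: int    # wildcard mask; a 1 bit means "don't care"


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def host(action: str, addr: str) -> Entry:
    # "host A" is shorthand for "A 0.0.0.0": every bit must match
    return Entry(action, _ip(addr), 0)


def net(action: str, addr: str, wildcard: str) -> Entry:
    return Entry(action, _ip(addr), _ip(wildcard))


def any_(action: str) -> Entry:
    # "any" is shorthand for "0.0.0.0 255.255.255.255": nothing has to match
    return Entry(action, 0, MASK32)


def effective_base(addr: str, wildcard: str) -> str:
    """Bits covered by the wildcard are irrelevant, so 192.168.1.20 0.0.0.255
    is stored and matched exactly like 192.168.1.0 0.0.0.255 (assumption:
    this mirrors how IOS normalizes the entry)."""
    base = _ip(addr) & (~_ip(wildcard) & MASK32)
    return str(ipaddress.IPv4Address(base))


def matches(src: int, entry: Entry) -> bool:
    # Compare only the bits the wildcard cares about (0 bits).
    care = ~entry.wildcard & MASK32
    return (src ^ entry.address) & care == 0


def evaluate(acl: List[Entry], src: str) -> str:
    """Process entries top down and stop at the first match; a packet that
    matches no entry hits the implicit 'deny any' at the end of every ACL."""
    s = _ip(src)
    for entry in acl:
        if matches(s, entry):
            return entry.action
    return "deny"


# The two lists from the text, applied on Rtr1.
ACL10 = [
    host("permit", "192.168.2.20"),            # one host from the Rtr2 LAN
    net("permit", "192.168.1.0", "0.0.0.255"),  # the whole Rtr1 LAN
]
ACL20 = [
    host("permit", "192.168.2.20"),            # must precede the deny below
    net("deny", "192.168.2.0", "0.0.0.31"),     # 192.168.2.0 - 192.168.2.31
    any_("permit"),                            # rest of Rtr2 LAN and Internet
]

if __name__ == "__main__":
    # Constructed sample sources, not addresses from the original text.
    samples = ["192.168.2.20", "192.168.2.21", "192.168.2.31",
               "192.168.2.32", "192.168.1.200", "203.0.113.9"]
    for src in samples:
        print(f"{src:>14}  ACL 10 (s0 out): {evaluate(ACL10, src):6}"
              f"  ACL 20 (e1 out): {evaluate(ACL20, src)}")
    print("192.168.1.20 0.0.0.255 is matched as", effective_base("192.168.1.20", "0.0.0.255"))
```

Swapping the first two entries of ACL20 (`evaluate(ACL20[1:2] + ACL20[:1] + ACL20[2:], "192.168.2.20")`) returns "deny", which is the ordering mistake the text warns about: once a packet matches an entry, later permits are never reached.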