Showing results for 
Search instead for 
Did you mean: 

Ask the Expert- SD-WAN

How to filter IP packets


Core Issue

IP packets can be filtered using Access Control Lists (ACLs) to control what traffic enters and leaves a network. ACLs can be configured and applied in inbound and outbound directions on an interface for packet filtering. Inbound ACLs check the traffic entering the interface and outbound ACLs act on traffic leaving the interface.


An ACL is a sequential collection of permit and deny statements that check the packets against each statement until a match is found. When a match is found, the action permit or deny specified in the statement is applied to the packet. The ACLs have an implicit deny statement at the end, which drops all packets that do not match any statement.

These are two types of ACLs that can be configured for IP traffic:

  • Standard ACL matches packets based only on source IP addresses. It can be configured using a name or number ranging from 1 to 99 and 1300 to 1999.
  • Extended ACL matches packets based on source and destination IP addresses, optional protocol type and source and destination ports for more granularity. It can be configured using a name or number ranging from 100 to 199 and 2000 to 2699.

To configure a numbered ACL, issue the access-list access-list-number {permitdeny} {type-code wild-maskaddress mask} command in global configuration mode and apply the ACL to the interface by issuing the ip access-group {access-list-numberaccess-list-name} {inout} command under the specific interface configuration mode.

For example, if a router is connected to the WAN through interface serial0 and the hosts are connected to its ethernet0 interface, this configuration uses a standard ACL 1 to filter any packet from the host from going over the WAN. But traffic from other hosts are allowed to cross the WAN link, as shown in this example:

access-list 1 deny

!---This line denies all IP traffic from host 

access-list 1 permit any

!---This line permits traffic from all other hosts.   

interface serial 0

ip access-group 1 out

!---The standard ACL 1 is applied outbound to the WAN interface to check all packets leaving this interface.   

If the host functions as a mail server, then Simple Mail Transfer Protocol (SMTP) traffic from this host has to be allowed to cross the WAN link. To tune the previous configuration to allow only SMTP traffic from this host and allow all IP traffic from other hosts to go over the WAN, an extended ACL is needed.

This is the proper configuration:

access-list 100 permit tcp host eq smtp any

access-list 100 permit tcp host any eq smtp

!---These two lines permit only mail traffic from host destined to any other host. The protocol keyword Transmission Control Protocol ("TCP") along with the source and destination port as "SMTP" identifies it as mail traffic. 

access-list 100 permit ip any any

!---This line permits all IP traffic between all other hosts. All other IP traffic from host is denied by the implicit deny statement. 

interface serial 0

ip access-group 100 out

!---The extended ACL 100 is applied outbound to serial 0 interface to check all packets leaving this interface. 

For more information on ACLs and its various types, refer to Configuring IP Access Lists.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards