Ingress filtering how to setup?

Posted on 2001-07-03
Last Modified: 2010-10-05
What is the command to configure ingress filtering for a Cisco router?

Let's say your internal network IP is

WAN--se0/0----router----eth0/0--- LAN

Question by:bluepet
LVL 11

Expert Comment

ID: 6253776
It depends on what you are trying to filter.  The "access-list" command will allow you to set both standard and extended access lists on the router.

Author Comment

ID: 6254067
Ah I just found out how

ingress filtering is done in all new Cisco routers

sh run
no ip directed-broadcast

for 3Com it's
setd -ip cont=nofwdSubnetBcast

egress filtering on the other hand is as follows

# config t
config# access-list extended permit ip any

config# access-list extended deny ip any any
then configure for access group at interface eth0

config# int eth0
config if# ip access-group 100 in


I however still have no idea about how to do egress filtering for 3Com...

can someone help here..

LVL 79

Accepted Solution

lrmoore earned 34 total points
ID: 6255374
I don't think that "no ip directed-broadcast" on your interface qualifies as an ingress filter. It is outgoing only. Ingress filters can only be applied through access-lists. Your example of an access list applied is incorrect.
Here are some good examples for Cisco of ingress filters (keeping the bad stuff out):


Assisted Solution

svindler earned 33 total points
ID: 6316566
lrmoore's links look good. You really should read them through.
Here are some more:

To sum it up, you make an access-list that denies all private addresses and your own addresses from originating from the internet. Then you apply this access-list as inbound on the interface closest to the internet.

A basic ingress filter, that only guards against spoofed packets, can be made using a standard access-list:

router(config)#access-list 11 deny (or whatever your public ip range is)
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny host
router(config)#int s0/0 (or whatever your external interface is)
router(config-if)# ip access-group 11 in

Expert Comment

ID: 6316576
Oops, just noticed that you actually had provided the external interface and the public ip addresses. The example should then read:
router(config)#access-list 11 deny (assuming a class C network)
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny
router(config)#access-list 11 deny host
router(config)#int s0/0
router(config-if)# ip access-group 11 in

Assisted Solution

jwalsh88 earned 33 total points
ID: 6372021

you forgot one line
router(config)#access-list 11 permit any

bluepet, that should be the last access-list entry.
otherwise svindler's access-list would block all inbound traffic, from the internet, with the implied deny any rule.

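As an added illustration of the point svindler and jwalsh88 make above (this is not code from the thread or from Cisco), here is a small Python model of how IOS evaluates a standard access-list: first match wins, and a packet that matches nothing hits the implicit deny, so without the final "permit any" every inbound packet is dropped. The 203.0.113.0/24 block standing in for "your own addresses" is an assumption, and only contiguous wildcard masks are handled.

```python
import ipaddress

# Constructed ACL in IOS standard-ACL syntax. 203.0.113.0/24 is a
# documentation prefix used here as an assumed stand-in for the
# poster's own public range; the rest are RFC 1918, loopback, the
# 0.0.0.0/8 "this network" block and the limited broadcast address.
INGRESS_ACL = """
access-list 11 deny 203.0.113.0 0.0.0.255
access-list 11 deny 10.0.0.0 0.255.255.255
access-list 11 deny 172.16.0.0 0.15.255.255
access-list 11 deny 192.168.0.0 0.0.255.255
access-list 11 deny 127.0.0.0 0.255.255.255
access-list 11 deny 0.0.0.0 0.255.255.255
access-list 11 deny host 255.255.255.255
"""

# The same list with the final entry jwalsh88 says must be last.
INGRESS_ACL_WITH_PERMIT = INGRESS_ACL + "access-list 11 permit any\n"


def wildcard_to_network(addr, wildcard):
    # An IOS wildcard mask is an inverted subnet mask: 0 bits must match.
    # Converting explicitly avoids ipaddress treating "0.0.0.0" as a /0 netmask.
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    mask = ipaddress.IPv4Address(mask_int)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Return [(action, network)] in the order the router would test them."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]                      # "permit" or "deny"
        if parts[3] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif parts[3] == "host":
            net = ipaddress.IPv4Network(parts[4] + "/32")
        else:
            # A bare address with no wildcard means wildcard 0.0.0.0 (a host).
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            net = wildcard_to_network(parts[3], wildcard)
        entries.append((action, net))
    return entries


def check_source(acl_text, src):
    """First matching entry decides; no match falls through to the implicit deny."""
    ip = ipaddress.IPv4Address(src)
    for action, net in parse_acl(acl_text):
        if ip in net:
            return action
    return "deny (implicit)"
```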

Expert Comment

ID: 9706103
Hey people,

No comment has been added in roughly 2 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts split between lrmoore, svindler and jwalsh88.
Please leave any comments here within the next seven days.


EE Page Editor

