Example – Creating a filter to protect a router from outside attack

This article describes how to set up a firewall filter that blocks unwanted traffic from outside your network, and the options it gives you for protecting the Routing Engines.

To prevent outside attackers from attempting to gain access to your router, you can apply a filter to your loopback interface (lo0) that accepts only specific protocols from trusted IP addresses. A filter on lo0 is evaluated for all traffic destined to the Routing Engine, regardless of which physical interface the packet entered on, so one filter protects every management and control-plane service on the router.

An example configuration is shown below. It is only an example; modify it to match your network and the services your router actually needs to accept.

1. Create a prefix list of the IP addresses allowed to access the router:

2. Create the firewall filter for the options you want to allow:

3. Apply the firewall filter to the lo0 interface:
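The three steps above, worked through as one complete configuration. This is an added example, not the original article's configuration: the prefix-list name mgmt-hosts, the filter name protect-re, the counter name rejected, the BGP peer prefix list bgp-peers, and the address ranges (192.0.2.0/24, 198.51.100.10/32, 203.0.113.0/29, which are documentation ranges) are all assumptions; replace them with your own trusted addresses. It goes slightly beyond the article's case by also admitting the return traffic and routing-protocol packets that a router normally needs, so that applying the filter does not break existing sessions.

```junos
/* Step 1: prefix list of hosts allowed to manage the router (assumed addresses) */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
    prefix-list bgp-peers {
        203.0.113.0/29;
    }
}

/* Step 2: the filter; terms are evaluated top to bottom, first match wins */
firewall {
    family inet {
        filter protect-re {
            /* SSH and NETCONF, only from the management prefix list */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* SNMP polling, only from the management prefix list */
            term allow-snmp {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* BGP sessions with configured peers (port matches either direction) */
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* OSPF adjacencies on directly connected links */
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* Replies to TCP sessions the router itself opened */
            term allow-tcp-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Replies to DNS (53) and NTP (123) queries the router sent */
            term allow-udp-replies {
                from {
                    protocol udp;
                    source-port [ 53 123 ];
                }
                then accept;
            }
            /* Basic ICMP for reachability tests and path MTU discovery */
            term allow-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            /* Explicit final term: count and log what the implicit deny would silently drop */
            term deny-rest {
                then {
                    count rejected;
                    log;
                    discard;
                }
            }
        }
    }
}

/* Step 3: apply the filter inbound on lo0 */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Commit this with `commit confirmed 5` rather than a plain `commit`: if the filter locks you out of SSH, the router rolls the change back after five minutes. After committing, `show firewall filter protect-re` shows the `rejected` counter and `show firewall log` shows which sources hit the final term, which is the quickest way to find a legitimate service you forgot to allow. The filter above covers only IPv4; if the router has IPv6 management or peering, build and apply an equivalent `family inet6` filter.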

By referencing a prefix list, you can add and remove IP prefixes in one place instead of editing every term in the filter that uses them; within each term you also specify which protocols and ports are allowed from those prefixes.

Every firewall filter ends with an implicit discard. In the example above, incoming traffic is evaluated against each term in order and the first matching term decides the action; if no term matches, the traffic is dropped by the implicit discard. Because this applies to everything destined to the Routing Engine, make sure the filter has terms for the routing protocols (for example BGP and OSPF), ICMP, and the replies to connections the router itself opens, or those sessions will fail as soon as the filter is applied. Applying the filter with commit confirmed gives you a safe way to recover if you lock yourself out.

