Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Is ACLs on Internet router common ?

I have a predecessor of mine who has installed for all our customers who have Internet access, ACL for inbound and outboud internet access preventing certain bad foreign ips and dns etc etc . A Firewall is already in place so I am not sure why he had done this and looks weird. I have never come across this when you have a firewall. A router should routing and let the F/W do the filtering.

Just wanted to know is anyone doing this ?

New Member

Re: Is ACLs on Internet router common ?

I have done this in a few setup. My reasoning is never enough security. I have filtered all unwanted traffic at the router and also analyze the wanted traffic at the firewall. also you need some type of security on your router as well.

hope this helps.


Re: Is ACLs on Internet router common ?

I'm generally in agreement with you -- firewalls are meant for packet filtering and routers are not, so I think it's usually wise to leave the filtering to the firewalls. Another issue is logging -- firewalls tend to have much better logging functionality than routers do. I'd much rather have unwanted packets hit a firewall instead of a router because I'm more likely to notice them in the logs this way. Packets dropped by edge routers will also never be seen by your IDS.

There are, of course, exceptions. Traffic to the edge routers themselves (TELNET, SNMP, BGP, etc.) obviously can't be filtered by the firewalls. This also applies to any devices that sit between the routers and firewalls. It may also be desirable to block traffic from bogus IP ranges (i.e., private addresses, unallocated addresses) at the edge so that it never has a chance to get onto your LAN and cause harm.

But for the most part, I agree that the firewalls should do the filtering. That's what they're there for.


Re: Is ACLs on Internet router common ?

The best practice (in my humble opinion) is to let the firewall do all the filtering, but with this I'm not saying that no ACL is needed on the router.

I would always create an ACL on the router which blocks malicious IP's or IP subnets (why let them reach the PIX) and also filter all directed broadcasts on the router to prevent your own site from being a so-called "amplifier" for a smurf attack

Also you could IP-spoofing from your network to the Internet on the router (but this can also be done at the PIX)

Although I agree with the fact that main filtering has to take place on the PIX, I would also like to say that having the router in front of it filtering some unwanted traffic is the best way.

Main reason for this is that all traffic which arrives on the PIX does consume procesmemory on the PIX, so, what's the use of routing traffic to the PIX which you do not need there?

Kind Regards,


New Member

Re: Is ACLs on Internet router common ?

Well as long as the internet router's CPU utilization is within limits, its better you configure some access-lists on it instead of letting some unwanted traffic towards PIX like

no ip icmp unreachables

no ip proxy-arp

no ip directed-broadcast

There is a gr8 stuff at this website.It might not apply very well to this conversation, but u can have a look.

CreatePlease to create content