Traffic Filtering Using Cisco Router & Firewall - Layer 2, 3, 4 Security Training by Saeed Ahmad
Master Layer 2, 3, 4 Filtering • ACLs • Zone-Based Firewall • CBAC
Learn from Saeed Ahmad | Real CLI Labs | Security Troubleshooting
What is Traffic Filtering in Cisco Networks?
Traffic filtering is a fundamental security practice that controls data flow across network devices by permitting or denying packets based on predefined rules. In Cisco environments, filtering operates at multiple OSI layers: Layer 2 (MAC addresses), Layer 3 (IP addresses), and Layer 4 (TCP/UDP ports) to enforce security policies, prevent unauthorized access, and mitigate threats.
Our CCNA/CCNP Security Training by Saeed Ahmad provides hands-on mastery of Cisco traffic filtering techniques including Standard/Extended ACLs, MAC ACLs, Zone-Based Policy Firewall (ZBF), Context-Based Access Control (CBAC), and essential troubleshooting commands to verify and debug filtering policies in real-world scenarios.
What You'll Learn in the Traffic Filtering Course
Layer 2 Filtering
MAC address ACLs, port-security, VLAN ACLs (VACLs) to control traffic at the data link layer.
Layer 3 ACLs
Standard & Extended IP ACLs: filter by source/destination IP, wildcard masks, logging, time-ranges.
Layer 4 Port Filtering
TCP/UDP port-based filtering, established keyword, reflexive ACLs for stateful inspection basics.
Zone-Based Firewall (ZBF)
Modern Cisco firewall policy: zones, zone-pairs, policy-maps, inspect/drop/pass actions.
Verification & Troubleshooting
Essential show/debug commands: show access-lists, show zone-pair security, packet-tracer, logging analysis.
Real-World Lab Scenarios
Practice filtering DMZ traffic, block malicious IPs, permit only authorized services, simulate attacks & defenses.
Traffic Filtering Techniques by OSI Layer
Layer 2 Filtering (Data Link)
Use Cases: Prevent MAC spoofing, restrict devices per switch port, isolate VLAN traffic.
! MAC ACL Creation
Switch(config)# mac access-list extended BLOCK-MAC
Switch(config-ext-macl)# deny host aaaa.bbbb.cccc any
Switch(config-ext-macl)# permit any any
! Apply to Interface
Switch(config-if)# mac access-group BLOCK-MAC in
! Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Layer 3 Filtering (Network)
Use Cases: Block malicious subnets, permit only trusted networks, implement network segmentation.
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config-if)# ip access-group 10 in
Extended ACL (Source/Dest/Protocol):
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.5 eq 443
Router(config)# access-list 100 deny ip any any log
Router(config-if)# ip access-group 100 out
Time-Based ACL:
Router(config)# time-range WORK-HOURS
Router(config-time-range)# periodic weekdays 9:00 to 17:00
Router(config)# access-list 110 permit tcp any any eq 80 time-range WORK-HOURS
⚡ Layer 4 Filtering (Transport)
Use Cases: Allow HTTP/HTTPS only, block P2P ports, permit established return traffic.
Router(config)# access-list 120 permit tcp any any eq 22
Router(config)# access-list 120 permit tcp any any eq 443
Router(config)# access-list 120 deny tcp any any range 1 1023
Router(config)# access-list 120 permit udp any any eq 53
Established Keyword (Stateful-like):
Router(config)# access-list 130 permit tcp any any established
! Allows return traffic for sessions initiated from inside
Reflexive ACL (Basic Stateful):
Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any reflect USER-TRAFFIC
Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate USER-TRAFFIC
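To make the Layer 3 and Layer 4 ACL semantics above concrete (top-down first match, wildcard masks, eq/range port operators, the established keyword and the implicit deny at the end of every list), here is a small Python model. It is an added example, not course material or IOS code; the names Packet, ACE, ACL and wildcard_match are hypothetical, and the packets it evaluates are constructed. Reflexive ACLs and time-ranges are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration (not IOS code): a mini evaluator for numbered IOS ACLs that
# reproduces first-match ordering, wildcard masks, "eq"/"range" port operators,
# the "established" keyword and the implicit deny at the end of every list.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST set, which is what "established" tests

@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" for standard lists
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z"
    dst: Optional[str] = None       # None for standard lists
    dports: Optional[tuple] = None  # (low, high) destination-port range; "eq n" becomes (n, n)
    established: bool = False
    log: bool = False

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    care = 0xFFFFFFFF ^ _ip(second)   # invert the wildcard to get the bits that must match
    return (_ip(addr) & care) == (_ip(first) & care)

def _take_addr(tok, i):
    """Consume one address spec at tok[i]; return (spec, index of the next token)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():   # a wildcard mask follows
        return f"{tok[i]} {tok[i + 1]}", i + 2
    return f"host {tok[i]}", i + 1                     # standard-list shorthand, no wildcard

def parse_ace(line: str) -> ACE:
    """Parse one 'access-list N permit|deny ...' line."""
    tok = line.split()[1:]                                # drop the leading "access-list"
    number, action, i = int(tok[0]), tok[1], 2
    standard = number <= 99 or 1300 <= number <= 1999    # standard lists: source address only
    proto = "ip"
    if not standard:
        proto, i = tok[i], i + 1
    src, i = _take_addr(tok, i)
    dst = None
    if not standard:
        dst, i = _take_addr(tok, i)
    ace = ACE(action, proto, src, dst)
    while i < len(tok):
        if tok[i] == "eq":
            ace.dports, i = (int(tok[i + 1]), int(tok[i + 1])), i + 2
        elif tok[i] == "range":
            ace.dports, i = (int(tok[i + 1]), int(tok[i + 2])), i + 3
        elif tok[i] in ("established", "log"):
            setattr(ace, tok[i], True)
            i += 1
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in: {line}")
    return ace

def ace_matches(ace: ACE, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src)
            and (ace.dst is None or wildcard_match(pkt.dst, ace.dst))
            and (ace.dports is None or ace.dports[0] <= pkt.dport <= ace.dports[1])
            and (not ace.established or (pkt.proto == "tcp" and pkt.ack_or_rst)))

class ACL:
    """Ordered ACEs evaluated top-down: first match wins, implicit deny at the end."""
    def __init__(self, config_lines):
        self.aces = [parse_ace(line) for line in config_lines]
        self.hits = [0] * len(self.aces)      # the per-ACE counter 'show access-lists' reports

    def evaluate(self, pkt: Packet) -> str:
        for idx, ace in enumerate(self.aces):
            if ace_matches(ace, pkt):
                self.hits[idx] += 1
                return ace.action
        return "deny"                         # implicit "deny ip any any"

if __name__ == "__main__":
    acl = ACL(["access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.5 eq 443",
               "access-list 100 deny ip any any log"])
    print(acl.evaluate(Packet("192.168.10.7", "203.0.113.5", "tcp", 443)), acl.hits)
```

Feeding the page's ACL 120 through this model shows why ACE order matters: a TCP packet to port 80 never reaches the udp line because the deny range 1 1023 entry matches first, and a UDP packet to port 123 falls through to the implicit deny even though no deny line names it. The hits list mirrors the counters that show access-lists displays, which is the first thing to check when an ACL "is not working".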
Zone-Based Policy Firewall (Advanced)
Modern Approach: Define security zones, create zone-pairs, apply policy-maps with inspect/drop/pass actions.
! 1. Define Zones
Router(config)# zone security INSIDE
Router(config)# zone security OUTSIDE
Router(config)# zone security DMZ
! 2. Assign Interfaces to Zones
Router(config-if)# zone-member security INSIDE
! 3. Create Class-Maps (Traffic Classification)
Router(config)# class-map type inspect match-any WEB-TRAFFIC
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https
! 4. Create Policy-Map (Actions)
Router(config)# policy-map type inspect INSIDE-OUT
Router(config-pmap)# class type inspect WEB-TRAFFIC
Router(config-pmap-c)# inspect
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# drop
! 5. Apply to Zone-Pair
Router(config)# zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
Router(config-zone-pair)# service-policy type inspect INSIDE-OUT
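The five steps above define zones, membership, classification and actions, but the forwarding rules that ZBF applies between them are easy to get wrong in the lab. The Python model below is an added example, not course material or IOS code: it encodes the page's INSIDE/OUTSIDE/DMZ zones, the WEB-TRAFFIC class-map and the INSIDE-OUT policy, and assumes an interface-to-zone mapping (GigabitEthernet0/0 in INSIDE, 0/1 in OUTSIDE, 0/2 in DMZ) that the page does not state. The class names Flow, ZoneFirewall and page_firewall are hypothetical.

```python
from dataclasses import dataclass

# Added illustration (not IOS code): a model of how Zone-Based Policy Firewall
# decides a packet's fate. Zone, class-map and policy-map names are the page's;
# the interface-to-zone mapping and the class/function names are assumptions.

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str   # the application protocol a 'match protocol' line names, e.g. "https"
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.protocol, self.dport, self.sport)

class ZoneFirewall:
    def __init__(self, interface_zones, class_maps, policy_maps, zone_pairs):
        self.zones = interface_zones        # interface -> zone
        self.class_maps = class_maps        # name -> ("match-any" | "match-all", [protocols])
        self.policy_maps = policy_maps      # name -> [(class name, action), ...] in order
        self.zone_pairs = zone_pairs        # (source zone, destination zone) -> policy-map name
        self.sessions = set()               # flows opened by an 'inspect' action

    def classify(self, policy: str, protocol: str) -> str:
        """First matching class wins; class-default drops unless configured otherwise."""
        for class_name, action in self.policy_maps[policy]:
            if class_name == "class-default":
                return action
            mode, protocols = self.class_maps[class_name]
            # match-any: any listed protocol; match-all with protocol lines only
            # matches when a single listed protocol equals the flow's protocol
            if (protocol in protocols) if mode == "match-any" else (protocols == [protocol]):
                return action
        return "drop"

    def forward(self, ingress: str, egress: str, flow: Flow) -> str:
        src_zone, dst_zone = self.zones.get(ingress), self.zones.get(egress)
        if src_zone is None and dst_zone is None:
            return "pass"        # neither interface is a zone member: ZBF is not involved
        if src_zone is None or dst_zone is None:
            return "drop"        # zone member <-> non-member traffic is always dropped
        if src_zone == dst_zone:
            return "pass"        # intra-zone traffic is allowed by default
        if flow.reverse() in self.sessions:
            return "pass"        # return traffic of an inspected session needs no reverse zone-pair
        policy = self.zone_pairs.get((src_zone, dst_zone))
        if policy is None:
            return "drop"        # inter-zone traffic with no zone-pair is dropped
        action = self.classify(policy, flow.protocol)
        if action == "inspect":
            self.sessions.add(flow)   # 'pass' would forward but create no session
        return action

def page_firewall() -> ZoneFirewall:
    """The page's ZBF configuration; the interface mapping is a constructed assumption."""
    return ZoneFirewall(
        interface_zones={"GigabitEthernet0/0": "INSIDE",
                         "GigabitEthernet0/1": "OUTSIDE",
                         "GigabitEthernet0/2": "DMZ"},
        class_maps={"WEB-TRAFFIC": ("match-any", ["http", "https"])},
        policy_maps={"INSIDE-OUT": [("WEB-TRAFFIC", "inspect"), ("class-default", "drop")]},
        zone_pairs={("INSIDE", "OUTSIDE"): "INSIDE-OUT"},
    )

if __name__ == "__main__":
    fw = page_firewall()
    web = Flow("192.168.1.10", "203.0.113.5", "https", 51000, 443)
    outbound = fw.forward("GigabitEthernet0/0", "GigabitEthernet0/1", web)
    returning = fw.forward("GigabitEthernet0/1", "GigabitEthernet0/0", web.reverse())
    print(outbound, returning)
```

Running it shows the three behaviours that generate most ZBF tickets: an HTTPS session from INSIDE is inspected and its return packets are passed without an OUTSIDE-to-INSIDE zone-pair; SSH from INSIDE hits class-default and is dropped even though no deny was written; and anything from INSIDE to DMZ is dropped because no zone-pair exists for that direction. Swapping inspect for pass in the policy-map makes the return traffic fail, which is the "inspect vs pass" item in the troubleshooting checklist.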
Essential Commands: Verify & Troubleshoot Filtering
✅ Verification Commands
Router# show access-lists [ACL-NUMBER] ! View ACL entries & hit counts
Router# show ip interface [interface] ! Check applied ACLs per interface
Router# show running-config | section access-list ! Filter ACL config
Zone-Based Firewall:
Router# show zone-pair security ! View active zone-pairs
Router# show policy-map type inspect zone-pair [name] ! Show policy actions
Router# show class-map type inspect ! List traffic classes
Layer 2 Filtering:
Switch# show mac access-group ! Display MAC ACL assignments
Switch# show port-security interface [interface] ! Port-security status
Switch# show vlan access-map ! VACL configuration
Packet Testing:
Router# ping [ip] source [interface] ! Test connectivity with source IP
Router# telnet [ip] [port] /source-interface [interface] ! Test TCP port access
Router# debug ip packet [ACL-NUMBER] detail ! Real-time packet debugging*
*Use debug commands cautiously in production!
Troubleshooting Checklist
- ACL not working? → Check direction (in/out), interface assignment, implicit deny at end
- Hit counts not increasing? → Verify traffic matches ACL criteria; use the log keyword for visibility
- ZBF dropping legitimate traffic? → Confirm zone assignments, policy-map actions, inspect vs pass
- Port-security blocking devices? → Check violation mode (shutdown/restrict/protect), MAC table
- Logging not showing? → Enable logging buffered or a syslog server; verify the ACL has the log keyword
- Performance impact? → Place most-specific ACEs first; avoid excessive logging; use hardware ACLs if available
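Two checklist items depend on the log keyword, so it helps to know what those messages look like and how to read them in bulk. The script below is an added example, not course material: it parses the %SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGS messages that IOS emits for ACEs carrying log, skips unrelated syslog lines, and totals denied packets per list and source. The SAMPLE_LOG lines are constructed for the example, not captured from a device, and the function names are hypothetical.

```python
import re
from collections import Counter

# Added illustration (not IOS code): parse the syslog messages that an ACE with the
# "log" keyword produces and summarise which sources each list is denying.
# SAMPLE_LOG is constructed for this example, not captured from a device.

SAMPLE_LOG = """\
*Mar  1 10:02:11.443: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.7(51234) -> 203.0.113.5(23), 1 packet
*Mar  1 10:02:15.901: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.168.10.7(51235) -> 203.0.113.5(443), 1 packet
*Mar  1 10:03:40.120: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.22(40000) -> 203.0.113.5(22), 1 packet
*Mar  1 10:07:11.443: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.10.7(51234) -> 203.0.113.5(23), 37 packets
*Mar  1 10:09:02.007: %SEC-6-IPACCESSLOGS: list 10 denied 10.9.9.9 3 packets
*Mar  1 10:09:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Extended-ACL message: protocol, source(port) -> destination(port), packet count
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)
# Standard-ACL message: only the source address is reported
LOGS = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<src>[\d.]+) (?P<count>\d+) packets?"
)

def parse_acl_log(text: str) -> list:
    """Return one dict per ACL log message; lines from other facilities are skipped."""
    records = []
    for line in text.splitlines():
        match = LOGP.search(line) or LOGS.search(line)
        if match:
            rec = match.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records

def denied_packets(records) -> Counter:
    """Denied packets per (list, source): the 'who keeps hitting my deny' view."""
    totals = Counter()
    for rec in records:
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return totals

def denied_destinations(records) -> Counter:
    """Denied packets per (list, destination, port) for extended-ACL messages."""
    totals = Counter()
    for rec in records:
        if rec["action"] == "denied" and "dport" in rec:
            totals[(rec["acl"], rec["dst"], rec["dport"])] += rec["count"]
    return totals

if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE_LOG)
    for key, packets in denied_packets(parsed).most_common():
        print(f"list {key[0]} denied {packets} packets from {key[1]}")
```

Note the fourth sample line: after the first matching packet, IOS reports further matches as a periodic summary ("37 packets") rather than one message per packet, so counts must be summed, not lines counted. The permitted line is parsed but excluded from the deny totals, which is how you separate "the ACL is dropping my traffic" from "the ACL is not being hit at all".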
Why Learn Traffic Filtering with CCNAGuru Saeed Ahmad
Security-Focused Instructor
Saeed Ahmad specializes in Cisco security implementations with real enterprise firewall & ACL deployments.
Live CLI Labs
Configure ACLs, ZBF, and troubleshooting on real Cisco IOS devices—not just theory or simulators.
CCNA/CCNP Security Prep
Aligned with Cisco exam objectives: security fundamentals, ACLs, firewall technologies, troubleshooting.
Threat Simulation Labs
Practice defending against spoofing, DoS, unauthorized access using realistic attack scenarios.
Flexible Learning
Morning/evening/weekend batches. Online sessions recorded for lifetime access + offline labs in Faisalabad.
Job-Ready Skills
Graduates secure roles as Network Security Engineers, SOC Analysts, and Cisco Support Specialists.
Traffic Filtering Course Curriculum
CCNA Training Investment
Complete CCNA Course
- ✅ Full CCNA 200-301 Curriculum
- ✅ Load Balancing & Redundancy Labs
- ✅ Real Equipment Practice
- ✅ Study Materials & Videos
- ✅ Exam Preparation
CCNA + Load Balancing Masterclass
- ✅ Everything in CCNA Course
- ✅ Advanced HSRP/VRRP/GLBP
- ✅ ECMP & Traffic Engineering
- ✅ 1-on-1 Mentoring Sessions
- ✅ Job Placement Assistance
- ✅ Certification Guarantee
* Installment plans available | Free demo class | 100% money-back guarantee
❓ Frequently Asked Questions
Q: What's the difference between standard and extended ACLs?
Standard ACLs (1-99, 1300-1999) filter only by source IP address. Extended ACLs (100-199, 2000-2699) filter by source/destination IP, protocol, port numbers, and support advanced options like logging and time-ranges—making them far more granular for security policies.
Q: When should I use Zone-Based Firewall instead of ACLs?
Use ZBF for complex, stateful security policies requiring application awareness, multiple security zones (Inside/Outside/DMZ), and centralized policy management. ACLs remain ideal for simple, stateless filtering on routers or as a first line of defense.
Q: How do I verify if my ACL is actually blocking traffic?
Use show access-lists [number] to check hit counts on each ACE. If hits don't increment, traffic isn't matching that rule. Add the log keyword to generate syslog messages for matched packets. Use debug ip packet cautiously for real-time analysis in lab environments.
Q: Does this course cover Cisco ASA or only IOS routers?
This course focuses on IOS-based routers and switches (CCNA/CCNP level). We cover ASA concepts briefly for context, but deep ASA/FTD training is offered in our advanced CCNP Security & Firewall specialization course.
Secure Your Network with Cisco Traffic Filtering!
Join CCNAGuru Saeed Ahmad's hands-on training and master Layer 2/3/4 filtering, ACLs, Zone-Based Firewall, and professional troubleshooting techniques used by enterprise network engineers.
Location: Online & Faisalabad Campus | ⏰ Timings: Flexible Batches