Showing posts with label Cisco Training. Show all posts

Thursday, 5 March 2026

Traffic Filtering on Cisco Routers & Firewalls | Networking Faisalabad

Traffic Filtering Using Cisco Router & Firewall - Layer 2, 3, 4 Security Training by Saeed Ahmad

Traffic Filtering Using Cisco Router & Firewall

Master Layer 2, 3, 4 Filtering • ACLs • Zone-Based Firewall • CBAC

🎓 Learn from Saeed Ahmad | Real CLI Labs | Security Troubleshooting

Online & In-Person Classes
Available Worldwide | Faisalabad Campus

What is Traffic Filtering in Cisco Networks?

Traffic filtering is a fundamental security practice that controls data flow across network devices by permitting or denying packets based on predefined rules. In Cisco environments, filtering operates at multiple OSI layers: Layer 2 (MAC addresses), Layer 3 (IP addresses), and Layer 4 (TCP/UDP ports) to enforce security policies, prevent unauthorized access, and mitigate threats.

Our CCNA/CCNP Security Training by Saeed Ahmad provides hands-on mastery of Cisco traffic filtering techniques including Standard/Extended ACLs, MAC ACLs, Zone-Based Policy Firewall (ZBF), Context-Based Access Control (CBAC), and essential troubleshooting commands to verify and debug filtering policies in real-world scenarios.

🎯 What You'll Learn in Traffic Filtering Course

Layer 2 Filtering

MAC address ACLs, port-security, VLAN ACLs (VACLs) to control traffic at the data link layer.

Layer 3 ACLs

Standard & Extended IP ACLs: filter by source/destination IP, wildcard masks, logging, time-ranges.

Layer 4 Port Filtering

TCP/UDP port-based filtering, established keyword, reflexive ACLs for stateful inspection basics.

Zone-Based Firewall (ZBF)

Modern Cisco firewall policy: zones, zone-pairs, policy-maps, inspect/ drop/ pass actions.

Verification & Troubleshooting

Essential show/debug commands: show access-lists, show zone-pair security, packet-tracer, logging analysis.

Real-World Lab Scenarios

Practice filtering DMZ traffic, block malicious IPs, permit only authorized services, simulate attacks & defenses.

📚 Traffic Filtering Techniques by OSI Layer

🔗 Layer 2 Filtering (Data Link)

Use Cases: Prevent MAC spoofing, restrict devices per switch port, isolate VLAN traffic.

Key Commands:
! MAC ACL Creation
Switch(config)# mac access-list extended BLOCK-MAC
Switch(config-ext-macl)# deny host aaaa.bbbb.cccc any
Switch(config-ext-macl)# permit any any

! Apply to Interface
Switch(config-if)# mac access-group BLOCK-MAC in

! Port Security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict

Layer 3 Filtering (Network)

Use Cases: Block malicious subnets, permit only trusted networks, implement network segmentation.

Standard ACL (Source IP only):
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
Router(config-if)# ip access-group 10 in

Extended ACL (Source/Dest/Protocol):
Router(config)# access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.5 eq 443
Router(config)# access-list 100 deny ip any any log
Router(config-if)# ip access-group 100 out

Time-Based ACL:
Router(config)# time-range WORK-HOURS
Router(config-time-range)# periodic weekdays 9:00 to 17:00
Router(config)# access-list 110 permit tcp any any eq 80 time-range WORK-HOURS

⚡ Layer 4 Filtering (Transport)

Use Cases: Allow HTTP/HTTPS only, block P2P ports, permit established return traffic.

Port-Based Filtering:
Router(config)# access-list 120 permit tcp any any eq 22
Router(config)# access-list 120 permit tcp any any eq 443
Router(config)# access-list 120 deny tcp any any range 1 1023
Router(config)# access-list 120 permit udp any any eq 53

Established Keyword (Stateful-like):
Router(config)# access-list 130 permit tcp any any established
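! Matches TCP segments with the ACK or RST bit set, which allows return traffic for sessions initiated from inside; it checks flags only and keeps no session table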

Reflexive ACL (Basic Stateful):
Router(config)# ip access-list extended OUTBOUND
Router(config-ext-nacl)# permit tcp 192.168.1.0 0.0.0.255 any reflect USER-TRAFFIC
Router(config)# ip access-list extended INBOUND
Router(config-ext-nacl)# evaluate USER-TRAFFIC

🛡️ Zone-Based Policy Firewall (Advanced)

Modern Approach: Define security zones, create zone-pairs, apply policy-maps with inspect/drop/pass actions.

ZBF Configuration Steps:
! 1. Define Zones
Router(config)# zone security INSIDE
Router(config)# zone security OUTSIDE
Router(config)# zone security DMZ

! 2. Assign Interfaces to Zones
Router(config-if)# zone-member security INSIDE

! 3. Create Class-Maps (Traffic Classification)
Router(config)# class-map type inspect match-any WEB-TRAFFIC
Router(config-cmap)# match protocol http
Router(config-cmap)# match protocol https

! 4. Create Policy-Map (Actions)
Router(config)# policy-map type inspect INSIDE-OUT
Router(config-pmap)# class type inspect WEB-TRAFFIC
Router(config-pmap-c)# inspect
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# drop

! 5. Apply to Zone-Pair
Router(config)# zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
Router(config-zone-pair)# service-policy type inspect INSIDE-OUT

🔧 Essential Commands: Verify & Troubleshoot Filtering

✅ Verification Commands

ACL Verification:
Router# show access-lists [ACL-NUMBER] ! View ACL entries & hit counts
Router# show ip interface [interface] ! Check applied ACLs per interface
Router# show running-config | section access-list ! Filter ACL config

Zone-Based Firewall:
Router# show zone-pair security ! View active zone-pairs
Router# show policy-map type inspect zone-pair [name] ! Show policy actions
Router# show class-map type inspect ! List traffic classes

Layer 2 Filtering:
Switch# show mac access-group ! Display MAC ACL assignments
Switch# show port-security interface [interface] ! Port-security status
Switch# show vlan access-map ! VACL configuration

Packet Testing:
Router# ping [ip] source [interface] ! Test connectivity with source IP
Router# telnet [ip] [port] /source-interface [interface] ! Test TCP port access
Router# debug ip packet [ACL-NUMBER] detail ! Real-time packet debugging*
*Use debug commands cautiously in production!

🚨 Troubleshooting Checklist

  • ACL not working? → Check direction (in/out), interface assignment, implicit deny at end
  • Hit counts not increasing? → Verify traffic matches ACL criteria; use log keyword for visibility
  • ZBF dropping legitimate traffic? → Confirm zone assignments, policy-map actions, inspect vs pass
  • Port-security blocking devices? → Check violation mode (shutdown/restrict/protect), MAC table
  • Logging not showing? → Enable logging buffered or syslog server; verify ACL has log keyword
  • Performance impact? → Place most-specific ACEs first; avoid excessive logging; use hardware ACLs if available
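
The first-match and implicit-deny behaviour behind the checklist above, as an added Python example that is not part of the original course material: it evaluates constructed sample packets against the page's ACL 100 and ACL 120 and returns per-ACE hit counts, the figures `show access-lists` reports. The parser covers only the syntax used in those two lists (any/host/wildcard addresses, destination `eq`/`range`); the function names and sample packets are assumptions.

```python
import ipaddress
# ACL text copied from the page's Layer 3 and Layer 4 sections.
ACL_100 = """access-list 100 permit tcp 192.168.10.0 0.0.0.255 host 203.0.113.5 eq 443
access-list 100 deny ip any any log"""
ACL_120 = """access-list 120 permit tcp any any eq 22
access-list 120 permit tcp any any eq 443
access-list 120 deny tcp any any range 1 1023
access-list 120 permit udp any any eq 53"""

# Constructed sample traffic: (protocol, source, destination, destination port)
PACKETS = [("tcp", "192.168.10.77", "203.0.113.5", 443),
           ("tcp", "192.168.11.77", "203.0.113.5", 443),
           ("tcp", "192.168.10.77", "203.0.113.5", 8080),
           ("udp", "192.168.10.77", "203.0.113.5", 123)]

def _addr(tok):
    """Consume one address spec; return (address, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _ports(tok):
    """Destination-port span (low, high); all ports when no operator is given."""
    if tok[:1] == ["eq"]:
        return int(tok[1]), int(tok[1])
    return (int(tok[1]), int(tok[2])) if tok[:1] == ["range"] else (0, 65535)

def parse_acl(text):
    """Parse numbered extended ACL lines into ACE dicts with a hit counter."""
    aces = []
    for line in text.splitlines():
        tok = line.split()[2:]                  # drop "access-list <number>"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        aces.append({"action": action, "proto": proto, "src": src,
                     "dst": dst, "ports": _ports(tok), "hits": 0})
    return aces

def _ip_match(ip, addr, wild):
    care = ~wild & 0xFFFFFFFF                   # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(aces, proto, src, dst, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in aces:
        low, high = ace["ports"]
        if (ace["proto"] in ("ip", proto) and _ip_match(src, *ace["src"])
                and _ip_match(dst, *ace["dst"]) and low <= dport <= high):
            ace["hits"] += 1
            return ace["action"]
    return "implicit deny"                      # leaves no hit counter behind

def run(acl_text, packets=PACKETS):
    """Return (verdict per packet, hit count per ACE) for the sample traffic."""
    aces = parse_acl(acl_text)
    return [evaluate(aces, *p) for p in packets], [a["hits"] for a in aces]
```

`run(ACL_120)` drops two packets on the implicit deny without incrementing any counter, while `run(ACL_100)` counts the same kind of drops on its explicit `deny ip any any log` entry.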

Why Learn Traffic Filtering with CCNAGuru Saeed Ahmad

👨‍💻 Security-Focused Instructor

Saeed Ahmad specializes in Cisco security implementations with real enterprise firewall & ACL deployments.

🔬 Live CLI Labs

Configure ACLs, ZBF, and troubleshooting on real Cisco IOS devices—not just theory or simulators.

📜 CCNA/CCNP Security Prep

Aligned with Cisco exam objectives: security fundamentals, ACLs, firewall technologies, troubleshooting.

🛡️ Threat Simulation Labs

Practice defending against spoofing, DoS, unauthorized access using realistic attack scenarios.

Flexible Learning

Morning/evening/weekend batches. Online sessions recorded for lifetime access + offline labs in Faisalabad.

🎯 Job-Ready Skills

Graduates secure roles as Network Security Engineers, SOC Analysts, and Cisco Support Specialists.

📋 Traffic Filtering Course Curriculum

Module 1: Security Fundamentals & Threat Modeling
Module 2: Layer 2 Filtering: MAC ACLs & Port-Security
Module 3: Standard & Extended IP ACLs (Layer 3)
Module 4: Layer 4 Filtering: TCP/UDP Ports & Stateful Basics
Module 5: Zone-Based Policy Firewall (ZBF) Deep Dive
Module 6: Verification Commands & Logging Strategies
Module 7: Troubleshooting Methodologies & Debug Techniques
Module 8: Capstone Lab: Secure Enterprise Network Design

🎓 CCNA Training Investment

Complete CCNA Course

PKR 45,000
  • ✅ Full CCNA 200-301 Curriculum
  • ✅ Load Balancing & Redundancy Labs
  • ✅ Real Equipment Practice
  • ✅ Study Materials & Videos
  • ✅ Exam Preparation
POPULAR

CCNA + Load Balancing Masterclass

PKR 55,000
  • ✅ Everything in CCNA Course
  • ✅ Advanced HSRP/VRRP/GLBP
  • ✅ ECMP & Traffic Engineering
  • ✅ 1-on-1 Mentoring Sessions
  • ✅ Job Placement Assistance
  • ✅ Certification Guarantee

* Installment plans available | Free demo class | 100% money-back guarantee

❓ Frequently Asked Questions

Q: What's the difference between standard and extended ACLs?

Standard ACLs (1-99, 1300-1999) filter only by source IP address. Extended ACLs (100-199, 2000-2699) filter by source/destination IP, protocol, port numbers, and support advanced options like logging and time-ranges—making them far more granular for security policies.

Q: When should I use Zone-Based Firewall instead of ACLs?

Use ZBF for complex, stateful security policies requiring application awareness, multiple security zones (Inside/Outside/DMZ), and centralized policy management. ACLs remain ideal for simple, stateless filtering on routers or as a first line of defense.

Q: How do I verify if my ACL is actually blocking traffic?

Use show access-lists [number] to check hit counts on each ACE. If hits don't increment, traffic isn't matching that rule. Add the log keyword to generate syslog messages for matched packets. Use debug ip packet cautiously for real-time analysis in lab environments.

Q: Does this course cover Cisco ASA or only IOS routers?

This course focuses on IOS-based routers and switches (CCNA/CCNP level). We cover ASA concepts briefly for context, but deep ASA/FTD training is offered in our advanced CCNP Security & Firewall specialization course.

Secure Your Network with Cisco Traffic Filtering!

Join CCNAGuru Saeed Ahmad's hands-on training and master Layer 2/3/4 filtering, ACLs, Zone-Based Firewall, and professional troubleshooting techniques used by enterprise network engineers.

Location: Online & Faisalabad Campus | ⏰ Timings: Flexible Batches

🎯 Top-Rated Cisco Security Training in Pakistan

ACL Mastery
Zone-Based Firewall
Troubleshooting Pro
Job-Ready Skills

Saturday, 25 August 2018

CCNA Classes Faisalabad | First step toward a networking career

CCNA 200-301

Certified by Cisco Networking Academy

Begin your journey towards a professional networking career with this comprehensive course on network fundamentals. Understand the architecture, topology, and operations of networks that support businesses of all sizes, from startups to global enterprises.

Through hands-on labs, you will configure and manage networks, including a basic LAN (Local Area Network) setup. By the end of this course, you will be confident in your knowledge of:

  • Routing and Switching fundamentals
  • Network applications, protocols, and services
  • IP addressing, subnetting, and network troubleshooting
  • Basic security practices and firewall concepts

This is the first course in a 4-part series designed to prepare learners for entry-level networking jobs and the Cisco CCNA certification. No prior networking experience is required.

By completing this course, you will gain skills applicable to roles such as Network Technician, Network Administrator, and IT Support Specialist. This course also provides foundational knowledge necessary for further Cisco certifications like CCNP Routing & Switching and Cybersecurity Specializations.

With real-world examples, guided labs, and instructor-led sessions, you'll learn to design, configure, and maintain networks efficiently and securely. Enhance your resume and open doors to a high-demand, well-paying career in IT networking and network security.

⏱ Duration: 70 hours

💲 Cost: Registration Fee Only

📈 Level: Intermediate

🎓 Learning Type: Instructor-led & Online

📌 Skills Covered: LAN/WAN configuration, routing protocols, switching, IP addressing, troubleshooting, network security basics

💡 CCNAGuru

📞 +92-301-7640931

Get Online Networking Training and Cisco Certifications

Sunday, 12 August 2018

CCNA Classes in Faisalabad | Cisco Networking Academy

Get CCNA 200-125 Training and Coaching by Cisco Certified Instructors only in Faisalabad at Cisco Networking Academy

5 days per week class

90 minutes session

100% Lab

Cisco Official Account for Every CCNA Student

Get Free discount voucher after academy exams

Cisco Networking Academy Faisalabad

Students at Cisco Training Center Faisalabad

Cisco Academy Faisalabad

The Cisco Networking Academy® CCNA Routing and Switching curriculum is designed for students who are seeking entry-level ICT jobs or plan to pursue more specialized ICT skills.
CCNA Routing and Switching provides comprehensive coverage of networking topics, from fundamentals to advanced applications and services, with opportunities for hands-on practical experience and career skills development.
Cisco Certifications
Students will be prepared to take the Cisco CCENT® certification exam after completing a set of two courses and the CCNA® Routing and Switching certification exam after completing a set of four courses.
Features and Benefits
The CCNA Routing and Switching curriculum offers the following features and benefits:
  • Students learn the basics of routing, switching, and advanced technologies to prepare for the CCENT and CCNA certification exams, networking related degree programs, and entry-level careers.
  • The language used to describe networking concepts is designed to be easily understood by learners at all levels and embedded interactive activities help reinforce comprehension.
  • Courses emphasize critical thinking, problem solving, collaboration, and the practical application of skills.
  • Multimedia learning tools, including videos, games, and quizzes, address a variety of learning styles and promote increased knowledge retention.
  • Hands-on labs and Cisco® Packet Tracer simulation-based learning activities help students develop critical thinking and complex problem solving skills.
  • Embedded assessments provide immediate feedback to support the evaluation of knowledge and acquired skills.

Course Description
CCNA Routing and Switching teaches comprehensive networking concepts, from network applications to the protocols and services provided to those applications by the lower layers of the network. Students will progress from basic networking to more complex enterprise and theoretical networking models later in the curriculum.
There are four courses in the recommended sequence:
  • Introduction to Networks
  • Routing and Switching Essentials
  • Scaling Networks
  • Connecting Networks
In each course, Networking Academy™ students will learn technology concepts with the support of interactive media and apply and practice this knowledge through a series of hands-on and simulated activities that reinforce their learning.

Introduction to Networks
Description:
Introduces the architecture, structure, functions, components, and models of the Internet and other computer networks. The principles and structure of IP addressing and the fundamentals of Ethernet concepts, media, and operations are introduced to provide a foundation for the curriculum. By the end of the course, students will be able to build simple LANs, perform basic configurations for routers and switches, and implement IP addressing schemes.
Detail:
Describe the devices and services used to support communications in data networks and the Internet
Describe the role of protocol layers in data networks
Describe the importance of addressing and naming schemes at various layers of data networks in IPv4 and IPv6 environments
Design, calculate, and apply subnet masks and addresses to fulfill given requirements in IPv4 and IPv6 networks
Build a simple Ethernet network using routers and switches
Use Cisco command-line interface (CLI) commands to perform basic router and switch configurations

Routing and Switching Essentials
Description:
Describes the architecture, components, and operations of routers and switches in a small network. Students learn how to configure a router and a switch for basic functionality. By the end of this course, students will be able to configure and troubleshoot routers and switches and resolve common issues with static routes, RIPv2, VLANs, NAT, ACLs, and DHCP in both IPv4 and IPv6 networks, and perform device discovery, management and maintenance.
Detail:
Determine how a router will forward traffic based on the contents of a routing table.
Explain how switching operates in a small to medium-sized business network.
Use monitoring tools and network management protocols to troubleshoot data networks.
Implement access control lists (ACLs) to filter traffic.
Configure and troubleshoot VLANs and routing with static route and RIPv2.
Describe the operations of Dynamic Host Configuration Protocol for IPv4 and IPv6

Scaling Networks
Description:
Describes the architecture, components, and operations of routers and switches in a large and complex network. Students learn how to configure routers and switches for advanced functionality. By the end of this course, students will be able to configure and troubleshoot routers and switches and resolve common issues with OSPF, EIGRP, STP, and VTP in both IPv4 and IPv6 networks. Students will also develop the knowledge and skills needed to implement DHCP and DNS operations in a network.
Detail:
Configure and troubleshoot DHCP and DNS operations for IPv4 and IPv6
Describe the operations and benefits of the Spanning Tree Protocol (STP)
Configure and troubleshoot STP operations
Describe the operations and benefits of link aggregation and Cisco VLAN Trunk Protocol (VTP)
Configure and troubleshoot basic operations of routers in a complex routed network for IPv4 and IPv6
Configure and troubleshoot advanced operations of routers and implement RIP, OSPF, and EIGRP routing protocols for IPv4 and IPv6
Manage Cisco IOS® Software licensing and configuration files

Connecting Networks
Description:
Discusses the WAN technologies and network services required by converged applications in a complex network. The course enables students to understand the selection criteria of network devices and WAN technologies to meet network requirements. Students learn how to configure and troubleshoot network devices and resolve common issues with data link protocols. Students also develop the knowledge and skills needed to implement IPSec and virtual private network (VPN) operations in a complex network.
Detail:
Describe the operations and benefits of virtual private networks (VPNs) and tunneling
Describe different WAN technologies and their benefits
Configure and troubleshoot serial connections
Configure and troubleshoot broadband connections
Configure and troubleshoot IPSec tunneling operations
Monitor and troubleshoot network operations using syslog, SNMP, and NetFlow

Design network architectures for borderless networks, data centers, and collaboration