ACE filters are applied after an analysis of the traffic types flowing on the network. The filters provide security by permitting legitimate traffic and denying (dropping) all other traffic. Filters can also redirect certain traffic to another IP address, and they can determine which traffic is permitted on which parts of the network.
The access control entries (ACEs) named DENY ANY or DENY ANY ANY are the clean-up filters. These filters drop any traffic that does not match another ACE.
The ACEs permit the following traffic (this is not an exhaustive list):
Domain Name Service (DNS) traffic
Internet Control Message Protocol (ICMP) traffic
Virtual Router Redundancy Protocol (VRRP) traffic (in certain areas)
Bootstrap Protocol (BOOTP) server and client traffic
Dynamic Host Configuration Protocol (DHCP) traffic
Network Basic Input/Output System (NetBIOS) traffic (in certain areas)
Transmission Control Protocol (TCP) traffic with the Established flag set
traffic involving specific IP addresses
Microsoft Operations Manager 2005 agent (MOM 2005) traffic
Hypertext Transfer Protocol (HTTP), HTTP proxy, and HTTP Secure (HTTPS) traffic
remote desktop traffic
Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE) traffic
SQL database system traffic
Other ACEs are configured to deny (drop) the following traffic:
VRRP traffic (in certain areas)
NetBIOS traffic (UDP destination ports 137, 138)
specific multicast traffic (UDP destination ports 61011, 64046)
specific UDP traffic
instant messaging traffic (UDP destination port 1900)
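The first-match ordering, the Established-flag permit and the clean-up DENY ANY entry described above, as an added example that is not part of the original document. The packet fields, the order of the entries and the port numbers not listed on the page (53 for DNS, 80/443 for HTTP/HTTPS, 3389 for remote desktop) are assumptions for illustration.

```python
# Added example, not from the original document: a first-match ACE evaluator
# modelled on the permit/deny lists above. Packets and ACE order are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    established: bool = False    # TCP ACK/RST set: reply to a session started inside

@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: Optional[str] = None         # None matches any protocol
    dst_ports: frozenset = frozenset()  # empty set matches any destination port
    established: Optional[bool] = None  # None: the flag is not examined
    name: str = ""

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.established is not None and p.established != self.established:
            return False
        return True

# Ordered list in the spirit of the document: the deny entries for NetBIOS,
# the multicast ports and port 1900 sit above the permits; DENY ANY closes it.
ACES = [
    Ace("deny", "udp", frozenset({137, 138}), name="NetBIOS"),
    Ace("deny", "udp", frozenset({61011, 64046}), name="multicast"),
    Ace("deny", "udp", frozenset({1900}), name="instant messaging"),
    Ace("permit", "udp", frozenset({53}), name="DNS"),            # port assumed
    Ace("permit", "icmp", name="ICMP"),
    Ace("permit", "tcp", frozenset({80, 443, 3389}), name="HTTP/HTTPS/RDP"),  # assumed
    Ace("permit", "tcp", established=True, name="TCP established"),
    Ace("deny", name="DENY ANY"),   # clean-up filter: anything unmatched is dropped
]

def evaluate(p: Packet, aces=ACES) -> tuple:
    """Return (action, ace_name) of the first matching ACE. The clean-up entry
    guarantees a match, so a packet never falls off the end of the list."""
    for ace in aces:
        if ace.matches(p):
            return ace.action, ace.name
    raise AssertionError("ACE list lacks a clean-up DENY ANY entry")
```

A new inbound TCP connection to a port that no permit entry names reaches DENY ANY, while the reply half of an inside-initiated session passes on the Established entry; moving the deny entries below the permits would silently change the outcome, which is why the order matters.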