i want to block internal ip addresses at my router 5

[foil]

i do not want users who know my static ip address to use them but i may want to allocate them later to valid users
how do i block users with those addresses at my router by ip address. can i do that with mac addresses also.
syntax and procedure would help [sig][/sig]

 

[Buffman]

Hi foil,

If I understand what you posted, you are saying that you dont want people contacting particular devices with certain ip addresses. If this is true, you can configure an access list that will block them from reaching each static address. This is an example of an access list you can create and then apply to an interface:

access-list 101 deny ip any host A.B.C.D {the static ip of the device}

Place this access list on the router interface closest to the network you want to block.

ie. enter config mode and enter the interface closest to the network you want blocked (int e0).
invoke the command: ip access-group 101 in

By doing this, the interface e0 will check any frame that tries to enter it (the router) for the destination address of the static ip you are putting a block on. If a computer is indeed trying to reach that ip address, the router will stop the packet right there before it can hardly get anywhere.

You can add additional blocks to other ip addresses on that same access list also:
access-list 101 deny ip any 192.12.25.12
access-list 101 deny ip any 192.12.25.13

You can continue adding more lines this way. Only bad thing is if you have to remove a line you will have to destroy the entire access list and start all over. You can add lines but not delete lines.

*REMEMBER* to put this line in your access list:
access-list 101 permit any
Because there is an inherent "deny all" at the end of EVERY access list, you must place this in it or else the interface will deny everything trying to go into enter the interface. Also remember to use, in this situation, numbers between 100 and 199 because you are blocking access to a specific destination.

If you need more assistance email me sladewil@pilot.msu.edu
[sig][/sig]

 

[ariev]

Hi

Be aware that long access-lists are cpu-hogs and would decrease performance!

there is a better way:
at the router add the following lines:

conf t

ip route <blocked ip adderess> 255.255.255.255 null0

(null <zero>)

do this for every ip address you want to block.
This will block the packets that are coming back to the user from outside the network, effectivly disabling him from opening connections... This way is much more cpu-effective

If you have clusters of blocked ip's you could change the mask to fit the ranges...

Arie [sig][/sig]

 

[wybnormal]

Along the lines of process hogs, on an Enterprise router like the 7507, if you enable an access list, you have just broken your fastswitching back bone. The router has to look at EVERY packet and decide if the list(s) apply and you end up losing alot of performance that you paid for with the highspeed back plane. Oops...

The route to null is a good idea to avoid this hit.

Mike S [sig][/sig]

 

[ariev]

Hi

On a Cisco 7507 you SHOULD NOT use fastswitching! you should enable CEF (ip cef distributed)

whith cef, the forwarding is much faster, and things like ACLs are done inside the cef engine and do not affect performance that much

but still it is much better to not use long ACLs that have to pass a lot of traffic through them.

Arie [sig][/sig]