Beginner

Block all Russia Public IP Addresses

Recently we have been tasked by C-level executives to block all IP communication to Russia. There are about 65,000 (CIDR-aggregated) public IP addresses in China.

I don't want to manage an ACL with 65,000 entries, not to mention how much larger it gets when adding other countries.

Any suggestions out there?

Thank you

Hall of Fame Community Legend

Re: Block all Russia Public IP Addresses

Duplicate post #2.

Beginner

Re: Block all Russia Public IP Addresses

Check out the CountryIPBlock website. Here is a link to this cool feature where you put in a country and it can output a Cisco router ACL for you: https://www.countryipblocks.net/country_selection.php. About a month ago I was instructed to block China and Iran on our Internet-facing 2851s. I was concerned about what this would do to latency, but we have no issues. When I was doing my research I found that Cisco uses a more efficient algorithm as of (I believe) 12.3T. I forget the details, but it appears to be similar to the Turbo ACL feature that the PIX firewalls used, except it works by default (like current ASAs do) and you do not have to manually compile the ACL.

I just select the country, copy the text to Notepad, and you are ready to create the ACL on your router. I pasted the output for Russia into an Excel spreadsheet and got about 6,500 lines.

Beginner

Re: Block all Russia Public IP Addresses

Thank you K. I have seen that tool and have been evaluating this option. We have concerns that the 100,000 ACL entries on the Internet-facing 3925s will be too much of a performance hit.

Beginner

Re: Block all Russia Public IP Addresses

If it is just Russia it should be about 6,500 lines. Blocking Iran and China was about 3,900 lines. We implemented this on our 2851s and it cost about 1 ms in latency.

Beginner

Can you post a scrubbed copy

Can you post a scrubbed copy of the config?

Frequent Contributor

Block all Russia Public IP Addresses

If you have a full BGP view, you can block all Russian ASes.

Re: Block all Russia Public IP Addresses

At Country IP Blocks our response to the problems associated with large Access Control Lists was to design a Network Aggregation Module as an add-on to our membership plans. Using this module usually results in some very significant reductions in the size of country-specific ACLs.

Examples (as of April 17, 2013 11:49 AM GMT -0700)

Aggregating networks in China reduces the overall list size by 25% (from 3,596 to 2,694 networks).

Russian aggregation reduces the list size to 5,906 networks.

Aggregation becomes more significant when you select multiple countries with more contiguous networks.

Combining networks in the United States and Canada:

Non-Aggregated Network: 50,282

Aggregated Networks: 12,751

Size Reduction: 74.64%

Our Network Aggregation Module reduces the number of networks within a selection of countries by first combining all the contiguous networks into the largest possible ranges and then processing that data to create an ACL with the fewest number of legal networks possible.

You can find out more about it by visiting our website at http://www.countryipblocks.net

If we can be of further help please let us know.
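The two-step aggregation described above (merge contiguous networks into the largest possible ranges, then cover each range with the fewest legal CIDR blocks) and the "paste the tool's output into an IOS ACL" step from the earlier reply, as an added example that is not part of this thread and not Country IP Blocks' code. It uses only the Python standard library. The input prefixes are constructed from RFC 5737 documentation space, not a real country export; the ACL number 101 and the function names are my own choices. Unlike the vendor's service it is not a live feed of allocations: you would feed it the list you downloaded, and regenerate when that list changes.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample input (not a real country export): RFC 5737 documentation
# prefixes, deliberately unsorted, overlapping and duplicated, the way a raw
# per-registry allocation dump tends to look before aggregation.
SAMPLE_NETWORKS = [
    "203.0.113.0/24",
    "192.0.2.128/25",
    "192.0.2.0/25",       # sibling of the line above: together they are 192.0.2.0/24
    "198.51.100.0/24",
    "198.51.100.64/26",   # already inside the /24 above
    "198.51.101.0/25",    # contiguous with that /24, but the union is not one aligned block
    "203.0.112.0/24",     # contiguous with 203.0.113.0/24, listed out of order
    "203.0.114.0/23",     # contiguous again: 203.0.112.0 - 203.0.115.255 is exactly a /22
    "203.0.113.0/24",     # duplicate line
]

IntRange = Tuple[int, int]


def merge_ranges(networks: Iterable[ipaddress.IPv4Network]) -> List[IntRange]:
    """Step 1: combine contiguous or overlapping prefixes into the largest
    possible address ranges, returned as (first, last) integers in order."""
    spans = sorted((int(n.network_address), int(n.broadcast_address)) for n in networks)
    merged: List[IntRange] = []
    for first, last in spans:
        if merged and first <= merged[-1][1] + 1:  # touches or overlaps the open range
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def ranges_to_cidrs(ranges: Iterable[IntRange]) -> List[ipaddress.IPv4Network]:
    """Step 2: cover each range with the fewest legal (aligned) CIDR blocks.
    An unaligned range such as .100.0-.101.127 needs more than one block."""
    cidrs: List[ipaddress.IPv4Network] = []
    for first, last in ranges:
        cidrs.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return cidrs


def aggregate(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse text prefixes and return the minimal CIDR cover of their union.
    strict=True makes a malformed line (host bits set) fail loudly instead of
    silently widening the block list."""
    nets = [ipaddress.IPv4Network(p, strict=True) for p in prefixes]
    return ranges_to_cidrs(merge_ranges(nets))


def cisco_acl(networks: Iterable[ipaddress.IPv4Network], acl_number: int = 101) -> List[str]:
    """Emit an IOS numbered extended ACL: one deny per block (wildcard mask is
    the inverse of the netmask, i.e. the hostmask), then permit everything else."""
    lines: List[str] = []
    for net in networks:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny ip host {net.network_address} any")
        else:
            lines.append(f"access-list {acl_number} deny ip {net.network_address} {net.hostmask} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


def reduction_percent(before: int, after: int) -> float:
    """Size reduction in the same form the post quotes it (e.g. 74.64%)."""
    return round(100.0 * (before - after) / before, 2)


def same_as_stdlib_collapse(prefixes: Iterable[str]) -> bool:
    """Sanity check: the two-step result must equal ipaddress.collapse_addresses()."""
    plist = list(prefixes)
    ours = sorted(aggregate(plist))
    ref = sorted(ipaddress.collapse_addresses(ipaddress.IPv4Network(p) for p in plist))
    return ours == ref


if __name__ == "__main__":
    blocks = aggregate(SAMPLE_NETWORKS)
    print(f"# {len(SAMPLE_NETWORKS)} input networks -> {len(blocks)} blocks "
          f"({reduction_percent(len(SAMPLE_NETWORKS), len(blocks))}% reduction)")
    print("\n".join(cisco_acl(blocks)))
```

The generated lines go into the router as shown, followed by `ip access-group 101 in` on the Internet-facing interface. Two caveats a practitioner should keep in mind: the implicit deny at the end of every IOS ACL is why the explicit `permit ip any any` is emitted last, and a geo-IP list is a snapshot of allocations that drift over time, so the ACL has to be regenerated and re-applied on a schedule rather than pasted once.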
