Recently we have been tasked by C-level executives to block all IP communication to Russia. There are about 65,000 (CIDR aggregated) public IP addresses in China.
I don't want to manage an ACL with 65,000 entries, not to mention how much larger it gets when adding other countries.
Any suggestions out there?
Check out the CountryIPBlocks website. Here is a link to this cool feature where you put in a country and it can output a Cisco router ACL for you: https://www.countryipblocks.net/country_selection.php. About a month ago I was instructed to block China and Iran on our Internet-facing 2851s. I was concerned about what this would do to latency, but we have no issues. When I was doing my research I found that Cisco uses a more efficient algorithm as of (I believe) 12.3T. I forget the details, but it appears to be similar to the Turbo ACL feature that the PIX firewalls used, except it works by default (like current ASAs do) and you do not have to manually compile the ACL.
I just select the country, copy the text to Notepad, and you are ready to create the ACL on your router. I pasted the output for Russia into an Excel spreadsheet and got about 6500 lines.
Thank you, K. I have seen that tool and have been evaluating this option. We have concerns that 100,000 ACL entries on the Internet-facing 3925s will be too much of a performance hit.
If it is just Russia, it should be about 6500 lines. Blocking Iran and China was about 3900 lines. We implemented this on our 2851s and it cost about 1 ms in latency.
At Country IP Blocks, our response to the problems associated with large Access Control Lists was to design a Network Aggregation Module as an add-on to our membership plans. Using this module usually results in some very significant reductions in the size of country-specific ACLs.
Examples (as of April 17, 2103, 11:49 AM GMT -0700):
Aggregating networks in China reduces the overall list size by 25% (from 3,596 to 2,694 networks).
Russian aggregation reduces the list size to 5,906 networks.
Aggregation becomes more significant when you select multiple countries with more contiguous networks.
Combining networks in the United States and Canada:
Non-Aggregated Network: 50,282
Aggregated Networks: 12,751
Size Reduction: 74.64%
Our Network Aggregation Module reduces the number of networks within a selection of countries by first combining all the contiguous networks into the largest possible ranges and then processing that data to create an ACL with the fewest number of legal networks possible.
You can find out more about it by visiting our website at http://www.countryipblocks.net
If we can be of further help please let us know.
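The aggregation step described in the thread (merging adjacent prefixes into the largest possible blocks and dropping prefixes already covered by a larger one, then rendering a Cisco ACL with wildcard masks) can be done with Python's standard library. The example below is added here and is not code from the thread or from CountryIPBlocks; the prefix list is constructed from documentation and RFC 1918 ranges, and the ACL number 100 is an assumption. It also adds a coverage check so that aggregation can never silently un-block an address that was in the original list.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample list: adjacent and overlapping prefixes from the
# RFC 5737 documentation ranges and RFC 1918, not real country allocations.
SAMPLE_NETWORKS = """
# blank lines and comments are ignored
192.0.2.0/25
192.0.2.128/25
198.51.100.0/26
198.51.100.64/26
198.51.100.128/25
203.0.112.0/24
203.0.113.0/24
10.0.0.0/8
10.1.0.0/16
"""


def parse_networks(text: str) -> List[ipaddress.IPv4Network]:
    """Parse one CIDR per line. strict=True rejects prefixes with host bits
    set rather than silently widening them into a larger block."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def aggregate(nets: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent prefixes and drop prefixes contained in another one."""
    return list(ipaddress.collapse_addresses(nets))


def covers_all(original, aggregated) -> bool:
    """Deployment check: every original prefix must lie inside some
    aggregated prefix, so the deny list never loses a range."""
    return all(any(o.subnet_of(a) for a in aggregated) for o in original)


def cisco_acl(nets, acl_number: int = 100) -> List[str]:
    """Render an extended numbered ACL (wildcard masks) denying traffic
    sourced from the prefixes, followed by an explicit permit-any."""
    lines = []
    for n in nets:
        src = f"host {n.network_address}" if n.prefixlen == 32 \
            else f"{n.network_address} {n.hostmask}"
        lines.append(f"access-list {acl_number} deny ip {src} any")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    original = parse_networks(SAMPLE_NETWORKS)
    merged = aggregate(original)
    assert covers_all(original, merged)
    print(f"{len(original)} networks -> {len(merged)} after aggregation")
    print("\n".join(cisco_acl(merged)))
```

On the sample list this turns 9 prefixes into 4 ACL entries (plus the final permit); mixing IPv4 and IPv6 prefixes in one call raises TypeError, so country lists for both families are aggregated separately.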