05-05-2008 02:18 PM - edited 02-20-2020 09:40 PM
I see people asking if there are premade ACLs to block Chinese and Russian nets from their edge routers. Since I spent so much time creating entries for them based on information received from http://www.ipdeny.com/ipblocks/ I decided to share them. They are in the attached Word Docs.
There are a lot of entries but since it is in a standard ACL it should not tax your routers too greatly.
Sean Odom
Sybex/Wiley Cisco Author
05-05-2008 03:09 PM
Inline IPS appliances are also good for this sort of thing, especially since they already inspect every packet.
05-07-2008 06:26 AM
Well, I'd rather not tax the IPS even further for something that the edge router should be capable of taking care of. Especially since the source of the traffic should be denied at the closest managed point.
If you do not want this traffic coming inbound, closest for some would be the edge router. Others may only have their firewall as the closest manageable point.
Suggestion to those that do not manage their edge router would be to compile a list such as the one listed above. Then send it to your provider requesting they place it on this router. Of course this may become a double-edged sword in a sense. If there is legit traffic from one of these source IP addresses that you identify down the road, it might be a hassle to get the block resolved.
Or, you can also apply these right there on your firewall as well.
Thank you for providing this list!
12-18-2016 07:42 AM
Thanks. I'm going through the document but I can't understand why you don't summarize. :)
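The summarization raised in the last post, as an added example that is not part of the original thread or the attached documents: it collapses one-CIDR-per-line prefixes (the layout of an ipdeny.com zone file) into the fewest exact-covering blocks and emits them as standard ACL entries with wildcard masks. The function names, ACL number 10 and the sample prefixes (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, one CIDR per line; documentation ranges, not real allocations.
SAMPLE_ZONE = """\
# constructed sample
198.51.100.0/25
198.51.100.128/25
203.0.113.0/26
203.0.113.64/26
203.0.113.128/25
192.0.2.16/28
192.0.2.20/30
203.0.113.5/24
not-a-prefix
"""

def parse_zone(text):
    """Return (networks, rejected_lines). strict=True rejects a prefix with
    host bits set instead of silently widening it to the enclosing block."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            rejected.append(line)
    return nets, rejected

def summarize(nets):
    """Merge adjacent and overlapping blocks. The result covers exactly the
    same addresses as the input, so no extra source range gets denied."""
    return list(ipaddress.collapse_addresses(nets))

def to_standard_acl(nets, acl_number=10):
    """Render networks as numbered standard ACL lines (source + wildcard)."""
    if not (1 <= acl_number <= 99 or 1300 <= acl_number <= 1999):
        raise ValueError("standard ACL numbers are 1-99 and 1300-1999")
    lines = [f"access-list {acl_number} deny {n.network_address} {n.hostmask}"
             for n in nets]
    # Without a final permit, the implicit deny drops every other source too.
    lines.append(f"access-list {acl_number} permit any")
    return lines

if __name__ == "__main__":
    parsed, bad = parse_zone(SAMPLE_ZONE)
    print("\n".join(to_standard_acl(summarize(parsed))))
    print(f"! {len(parsed)} prefixes in, {len(bad)} lines rejected: {bad}")
```

Rejected lines are worth reviewing by hand before the ACL is applied, since a malformed entry in the source list means a range that is not being blocked.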