01-19-2011 02:48 PM - edited 03-04-2019 11:08 AM
Hey there,
I have an external ip address attacking my network.
What is a basic access list I can use to block it?
access-list 3 deny host x.x.x.x
int fa 0/3/0
access-class 3 in?
and then apply that to my external interface?
Thanks in advance.
01-19-2011 03:55 PM
I would create a route for that host or subnet and send it to null0. What that will do is send any traffic from the source address to a black hole. It saves on resources since an ACL lookup isn't necessary. I like to use null0 for known spammers/attackers so when I look in the config I know that anything that points to null0 should probably stay. In an ACL you often forget why that deny was in there.
ip route 75.50.95.72 255.255.255.255 null0
01-19-2011 03:59 PM
Good point Collin.
01-19-2011 06:10 PM
Collin,
Unless I am misunderstanding your post, isn't this just routing your return traffic to the "bad address" to null0? The traffic sourcing from that address will still reach its destination (your machine), as traditional route lookups only check destination. This may or may not be acceptable, but I just wanted to clarify.
Regards,
Matt
01-19-2011 08:21 PM
Matt
You are correct. The solution with the null 0 route will discard return traffic but will not prevent the original attack traffic from reaching its target.
To the original poster - your access list is a good start
access-list 3 deny host x.x.x.x
but if that is the entire access list then you will deny all traffic coming into that interface. The configured statement will deny some and the implicit deny at the bottom of every access list will deny everything else. To make that access list work you would need to add
access-list 3 permit any
HTH
Rick
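Putting Rick's point together with the original question, here is an added example of the complete IOS configuration; it is not configuration taken from any post in this thread. It assumes the interface name FastEthernet0/3/0 from the original post and uses 203.0.113.45 (a documentation address) in place of the attacker. Two things go slightly beyond what the thread states: on an interface the ACL is applied with ip access-group (access-class applies an ACL to the vty lines, not to a physical interface), and the null0 route only stops traffic sourced from your side unless unicast RPF is also enabled on the interface, in which case the router drops packets whose source address is routed to Null0 as well.

```cisco
! Standard ACL: deny the attacking host, then explicitly permit everything else.
! Without the permit line the implicit deny at the end would drop all inbound traffic.
access-list 3 remark Block attacker first seen 2011-01-19 (record the ticket/reason here)
access-list 3 deny   host 203.0.113.45 log
access-list 3 permit any
!
! Apply it inbound on the Internet-facing interface.
! (access-class is for line vty; ip access-group is the interface form.)
interface FastEthernet0/3/0
 description Internet-facing interface
 ip access-group 3 in
!
! Optional blackhole route. On its own this only discards replies to the host;
! with loose-mode unicast RPF on the same interface, packets FROM the host are
! dropped too, because their source resolves to a Null0 route.
ip route 203.0.113.45 255.255.255.255 Null0
interface FastEthernet0/3/0
 ip verify unicast source reachable-via any
!
! Verification (exec mode): the deny counter should climb while the attack continues.
! show access-lists 3
! show ip interface FastEthernet0/3/0 | include verify
```

The remark line is there for the reason Collin gave: a deny without a note is the entry nobody dares remove six months later. Check the hit counter on the deny entry before assuming the filter is doing anything; a zero counter usually means the ACL is on the wrong interface or in the wrong direction.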
01-20-2011 05:01 AM
Depending on what you want and how the aggressor does it, it might be a good idea to ask your ISP to block the aggressor.
That way the aggressor does not tie up bandwidth on your Internet line.
If the aggressor keeps on attacking, if at all possible make contact with the aggressor's ISP and ask them to shut him down.
If it is just a small incident and the aggressor attacks from one IP address, then you can use Shun if you have a Cisco Firewall.
If you do not have a firewall ... get one.
The ASA is competent and small and, depending on your needs, can be quite OK priced.
If you want to block the aggressor with an access-list in a router/switch, this is all:
ip access-list extended access-list-name
 deny ip host x.x.x.x any log
 permit (whatever you want to permit) log
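The two mechanisms named in the post above, a logged extended ACL on an IOS router and a shun on an ASA, as an added example that is not configuration from the post itself. It assumes the same placeholder attacker address 203.0.113.45, the interface FastEthernet0/3/0, and the ACL name INBOUND-FROM-INTERNET; the log-threshold line is an assumption about what you would want on a busy link rather than something the post asks for.

```cisco
! IOS router: named extended ACL. Each denied packet generates a log message.
ip access-list extended INBOUND-FROM-INTERNET
 remark Block attacker 203.0.113.45, added 2011-01-20, remove when ISP confirms its filter
 deny   ip host 203.0.113.45 any log
 permit ip any any
!
interface FastEthernet0/3/0
 ip access-group INBOUND-FROM-INTERNET in
!
! Logging every packet of a flood can hurt the router more than the flood does;
! only emit a log line after this many matches accumulate.
ip access-list log-update threshold 100
!
! Verification (exec mode):
! show access-lists INBOUND-FROM-INTERNET
!
! ASA: shun the host immediately, independent of the access policy.
! Shuns are not part of the saved configuration and disappear on reload,
! so record them somewhere and convert long-lived ones into ACL entries.
shun 203.0.113.45
show shun
show shun statistics
! When the incident is over:
no shun 203.0.113.45
```

A shun is the right tool for the first minutes of an incident because it needs no change to the access policy and drops existing connections from that source as well as new ones; the ACL entry is the right tool once you know the block has to stay.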
01-20-2011 03:15 PM
Thanks everyone for your replies.