Filtering by Source or Destination IP Address
Problem
You want to block packets to or from certain IP addresses.
Solution
You can use standard access-lists to block packets from specified IP source addresses:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 50 in
Router1(config-if)#exit
Router1(config)#end
Router1#
You can filter packets based on both the source and destination addresses with an extended access-list:
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 150 deny ip host 10.2.2.2 host 172.25.25.1
Router1(config)#access-list 150 permit ip any any
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 150 in
Router1(config-if)#exit
Router1(config)#end
Router1#
Discussion
The most obvious use for access-lists is traffic filtering. The two examples in this recipe both show how to use access control lists for filtering inbound packets. The first example uses the following access-list:
Router1(config)#access-list 50 deny host 10.2.2.2
Router1(config)#access-list 50 permit any
This is a numbered ACL with a value between 1 and 99, making it a standard access-list. Using a standard access-list like this allows you to filter only based on the source IP address. In the example, we have chosen to deny a single host ...
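To make the matching rules concrete, here is a small model of how IOS evaluates the two lists in this recipe. It is an added example, not code from the book or from Cisco: it parses access-list lines of the form shown above, walks them top to bottom, returns the first match, and falls through to the implicit deny that ends every IOS ACL. It also accepts the address/wildcard-mask form (for instance 10.2.2.0 0.0.0.255), which goes beyond the host/any entries the recipe uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An address spec is (address, wildcard). Wildcard bits set to 1 are "don't care".
AddrSpec = Tuple[int, int]

@dataclass
class Entry:
    action: str              # "permit" or "deny"
    src: AddrSpec
    dst: Optional[AddrSpec]  # None for a standard ACL, which only sees the source

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens: List[str]) -> Tuple[AddrSpec, List[str]]:
    """Consume 'any', 'host A' or 'A WILDCARD' and return the spec plus the leftover tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N {permit|deny} [ip] <src> [<dst>]' lines in the order given."""
    entries = []
    for line in lines:
        tokens = line.split()
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        # Extended numbered ACLs (100-199, 2000-2699) carry a protocol and a destination.
        extended = 100 <= number <= 199 or 2000 <= number <= 2699
        if extended and rest[0] == "ip":
            rest = rest[1:]
        src, rest = _parse_addr(rest)
        dst = _parse_addr(rest)[0] if extended else None
        entries.append(Entry(action, src, dst))
    return entries

def _matches(spec: AddrSpec, addr: int) -> bool:
    base, wildcard = spec
    return (base | wildcard) == (addr | wildcard)

def evaluate(entries: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for e in entries:
        if _matches(e.src, s) and (e.dst is None or _matches(e.dst, d)):
            return e.action
    return "deny"

# Constructed inputs: the two lists from this recipe, plus a wildcard-mask variant.
ACL50 = ["access-list 50 deny host 10.2.2.2", "access-list 50 permit any"]
ACL150 = ["access-list 150 deny ip host 10.2.2.2 host 172.25.25.1",
          "access-list 150 permit ip any any"]
ACL60 = ["access-list 60 permit 10.2.2.0 0.0.0.255"]
```

The standard list drops everything from 10.2.2.2 whatever the destination, while the extended list drops only the 10.2.2.2 to 172.25.25.1 pair; ACL60, with no trailing permit any, drops every source outside 10.2.2.0/24.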