• Status: Solved

SIMPLE ACCESS LIST ON A ROUTER

Hi Experts,

I have a Cisco 2621 router and I simply need to block one of my computers, which I have the IP address and MAC address for, from accessing the Internet, in particular Yahoo, as he is constantly accessing it when supposedly working. Any help would be greatly appreciated.
Asked by: JohnBannister

pjtemplin Commented:
access-list 2101 permit ip host x.x.x.x x.x.x.y 0.0.0.z
access-list 2101 deny ip host x.x.x.x any
access-list 2101 permit ip any any
int <wherever PC sits>
ip access-group 2101 in

x.x.x.x would be the PC address.
x.x.x.y would be the NETWORK (lowest) address of the LAN subnet.  
0.0.0.z would be the inverse of the subnet mask for the PC's NIC.  (if mask is 255.255.255.240, z would be 15).

Easy7 Commented:
www.yahoo.com is hosted on a number of IP addresses; a DNS lookup returns 8 addresses at my site. Are you trying to block access to www.yahoo.com or are you trying to block access to Yahoo Instant Messenger?

JohnBannister (Author) Commented:
Hi guys, sorry, I am a bit confused by the "inverse of the subnet mask" and the z.

To clear things up, yes, I am trying to block a single IP address on our LAN, 172.24.174.43, from getting www.yahoo.com, or .co.uk for that matter.

Our mask is 255.255.255.0

Can you add the details I have just given to the access list above so I don't screw it up, please?

Thanks, fellas

pjtemplin Commented:
A few problems here:

www.yahoo.com can be dynamically assigned.  Writing an access list to block those addresses could mean you're blocking yahoo today, and someone else tomorrow.

Likewise, .co.uk is a domain name, and doesn't directly translate to an IP address range.

In your original post, you mentioned you wanted to block all Internet.  That will be easier to accomplish accurately.

access-list 2101 permit ip host 172.24.174.43 172.24.174.0 0.0.0.255
access-list 2101 deny ip host 172.24.174.43 any
access-list 2101 permit ip any any
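
The wildcard ("inverse") mask and the first-match behaviour of the access list above, worked through as an added example that is not part of the original thread. The function names and the destination 203.0.113.80 are constructed for illustration; the parser handles only the `host`, `any` and address-plus-wildcard forms used in this thread.

```python
import ipaddress

def wildcard(mask: str) -> str:
    """Inverse (wildcard) mask: each octet is 255 minus the subnet-mask octet."""
    return ".".join(str(255 - int(o)) for o in mask.split("."))

def _matches(addr: str, base: str, wild: str) -> bool:
    """Wildcard match: bits set to 1 in the wildcard are ignored, the rest must be equal."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    return (a | w) == (b | w)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip <src> <dst>' into (action, src, dst)."""
    tok = line.split()
    action, rest = tok[2], tok[4:]
    specs = []
    while rest:
        if rest[0] == "any":                      # any  = 0.0.0.0 255.255.255.255
            specs.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        elif rest[0] == "host":                   # host = address with wildcard 0.0.0.0
            specs.append((rest[1], "0.0.0.0")); rest = rest[2:]
        else:                                     # explicit address + wildcard
            specs.append((rest[0], rest[1])); rest = rest[2:]
    return action, specs[0], specs[1]

def evaluate(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        action, s, d = parse_ace(line)
        if _matches(src, *s) and _matches(dst, *d):
            return action
    return "deny"

# The three entries posted in the thread for a 255.255.255.0 LAN.
ACL = [
    "access-list 2101 permit ip host 172.24.174.43 172.24.174.0 " + wildcard("255.255.255.0"),
    "access-list 2101 deny ip host 172.24.174.43 any",
    "access-list 2101 permit ip any any",
]

if __name__ == "__main__":
    # Constructed test traffic: (source, destination)
    for src, dst in [("172.24.174.43", "172.24.174.10"),   # PC to LAN host
                     ("172.24.174.43", "203.0.113.80"),    # PC to off-LAN address
                     ("172.24.174.44", "203.0.113.80")]:   # same PC after changing its IP
        print(f"{src} -> {dst}: {evaluate(ACL, src, dst)}")
```

The third case shows why the entry is tied to the address rather than the machine: a different source IP falls through to the final permit.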

JohnBannister (Author) Commented:
Thanks for your help so far. I will take your advice and try to block him from the Internet as a whole; however, he may discover that by changing IP address he can get back on. Can I also trouble you for the ACL that would block him by MAC address, assuming his MAC address was 123456789?

Kindest regards

pjtemplin Commented:
I don't think a MAC ACL will work (but I'm no expert).  I think MAC ACLs are restricted to only allowing or denying MAC or MAC-to-MAC traffic; you need IP granularity to achieve your goals.

Easy7 Commented:
How about using a host file on the client machine and setting yahoo.com to point to a bogus address on your internal network.  I know this isn't a routing solution, but why block the traffic at a router if you can stop it at the host?

JohnBannister (Author) Commented:
Hi, tried the hosts file, that was my original effort but as we point to the internet via a proxy which is off site, the hosts file seems to be ignored and the clients get the www addresses anyway.
Question has a verified solution.
