Solved

SIMPLE ACCESS LIST ON A ROUTER

Posted on 2006-05-22
Last Modified: 2013-11-29
Hi Experts,

I have a Cisco 2621 router and I simply need to block one of my computers, which I have the IP address and MAC address for, from accessing the Internet, in particular Yahoo, as he is constantly accessing it when supposedly working. Any help would be greatly appreciated.
Question by:JohnBannister
 
LVL 12

Assisted Solution

by:pjtemplin
pjtemplin earned 1200 total points
ID: 16734683
access-list 2101 permit ip host x.x.x.x x.x.x.y 0.0.0.z
access-list 2101 deny ip host x.x.x.x any
access-list 2101 permit ip any any
int <wherever PC sits>
ip access-group 2101 in

x.x.x.x would be the PC address.
x.x.x.y would be the NETWORK (lowest) address of the LAN subnet.  
0.0.0.z would be the inverse of the subnet mask for the PC's NIC.  (if mask is 255.255.255.240, z would be 15).

0
 
LVL 1

Assisted Solution

by:Easy7
Easy7 earned 800 total points
ID: 16735734
www.yahoo.com is hosted on a number of IP addresses; a DNS lookup returns 8 addresses at my site. Are you trying to block access to www.yahoo.com or are you trying to block access to Yahoo instant messenger?
0
 

Author Comment

by:JohnBannister
ID: 16738836
Hi guys, sorry, I am a bit confused by the "inverse of the subnet mask" and the z.

To clear things up, yes, I am trying to block a single IP address on our LAN, 172.24.174.43, from getting www.yahoo.com, or .co.uk for that matter.

Our mask is 255.255.255.0

Can you add the details I have just given to the access list above so I don't screw it up, please?

thanks fellas
0

 
LVL 12

Accepted Solution

by:pjtemplin
pjtemplin earned 1200 total points
ID: 16739019
A few problems here:

www.yahoo.com can be dynamically assigned.  Writing an access list to block those addresses could mean you're blocking yahoo today, and someone else tomorrow.

Likewise, .co.uk is a domain name, and doesn't directly translate to an IP address range.

In your original post, you mentioned you wanted to block all Internet.  That will be easier to accomplish accurately.

access-list 2101 permit ip host 172.24.174.43 172.24.174.0 0.0.0.255
access-list 2101 deny ip host 172.24.174.43 any
access-list 2101 permit ip any any
0
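To make the "inverse of the subnet mask" and the top-down, first-match order of ACL 2101 concrete, here is an added example that is not part of the original thread. It is a simplified model that matches on source and destination IP only; 203.0.113.80 is a documentation-range placeholder for an Internet host, and the sample packets are constructed.

```python
import ipaddress

def wildcard(netmask):
    """Invert a dotted-quad subnet mask into an IOS wildcard mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))

def matches(addr, base, wc):
    """Bits set to 1 in the wildcard are ignored; the rest must equal base."""
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every bit ignored

def host(ip):
    return (ip, "0.0.0.0")             # "host x": every bit must match

# ACL 2101 from the accepted answer, as (action, source, destination).
ACL_2101 = [
    ("permit", host("172.24.174.43"), ("172.24.174.0", wildcard("255.255.255.0"))),
    ("deny",   host("172.24.174.43"), ANY),
    ("permit", ANY, ANY),
]

def evaluate(acl, src, dst):
    """Return (action, entry number) of the first match.

    Entry None means no entry matched and the implicit deny at the
    end of every IOS access list applied.
    """
    for n, (action, s, d) in enumerate(acl, start=1):
        if matches(src, *s) and matches(dst, *d):
            return action, n
    return "deny", None

# Constructed sample packets (source, destination).
SAMPLES = [
    ("172.24.174.43", "172.24.174.10"),  # blocked PC to a LAN host
    ("172.24.174.43", "203.0.113.80"),   # blocked PC to the Internet
    ("172.24.174.44", "203.0.113.80"),   # same PC after changing its IP
]

if __name__ == "__main__":
    print("wildcard for 255.255.255.0 is", wildcard("255.255.255.0"))
    for src, dst in SAMPLES:
        print(src, "->", dst, evaluate(ACL_2101, src, dst))
    # Without the final "permit ip any any", every other host is cut off too.
    print("no catch-all:", evaluate(ACL_2101[:2], "172.24.174.44", "203.0.113.80"))
```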
 

Author Comment

by:JohnBannister
ID: 16740713
Thanks for your help so far. I will take your advice and try to block him from the Internet as a whole; however, he may discover that by changing IP address he can get back on. Can I also trouble you for the ACL that would block him by MAC address, assuming his MAC address was 123456789?


kindest regards
0
 
LVL 12

Assisted Solution

by:pjtemplin
pjtemplin earned 1200 total points
ID: 16741990
I don't think a MAC ACL will work (but I'm no expert).  I think MAC ACLs are restricted to only allowing or denying MAC or MAC-to-MAC traffic; you need IP granularity to achieve your goals.
0
 
LVL 1

Assisted Solution

by:Easy7
Easy7 earned 800 total points
ID: 16742304
How about using a host file on the client machine and setting yahoo.com to point to a bogus address on your internal network.  I know this isn't a routing solution, but why block the traffic at a router if you can stop it at the host?
0
 

Author Comment

by:JohnBannister
ID: 16744192
Hi, tried the hosts file, that was my original effort but as we point to the internet via a proxy which is off site, the hosts file seems to be ignored and the clients get the www addresses anyway.
0
