Rajat Sehgal

Cisco Config for deny access

Hello Experts,

We have a Cisco 2811 router which is connected to 4 different location routers (Cisco 2811) through point-to-point links. I need to block all traffic which is coming to R1 (Common Router) from the following LAN ranges.

e.g.
R1 (Common Router) LAN IP
Interface                  IP-Address
FastEthernet0/0            192.168.100.1
R2 (Office 1 Router) LAN IP
Interface                  IP-Address
FastEthernet0/0            192.168.1.1
R3 (Office 2 Router) LAN IP
Interface                  IP-Address
FastEthernet0/0            192.168.2.1
R4 (Office 3 Router) LAN IP
Interface                  IP-Address
FastEthernet0/0            192.168.3.1
R5 (Office 4 Router) LAN IP
Interface                  IP-Address
FastEthernet0/0            192.168.4.1

R1 (Common Router) Config:-

interface FastEthernet0/0
 description LAN
 ip address 192.168.100.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description P2P-1
 ip address 10.11.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description LAN Office-4
 ip address 192.168.4.91 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description P2P-2
 ip address 10.12.1.2 255.255.255.0
 duplex full
 speed 100
!
interface FastEthernet0/1/1
 ip address 10.13.1.2 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/2/0
 description P2P-3
 ip address 10.14.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/2/1
 description P2P-4
 ip address 10.15.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/3/0:0
 description P2P Office-3
 ip address 8.8.8.2 255.255.255.0
!
interface Serial0/3/1:0
 no ip address
 shutdown
!
router eigrp 100
 maximum-paths 5
 network 8.8.8.0 0.0.0.255
 network 10.11.1.0 0.0.0.255
 network 10.12.1.0 0.0.0.255
 network 10.13.1.0 0.0.0.255
 network 10.14.1.0 0.0.0.255
 network 10.15.1.0 0.0.0.255
 network 192.168.4.0
 network 192.168.100.0

Please Suggest.
atlas_shuddered

Rajat - Are you trying to block all traffic to:

R1 fa0/0 - 192.168.100.1
R1 fa0/0 - 10.11.1.2
R1 fa0/0/0 - 192.168.4.91
R1 fa0/1/0 - 10.12.1.2
R1 fa0/1/1 - 10.13.1.2
R1 fa0/2/0 - 10.14.1.2
R1 fa0/2/1 - 10.15.1.2
R1 Serial0/3/0:0 -

From the following networks:
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1

Also, do you manage the routers that you are attempting to block traffic from?

ASKER

Firewalls & other routers are connected behind these networks:
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
 
So I want to deny the traffic which is passing through the firewalls or other routers to R1 (Common Router) 192.168.100.1 from the following networks:
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
Okay, do you manage these routers:

192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
I manage only one router, 192.168.1.1; the others I don't.
ASKER CERTIFIED SOLUTION
atlas_shuddered
This config will be implemented on R1 (Common Router)? Do I need any type of changes on the other location routers?
Yes, on R1. It would be better to implement it on the other routers instead, but if you don't have administrative control/access to those routers then it will not be secure.
Thanks Atlas
No worries. Hope it gets you squared away. Cheers.
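As an added example, not the accepted solution or any poster's configuration, here is one way the filter on R1 could look: a named extended ACL (the name is my own) that drops the four branch LANs on their way to the common LAN 192.168.100.0/24 and is applied inbound on every interface a branch can arrive on. Interface names and addresses are taken from R1's config above.

```cisco
! Added example (assumed ACL name; interface names from R1's config above).
! Packets sourced from the four branch LANs and destined to the common LAN
! 192.168.100.0/24 (which includes R1's own Fa0/0 address 192.168.100.1)
! are dropped and logged; everything else is forwarded unchanged.
ip access-list extended DENY-BRANCH-TO-COMMON
 remark --- branch LANs must not reach the common LAN behind Fa0/0 ---
 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 deny   ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 deny   ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 deny   ip 192.168.4.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 remark EIGRP hellos are sourced from the 10.x / 8.8.8.x link addresses and
 remark sent to 224.0.0.10, so they fall through to this permit and keep working
 permit ip any any
!
! Apply inbound on every interface a branch can arrive on. The filter must sit
! on the ingress side: an "out" ACL on Fa0/0 would not catch traffic aimed at
! R1's own 192.168.100.1, because that traffic is never forwarded out Fa0/0.
interface FastEthernet0/1
 ip access-group DENY-BRANCH-TO-COMMON in
interface FastEthernet0/1/0
 ip access-group DENY-BRANCH-TO-COMMON in
interface FastEthernet0/1/1
 ip access-group DENY-BRANCH-TO-COMMON in
interface FastEthernet0/2/0
 ip access-group DENY-BRANCH-TO-COMMON in
interface FastEthernet0/2/1
 ip access-group DENY-BRANCH-TO-COMMON in
interface Serial0/3/0:0
 ip access-group DENY-BRANCH-TO-COMMON in
! Office-4's LAN (192.168.4.0/24) is directly attached to Fa0/0/0, so it needs
! the same filter; otherwise hosts there bypass the P2P links entirely.
interface FastEthernet0/0/0
 ip access-group DENY-BRANCH-TO-COMMON in
```

Because the ACL is stateless it also drops the return traffic of sessions that hosts on 192.168.100.0/24 open toward the branches, so add explicit permits above the deny lines for any such flows you need. The match counters in `show ip access-lists DENY-BRANCH-TO-COMMON` confirm that the intended entries are being hit.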
Muray S

Hi,

You can use EIGRP route filtering by using a prefix list as well, but here are two more things you should add:

1. Update timers for EIGRP:
- Hello interval timer: the hello interval is the rate at which EIGRP sends hello packets. The command ip hello-interval eigrp can be used to set the hello interval manually.
- Hold timer: this is the amount of time that a router will consider a neighbor alive without receiving hello packets. The hold time is typically three times the hello interval. You can adjust the hold time with the ip hold-time eigrp command.


2. Authentication:
Because the route summary is sent in hexadecimal, you need to secure your routes with a key and a hash. Here is a quick sample:
! The AS number in the authentication commands must match "router eigrp 100" on R1
Device(config)# interface FastEthernet0/1
Device(config-if)# ip authentication mode eigrp 100 md5
Device(config-if)# ip authentication key-chain eigrp 100 key1
Device(config-if)# exit
Device(config)# key chain key1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string $ecRetKEY1
Device(config-keychain-key)# accept-lifetime 04:00:00 Dec 4 2017 infinite
! key 1 must stay valid for sending until key 2 starts sending (04:45:00 Jan 4 2018);
! an end time earlier than the start time would make the key unusable
Device(config-keychain-key)# send-lifetime 04:00:00 Dec 4 2017 04:48:00 Jan 4 2018
Device(config-keychain-key)# exit
Device(config-keychain)# key 2
Device(config-keychain-key)# key-string $ecRetKEY2
Device(config-keychain-key)# accept-lifetime 04:00:00 Jan 4 2018 infinite
Device(config-keychain-key)# send-lifetime 04:45:00 Jan 4 2018 infinite
Apply the authentication to the outside interfaces that face another router or a branch router. You can use different keys as well, for example between R1 - R2 key1, and R1 - R3 key2, depending on your company policy.

HTH
Thanks