how to deny a network that is directly connected to me !!

Answered Question
Sep 3rd, 2012
Hi,

I have the topology shown below:


<====Gi0/1==Router 1==Gi0/2============>Switch=======Router 2======Internet
                                          |
                                          |
                                          |
                          server with ip 10.160.150.100/24


On router R1, interface Gi0/2 has the IP 10.160.150.1/24.


Now I want to prevent the server from being reached from interface Gi0/1 and allow the others.


On Router 1, I added a route to Null0, but it can still be reached:

ip route 10.160.150.100 255.255.255.255 Null0


But it can still be reached because the AD of the static route is 1 and the directly connected route is 0.

This means that R1 will always forward the packets to the next hop on Gi0/2.


Another solution, but I am afraid to do it:

I can use an access list to match the server and apply it to the interface, but the router CPU will get high because on interface Gi0/2 thousands of clients are being serviced, and I think if I add an ACL to that interface, it will bring down my router.


So what about finding a solution for my 1st scenario, or anything better?




Regards,

Ahmd

Correct Answer by Alessio Andreoli, Mon, 09/03/2012 - 08:02

Hi Ahmed,

I wouldn't be afraid of a simple access-list applied on the g0/1:


ip access-list extended 101
 remark 192.168.10.0/24 stands for the LAN behind g0/1 (assumed /24; adjust the wildcard mask to your LAN)
 deny ip 192.168.10.0 0.0.0.255 host 10.160.150.100
 permit ip any any
!
interface g0/1
 ip access-group 101 in
end
wr
!



Take Care

Alessio

PS: I would actually deny the entire subnet 10.160.150.0/xx if you can.
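To show why the two-line list above does what it does, here is an added example, not code from the forum post or from Cisco, that models an IOS extended ACL in Python: first-match evaluation, the implicit "deny ip any any" at the end of every list, and wildcard-mask matching. It assumes 192.168.10.0/24 is the LAN behind g0/1 (the post only writes "(LAN)"), and the packet addresses below are constructed sample values. It also covers the PS variant that denies the whole server subnet, here assumed to be a /24.

```python
import ipaddress

# Constructed model of an IOS extended ACL (not Cisco code). Each entry is
# (action, source_spec, destination_spec) using the IOS spellings:
# 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address plus wildcard mask).


def _matches(addr: str, spec: str) -> bool:
    """Match an IPv4 address against an IOS-style address spec."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    # In a wildcard mask a 1 bit means "don't care": OR both sides with the
    # mask so those bits can never make the comparison fail.
    return (a | w) == (n | w)


def evaluate_acl(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a packet using first-match semantics.

    Entries are checked top to bottom; the first one whose source and
    destination both match decides. If nothing matches, IOS applies the
    implicit 'deny ip any any', which is why the 'permit ip any any' line
    in the answer is required.
    """
    for action, src_spec, dst_spec in acl:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"


# The list from the answer. 192.168.10.0/24 is the assumed LAN behind g0/1.
ACL_101 = [
    ("deny", "192.168.10.0 0.0.0.255", "host 10.160.150.100"),
    ("permit", "any", "any"),
]

# The PS variant: deny the whole server subnet (assumed /24) from the LAN.
ACL_101_SUBNET = [
    ("deny", "192.168.10.0 0.0.0.255", "10.160.150.0 0.0.0.255"),
    ("permit", "any", "any"),
]

# Same deny line but without the catch-all permit: everything else falls
# through to the implicit deny and the LAN loses all connectivity.
ACL_101_NO_PERMIT = [
    ("deny", "192.168.10.0 0.0.0.255", "host 10.160.150.100"),
]


def demo():
    """Constructed packets as seen inbound on g0/1 (LAN host -> somewhere)."""
    lan_host = "192.168.10.25"
    cases = {
        "lan -> server (ACL 101)": evaluate_acl(ACL_101, lan_host, "10.160.150.100"),
        "lan -> other host in server subnet (ACL 101)": evaluate_acl(ACL_101, lan_host, "10.160.150.101"),
        "lan -> internet (ACL 101)": evaluate_acl(ACL_101, lan_host, "203.0.113.10"),
        "lan -> other host in server subnet (PS variant)": evaluate_acl(ACL_101_SUBNET, lan_host, "10.160.150.101"),
        "lan -> internet (no permit line)": evaluate_acl(ACL_101_NO_PERMIT, lan_host, "203.0.113.10"),
    }
    return cases


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:50s} {verdict}")
```

The model only looks at source and destination addresses, which is all the answer's `ip` entries use; applying the list inbound on g0/1 means the router only evaluates traffic arriving from the LAN, not the thousands of clients on Gi0/2 that the question worried about.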
