Cisco Support Community

New Member

prevent traffic

I want to prevent traffic through my routers to unknown destinations... What is the best solution to solve this...



Re: prevent traffic

The most common way to limit traffic into or out of Cisco devices is through the use of Access Control Lists. See for information on how to do this.

Otherwise here are PowerPoint presentations by Cisco on Securing the LAN with Catalyst 3550 and 2950 Series Switches:



New Member

Re: prevent traffic

This is not what I was looking for. First, I don't know what traffic is coming. I also don't know the destination of the packets. What I want is to deny packets that can be spoofing attempts and network mapping attempts.

Re: prevent traffic

Perhaps you could explain your situation a bit clearer: what device are you working with and what traffic (L2/L3) do you want to manage?

By using ACLs you can determine exactly what traffic comes in or goes out - this way you can deny any packets that are unknown. Unless, of course, the spoofing attempts are coming from your own IPs.

You can also use MAC Access Lists and VLAN Access Maps to restrict user access. See how this is done for the 3550 series switch here:

There is a very good whitepaper on SAFE Layer 2 Security In-depth that covers these and other options along with Security best-practices available here:



New Member

Re: prevent traffic


I have figured this out, how to drop traffic to unknown destinations... This is done with policy routing with a match against the routing table... The key here is to use the keyword default in the policy map to have it look for the destination in the routing table...

Here is how this can be achieved:

interface null0
 no ip unreachables
!
interface e0/0
 ip policy route-map black-hole
!
route-map black-hole
 set ip default interface null0

So, this will solve this.. But my next challenge is then to prevent port mapping on an interface... This should be done on the same interface as this policy map is going.
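Added example, not part of the original thread: a small Python model of the forwarding decision that the `set ip default interface null0` policy above produces, where the set action only applies when the routing table holds no explicit route for the destination (the default route does not count as explicit). The routing table, interface names and destination addresses are constructed for illustration.

```python
import ipaddress

# Constructed routing table for illustration: (prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "Serial0/0"),       # default route: not an explicit route
    ("10.1.0.0/16", "Ethernet0/1"),
    ("10.1.20.0/24", "Ethernet0/2"),
    ("192.168.5.0/24", "Serial0/1"),
]


def explicit_route(dst, routes=ROUTES):
    """Longest-prefix match that ignores the default route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def forward(dst, routes=ROUTES):
    """Model of 'set ip default interface null0' on the ingress interface.

    The route-map has no match clause, so every packet is policy-checked.
    The 'default' keyword means the set action is used only when the
    routing table has no explicit route for the destination.
    """
    hit = explicit_route(dst, routes)
    if hit is not None:
        return hit[1]      # explicit route exists: normal routing wins
    return "Null0"         # would otherwise have followed the default route


def classify(destinations, routes=ROUTES):
    """Return {destination: egress interface} for a batch of packets."""
    return {d: forward(d, routes) for d in destinations}


if __name__ == "__main__":
    sample = ["10.1.20.7", "10.1.99.1", "192.168.5.200", "8.8.8.8", "172.16.0.1"]
    for dst, iface in classify(sample).items():
        print(f"{dst:15} -> {iface}")
```

In this model, destinations that would have left through the default route land on Null0, which is also what makes the policy unsuitable for an interface that must reach the internet through that default route.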
