The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable

Blocking an IP address

Jump to solution

I don't have too much experience with access lists and such, and I'm not even sure that is the answer for my issue. Any help here would be greatly appreciated.

Router: Adtran 924e

Version: A2.07.00.E

Eth 0/1 is using 10.124.10.0/24

Someone has a device plugged into the network that is hard-coded to 10.124.10.2 (it's a wireless access point)

I simply want to stop this wireless access point from accessing the internet through the 924e.

There is currently no IP filtering/firewall enabled on this router.

Again, I appreciate any advice offered.

0 Kudos
1 Solution

Accepted Solutions
jayh
Honored Contributor
Honored Contributor

Re: Blocking an IP address

Jump to solution

Numerous ways to do this.

  1. Hunt it down and kill it.  Look up its MAC address from the ARP table.  "show ip arp" on the TA900 will give you its MAC address.   Then "show mac address-table" on your switch(es) will identify the port to which it is connected.  Use wire cutters or hammer as appropriate, or shut down the switch port.
  2. Null-route it.  Easiest because it takes one command and you don't need to enable the firewall.  Enter the command "ip route 10.124.10.2 255.255.255.255 null 0" from the command line or static route tab on GUI.  If it's malicious rather than accidental the culprit may change IP, and you wind up playing whack-a-mole. Escalate to method 1 above.
  3. Filter it. Enable the firewall, create an access-list allowing just that IP, and apply it as a discard policy.  This is more work but is the most scalable.
  4. Rick-roll it. Create a small web server with a home page of a video of Rick Astley singing "Never Gonna give You Up" as a default page. A Raspberry Pi should be sufficient. Put it on your network. Create a route-map and policy-route anything sourced from that IP to the IP of the web server.  Wait.  This is the most work, but ultimately the most fun. (Yes, I have actually done this in an extreme case.)

View solution in original post

3 Replies
jayh
Honored Contributor
Honored Contributor

Re: Blocking an IP address

Jump to solution

Numerous ways to do this.

  1. Hunt it down and kill it.  Look up its MAC address from the ARP table.  "show ip arp" on the TA900 will give you its MAC address.   Then "show mac address-table" on your switch(es) will identify the port to which it is connected.  Use wire cutters or hammer as appropriate, or shut down the switch port.
  2. Null-route it.  Easiest because it takes one command and you don't need to enable the firewall.  Enter the command "ip route 10.124.10.2 255.255.255.255 null 0" from the command line or static route tab on GUI.  If it's malicious rather than accidental the culprit may change IP, and you wind up playing whack-a-mole. Escalate to method 1 above.
  3. Filter it. Enable the firewall, create an access-list allowing just that IP, and apply it as a discard policy.  This is more work but is the most scalable.
  4. Rick-roll it. Create a small web server with a home page of a video of Rick Astley singing "Never Gonna give You Up" as a default page. A Raspberry Pi should be sufficient. Put it on your network. Create a route-map and policy-route anything sourced from that IP to the IP of the web server.  Wait.  This is the most work, but ultimately the most fun. (Yes, I have actually done this in an extreme case.)
Anonymous
Not applicable

Re: Blocking an IP address

Jump to solution

Thanks! I found you response quite entertaining. Think I will try option 2.

Mike Lacey

Sent from my Moto X on Verizon Wireless

Anonymous
Not applicable

Re: Blocking an IP address

Jump to solution

Option 4 have an example of what the route-map for the offending IP to the server would look like?