Block Teredo with a Cisco router and ip nbar

It is getting pretty annoying. You set up your firewall and your router and you make everything secure. Everything?

I just noticed strange packets going over the wire. After investigating a little I found that those packets are caused by Windows Teredo tunnels. Of course the interfaces can be deactivated on each machine.


Searching the web and trying to block certain protocols (IP protocol 41), specific parts of the Internet or ports did not help. Teredo does not use protocol 41 at all: it carries IPv6 inside IPv4 UDP datagrams (RFC 4380), so a filter written for 6to4/6in4 traffic never sees it.

So I decided to take action on the router and generated a policy-map which is fed by a class-map.

The policy-map is then bound to an interface with a service-policy. Sounds complex, and it is, but for this simple task it is fine.


class-map match-any BLOCK-OUT
 match protocol teredo-ipv6-tunneled
!
policy-map DROP-BLOCKED
 class BLOCK-OUT
  drop


Interface

interface Dialer0
 description DIALUP
 ip address negotiated
 ip access-group PROTECT-IN-V4 in
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ipv6 address dhcp
 no cdp enable
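The class-map, the policy-map and the interface are shown above, but the pasted interface config contains no service-policy line, and without that line the policy-map DROP-BLOCKED is defined yet never applied. The following is an added example, not the post's own configuration, that shows the whole thing end to end: the policy with its binding to Dialer0 and the show commands used to verify that NBAR is actually classifying and dropping. It reuses the post's names (BLOCK-OUT, DROP-BLOCKED, Dialer0) and assumes the IOS image's NBAR engine knows the protocol name teredo-ipv6-tunneled (an image that does not will reject the match line; `match protocol ?` lists the names it accepts) and that dropping in the outbound direction is enough, which holds because the Windows client must reach its Teredo server before any tunnel exists.

```cisco
! Added example (not the post's own config). Names are the post's;
! the service-policy binding and the verification commands are the additions.
!
! NBAR classification requires CEF switching.
ip cef
!
class-map match-any BLOCK-OUT
 match protocol teredo-ipv6-tunneled
!
policy-map DROP-BLOCKED
 class BLOCK-OUT
  drop
 class class-default
!  everything that is not Teredo is forwarded unchanged
!
interface Dialer0
! protocol-discovery is not needed for the drop itself, but it gives
! per-protocol counters for everything NBAR sees on this link
 ip nbar protocol-discovery
! this is the line the post's interface config is missing:
! "output" = traffic leaving the LAN towards the ISP, i.e. the client's
! attempt to qualify with its Teredo server
 service-policy output DROP-BLOCKED
!
! --- verification, from enable mode ---
! Does this image's NBAR engine know the protocol at all?
!   show ip nbar version
! Is the policy attached and is the class matching? The BLOCK-OUT counters
! should increase while a Windows host tries to bring its Teredo interface up.
!   show policy-map interface Dialer0 output
! What else NBAR is seeing on the WAN side (top 10 protocols by packet count):
!   show ip nbar protocol-discovery interface Dialer0 stats packet-count top-n 10
```

If `show policy-map interface Dialer0 output` shows the policy attached but the BLOCK-OUT counters stay at zero while a client is still tunnelling, the classification is the problem, not the binding: check that the image's NBAR protocol database actually contains teredo-ipv6-tunneled before looking anywhere else.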


Done: no Teredo any more, and ip nbar is activated.


References:

How to disable Teredo tunneling pseudo-interface / 6to4 adapter (Microsoft blog): https://blogs.msdn.microsoft.com/richin/2010/11/26/how-to-disable-teredo-tunneling-pseudo-interface-6to4-adapter/

Blocking peer-to-peer using Cisco IOS NBAR
