Solved

Cisco Block Single IP Address

Posted on 2014-11-19
9
124 Views
Last Modified: 2014-12-03
Hello Experts,

We have MPLS VPN.

We often have one or two bandwidth hogs on the link.

Can someone please show me the best way to quickly block a single ip address while at the same time allow all other traffic?

Cheers

Carlton
0
Comment
Question by:cpatte7372
  • 5
  • 3
9 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40451822
deny ip any host single_ip_adress
permit ip any any

You can do it also using OBJECT-GROUP (if your IOS supports this feature)

object-group network BLOCKED-HOSTS
  host 11.22.33.44
  11.22.33.0 255.255.255.0
   
ip access-list extended GUEST_access_in
 deny ip any object-group BLOCKED-HOSTS
 permit ip any any


Advantage of this model is that you only add host or subnet to the group object, you don't have to type each entry in your ACL list.
0
 

Author Comment

by:cpatte7372
ID: 40451830
Matt,

I don't have that option:

router_name(config)#access-list 60 deny ip ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
0
 

Author Comment

by:cpatte7372
ID: 40451851
Matt,

The 'Object Group' sounds ideal.

is this configured under global configuration mode?

Cheers
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

 
LVL 6

Expert Comment

by:Matt
ID: 40451855
Which version of IOS do you have?

Show ver


Object group can be done:

CISCO#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO(config)#object-group ?
  network  network group
  service  service group
0
 

Author Comment

by:cpatte7372
ID: 40451868
# show ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

jmasia-panki02 uptime is 10 weeks, 3 days, 1 hour, 15 minutes
System returned to ROM by power-on
System restarted at 09:55:45 BST Sun Sep 7 2014
System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"
0
 
LVL 6

Expert Comment

by:Matt
ID: 40451874
Can you upgrade to this version:

c1841-advsecurityk9-mz.124-24.T8.bin

I have this version on C1812 and it supports object-group.
0
 

Author Comment

by:cpatte7372
ID: 40451950
Unfortunately not at the moment as its in production
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
ID: 40452391
It looks like you're using standard acl as opposed to extended  that Matt gave as example.

I'm a little confused though
You mentioned the IP hogs traffic and you want to block it completely or do you intend to constrain it instead. If the latter, then you should consider QoS. Auto QoS may be sufficient in your situation.
If you however just want to block access completely, then an extended acl would suffice, preferrably, a named acl
0
 

Author Closing Comment

by:cpatte7372
ID: 40479588
Cheers
0

Featured Post

Flexible connectivity for any environment

The KE6900 series can extend and deploy computers with high definition displays across multiple stations in a variety of applications that suit any environment. Expand computer use to stations across multiple rooms with dynamic access.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Router DMZ 5 90
Routing 2 local networks together 8 113
Cisco ASA 5512-X Active/Standby HA 4 27
Deny permission ACL 16 26
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question