Solved

Cisco Block Single IP Address

Posted on 2014-11-19
123 Views
Last Modified: 2014-12-03
Hello Experts,

We have MPLS VPN.

We often have one or two bandwidth hogs on the link.

Can someone please show me the best way to quickly block a single IP address while at the same time allowing all other traffic?

Cheers

Carlton
Question by:cpatte7372
9 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40451822
! extended ACL entries (numbered 100-199 or, better, a named ACL);
! the explicit permit is required because every ACL ends in an implicit deny
ip access-list extended BLOCK-SINGLE-HOST
 deny   ip any host single_ip_address
 permit ip any any

You can also do it using OBJECT-GROUP (if your IOS supports this feature):

object-group network BLOCKED-HOSTS
 host 11.22.33.44
 11.22.33.0 255.255.255.0
!
ip access-list extended GUEST_access_in
 deny   ip any object-group BLOCKED-HOSTS
 permit ip any any


The advantage of this model is that you only add a host or subnet to the object group; you don't have to type each entry in your ACL.
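As an added worked example (not Matt's or the asker's configuration), here is the single-host block written out in full for an IOS release without object-group support, applied to an interface and checked. The host address 192.0.2.50, the interface name FastEthernet0/1 and the ACL names are placeholders. Two points the short snippet above leaves implicit: the `ip` protocol keyword and the `host` source/destination pairs belong to extended ACLs, whereas a numbered standard ACL such as `access-list 60` matches on source address only and takes `host A.B.C.D` with no protocol keyword; and a bandwidth hog both sends and receives, so the snippet's `deny ip any host X` (destination match) only covers one direction.

```cisco
! Added example: block one LAN host on IOS 12.4(15)T without object-group.
! 192.0.2.50 (the hog) and FastEthernet0/1 (LAN side) are placeholder values.
ip access-list extended BLOCK-HOG-IN
 remark drop everything the hog sends towards the MPLS link; log hits to verify
 deny   ip host 192.0.2.50 any log
 permit ip any any
!
ip access-list extended BLOCK-HOG-OUT
 remark drop replies/downloads destined to the hog (the direction "deny ip any host X" covers)
 deny   ip any host 192.0.2.50 log
 permit ip any any
!
! Without the explicit "permit ip any any" the implicit deny at the end of
! every ACL would cut off the whole LAN, which is the failure mode to avoid.
interface FastEthernet0/1
 description LAN side
 ip access-group BLOCK-HOG-IN in
 ip access-group BLOCK-HOG-OUT out
!
! Verify: the hit counters on the deny lines should climb, and "log" emits
! rate-limited %SEC-6-IPACCESSLOG* syslog messages naming the matched flows.
!   show ip access-lists BLOCK-HOG-IN
!   show ip interface FastEthernet0/1 | include access list
!
! The same source-only block as a numbered standard ACL, which is what
! "access-list 60" in this thread is (no "ip" keyword, source address only):
access-list 60 remark standard ACL: source match only
access-list 60 deny   host 192.0.2.50
access-list 60 permit any
```

Two caveats. The `log` keyword costs CPU on a small router like an 1841 and is only there so you can confirm the entry matches; remove it once verified. And dropping traffic destined to the hog on the LAN-side interface only discards packets that have already crossed the MPLS link; the remote senders slow down once TCP stops seeing ACKs, but the inbound link bandwidth is not freed instantly.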
 

Author Comment

by:cpatte7372
ID: 40451830
Matt,

I don't have that option:

router_name(config)#access-list 60 deny ip ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
 

Author Comment

by:cpatte7372
ID: 40451851
Matt,

The 'Object Group' sounds ideal.

is this configured under global configuration mode?

Cheers
 
LVL 6

Expert Comment

by:Matt
ID: 40451855
Which version of IOS do you have?

show ver


Object group can be done:

CISCO#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO(config)#object-group ?
  network  network group
  service  service group
 

Author Comment

by:cpatte7372
ID: 40451868
# show ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

jmasia-panki02 uptime is 10 weeks, 3 days, 1 hour, 15 minutes
System returned to ROM by power-on
System restarted at 09:55:45 BST Sun Sep 7 2014
System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"
 
LVL 6

Expert Comment

by:Matt
ID: 40451874
Can you upgrade to this version?

c1841-advsecurityk9-mz.124-24.T8.bin

I have this version on a C1812 and it supports object-group.
 

Author Comment

by:cpatte7372
ID: 40451950
Unfortunately not at the moment, as it's in production.
 
LVL 18

Accepted Solution

by:Akinsd (earned 500 total points)
ID: 40452391
It looks like you're using a standard ACL, as opposed to the extended one that Matt gave as an example.

I'm a little confused, though. You mentioned the IP hogs traffic: do you want to block it completely, or do you intend to constrain it instead? If the latter, then you should consider QoS. Auto QoS may be sufficient in your situation.
If, however, you just want to block access completely, then an extended ACL would suffice, preferably a named ACL.
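The "constrain instead of block" option raised above, as an added example that is not the thread's own configuration: a single-rate policer that caps one host while everything else passes untouched. The host 192.0.2.50, the interface names FastEthernet0/0 (MPLS side) and FastEthernet0/1 (LAN side), the 512 kbit/s ceiling and the policy names are all placeholders; pick a rate that leaves headroom for the rest of the site.

```cisco
! Added example: rate-limit one host instead of blocking it.
! 192.0.2.50, FastEthernet0/0, FastEthernet0/1 and 512000 bit/s are placeholders.
ip access-list extended HOG-TRAFFIC
 permit ip host 192.0.2.50 any
 permit ip any host 192.0.2.50
!
class-map match-any HOG
 match access-group name HOG-TRAFFIC
!
! Single-rate policer: cir in bit/s, bc (burst allowance) in bytes.
! Traffic within the rate is transmitted; excess is dropped. Anything not in
! class HOG falls into class-default, which has no action and is left alone.
policy-map LIMIT-HOG
 class HOG
  police cir 512000 bc 96000 conform-action transmit exceed-action drop
!
! Upload direction: police as the hog's packets enter from the LAN, so the
! excess never reaches the MPLS link.
interface FastEthernet0/1
 description LAN side
 service-policy input LIMIT-HOG
!
! Download direction: policing here drops packets that have already crossed
! the link; the remote sender only slows down once TCP sees the loss. A hard
! guarantee on the inbound side needs the provider to shape towards you.
interface FastEthernet0/0
 description MPLS side
 service-policy input LIMIT-HOG
!
! Verify: per-class conformed/exceeded packet and byte counts.
!   show policy-map interface FastEthernet0/1
!   show policy-map interface FastEthernet0/0
```

Compared with the ACL approach, this keeps the host reachable and needs no change when the hog's traffic pattern changes; adding a second offender is one more `permit` line in HOG-TRAFFIC. The same policy-map can be attached to both interfaces because each attachment gets its own policer instance and counters.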
 

Author Closing Comment

by:cpatte7372
ID: 40479588
Cheers
