Cisco Block Single IP Address

Hello Experts,

We have MPLS VPN.

We often have one or two bandwidth hogs on the link.

Can someone please show me the best way to quickly block a single IP address while at the same time allowing all other traffic?

Cheers

Carlton
cpatte7372 Asked:

Matt Commented:
deny ip any host single_ip_address
permit ip any any

You can also do it using OBJECT-GROUP (if your IOS supports this feature):

object-group network BLOCKED-HOSTS
  host 11.22.33.44
  11.22.33.0 255.255.255.0
   
ip access-list extended GUEST_access_in
 deny ip any object-group BLOCKED-HOSTS
 permit ip any any


The advantage of this model is that you only add a host or subnet to the group object; you don't have to type each entry in your ACL.
0
cpatte7372 (Author) Commented:
Matt,

I don't have that option:

router_name(config)#access-list 60 deny ip ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
0
cpatte7372 (Author) Commented:
Matt,

The 'Object Group' sounds ideal.

Is this configured under global configuration mode?

Cheers
0

Matt Commented:
Which version of IOS do you have?

Show ver


Object group can be done:

CISCO#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO(config)#object-group ?
  network  network group
  service  service group
0
cpatte7372 (Author) Commented:
# show ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

jmasia-panki02 uptime is 10 weeks, 3 days, 1 hour, 15 minutes
System returned to ROM by power-on
System restarted at 09:55:45 BST Sun Sep 7 2014
System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"
0
Matt Commented:
Can you upgrade to this version:

c1841-advsecurityk9-mz.124-24.T8.bin

I have this version on C1812 and it supports object-group.
0
cpatte7372 (Author) Commented:
Unfortunately not at the moment, as it's in production.
0
Akinsd (Network Administrator) Commented:
It looks like you're using a standard ACL as opposed to the extended one that Matt gave as an example.

I'm a little confused, though.
You mentioned the IP hogs traffic; do you want to block it completely, or do you intend to constrain it instead? If the latter, then you should consider QoS. Auto QoS may be sufficient in your situation.
If, however, you just want to block access completely, then an extended ACL would suffice, preferably a named ACL.
0
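
A named extended ACL of the kind suggested above, written without object-group, as an added example that is not part of the original thread. The address 192.0.2.50, the ACL name BLOCK-HOG and the choice of FastEthernet0/0 as the interface facing the host are assumptions.

```cisco
! Constructed example: 192.0.2.50 stands in for the offending host;
! BLOCK-HOG and FastEthernet0/0 (assumed to face that host) are
! illustrative names, not values from the thread.
!
! Numbered lists 1-99 are standard ACLs and match on source address only,
! which is why "access-list 60 deny ip ?" offers no protocol keywords.
! An extended list (named, or numbered 100-199) matches protocol, source
! and destination.
!
ip access-list extended BLOCK-HOG
 remark drop traffic sent by the host
 deny   ip host 192.0.2.50 any
 remark drop traffic addressed to the host
 deny   ip any host 192.0.2.50
 remark without this line the implicit deny drops everything else
 permit ip any any
!
interface FastEthernet0/0
 ! inbound: packets arriving from the host match the first deny
 ip access-group BLOCK-HOG in
 ! outbound: packets leaving towards the host match the second deny
 ip access-group BLOCK-HOG out
!
! Verify from exec mode; the per-entry match counters show whether the
! deny entries are being hit:
!   show ip access-lists BLOCK-HOG
!
! Lift the block later by deleting only those entries:
!   ip access-list extended BLOCK-HOG
!    no deny ip host 192.0.2.50 any
!    no deny ip any host 192.0.2.50
```

Entries are evaluated top-down and the first match wins, so the deny lines must stay above `permit ip any any`.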

cpatte7372 (Author) Commented:
Cheers
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.