Solved

Cisco Block Single IP Address

Posted on 2014-11-19
9
120 Views
Last Modified: 2014-12-03
Hello Experts,

We have MPLS VPN.

We often have one or two bandwidth hogs on the link.

Can someone please show me the best way to quickly block a single ip address while at the same time allow all other traffic?

Cheers

Carlton
0
Comment
Question by:cpatte7372
  • 5
  • 3
9 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40451822
deny ip any host single_ip_adress
permit ip any any

You can do it also using OBJECT-GROUP (if your IOS supports this feature)

object-group network BLOCKED-HOSTS
  host 11.22.33.44
  11.22.33.0 255.255.255.0
   
ip access-list extended GUEST_access_in
 deny ip any object-group BLOCKED-HOSTS
 permit ip any any


Advantage of this model is that you only add host or subnet to the group object, you don't have to type each entry in your ACL list.
0
 

Author Comment

by:cpatte7372
ID: 40451830
Matt,

I don't have that option:

router_name(config)#access-list 60 deny ip ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
0
 

Author Comment

by:cpatte7372
ID: 40451851
Matt,

The 'Object Group' sounds ideal.

is this configured under global configuration mode?

Cheers
0
 
LVL 6

Expert Comment

by:Matt
ID: 40451855
Which version of IOS do you have?

Show ver


Object group can be done:

CISCO#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO(config)#object-group ?
  network  network group
  service  service group
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:cpatte7372
ID: 40451868
# show ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

jmasia-panki02 uptime is 10 weeks, 3 days, 1 hour, 15 minutes
System returned to ROM by power-on
System restarted at 09:55:45 BST Sun Sep 7 2014
System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"
0
 
LVL 6

Expert Comment

by:Matt
ID: 40451874
Can you upgrade to this version:

c1841-advsecurityk9-mz.124-24.T8.bin

I have this version on C1812 and it supports object-group.
0
 

Author Comment

by:cpatte7372
ID: 40451950
Unfortunately not at the moment as its in production
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 500 total points
ID: 40452391
It looks like you're using standard acl as opposed to extended  that Matt gave as example.

I'm a little confused though
You mentioned the IP hogs traffic and you want to block it completely or do you intend to constrain it instead. If the latter, then you should consider QoS. Auto QoS may be sufficient in your situation.
If you however just want to block access completely, then an extended acl would suffice, preferrably, a named acl
0
 

Author Closing Comment

by:cpatte7372
ID: 40479588
Cheers
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

While it is possible to put two routes in place with the secondary having a higher metric, this may not always work. In the event of a failure that does not bring down the physical interface on the router the primary route is not removed. There is a…
New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now