?
Solved

Cisco Block Single IP Address

Posted on 2014-11-19
9
Medium Priority
?
129 Views
Last Modified: 2014-12-03
Hello Experts,

We have MPLS VPN.

We often have one or two bandwidth hogs on the link.

Can someone please show me the best way to quickly block a single ip address while at the same time allow all other traffic?

Cheers

Carlton
0
Comment
Question by:cpatte7372
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 6

Expert Comment

by:Matt
ID: 40451822
deny ip any host single_ip_adress
permit ip any any

You can do it also using OBJECT-GROUP (if your IOS supports this feature)

object-group network BLOCKED-HOSTS
  host 11.22.33.44
  11.22.33.0 255.255.255.0
   
ip access-list extended GUEST_access_in
 deny ip any object-group BLOCKED-HOSTS
 permit ip any any


Advantage of this model is that you only add host or subnet to the group object, you don't have to type each entry in your ACL list.
0
 

Author Comment

by:cpatte7372
ID: 40451830
Matt,

I don't have that option:

router_name(config)#access-list 60 deny ip ?
  A.B.C.D  Wildcard bits
  log      Log matches against this entry
  <cr>
0
 

Author Comment

by:cpatte7372
ID: 40451851
Matt,

The 'Object Group' sounds ideal.

is this configured under global configuration mode?

Cheers
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
LVL 6

Expert Comment

by:Matt
ID: 40451855
Which version of IOS do you have?

Show ver


Object group can be done:

CISCO#conf term
Enter configuration commands, one per line.  End with CNTL/Z.
CISCO(config)#object-group ?
  network  network group
  service  service group
0
 

Author Comment

by:cpatte7372
ID: 40451868
# show ver
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 13-Aug-08 15:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

jmasia-panki02 uptime is 10 weeks, 3 days, 1 hour, 15 minutes
System returned to ROM by power-on
System restarted at 09:55:45 BST Sun Sep 7 2014
System image file is "flash:c1841-advsecurityk9-mz.124-15.T7.bin"
0
 
LVL 6

Expert Comment

by:Matt
ID: 40451874
Can you upgrade to this version:

c1841-advsecurityk9-mz.124-24.T8.bin

I have this version on C1812 and it supports object-group.
0
 

Author Comment

by:cpatte7372
ID: 40451950
Unfortunately not at the moment as its in production
0
 
LVL 18

Accepted Solution

by:
Akinsd earned 2000 total points
ID: 40452391
It looks like you're using standard acl as opposed to extended  that Matt gave as example.

I'm a little confused though
You mentioned the IP hogs traffic and you want to block it completely or do you intend to constrain it instead. If the latter, then you should consider QoS. Auto QoS may be sufficient in your situation.
If you however just want to block access completely, then an extended acl would suffice, preferrably, a named acl
0
 

Author Closing Comment

by:cpatte7372
ID: 40479588
Cheers
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
In the world of WAN, QoS is a pretty important topic for most, if not all, networks. Some WAN technologies have QoS mechanisms built in, but others, such as some L2 WAN's, don't have QoS control in the provider cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question