cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1116
Views
10
Helpful
9
Replies

block HTTP traffic for a host has dynamic ip

welcommen
Level 1
Level 1

i want to block http traffic for one computer. this computer use dynamic ip address, it connect to a 2950 switch.i cannot use ip access-list because this host uses dynamic ip address, but mac access-list doesn't support block HTTP, mac access-list only can block whole ip traffic.

can you guys tell em how to solve this problem, thank you

9 Replies 9

NEREIDA MAYORAL
Level 1
Level 1

You can try with extended ACL applied direction 'in' in the port in which the PC is connected.

access-list 127 deny tcp any any eq 80

access-list 127 permit ip any any

interface fast0/5

ip access-group 127 in

Regards.

Hello,

this ACL would block every host connected to port fa0/5, and if this a router interface I would guess more than 1 host is connected to it.

So, I curious about this solution too, if someone can respond this, I would be glad to know too.

Vlad

vladrac-ccna
Level 5
Level 5

Hello again,

did you consider using CAR to drop this host packets?

You could set a rate-limit based on MAC and on a new line you could match based on traffic to port 80 and drop the packets. I'm not a QOS expert but I believe would be something like:

!create and access-list that will match the MAC

(config)#access-list rate-limit 100 0000.0000.0000

!create and ext ACL that will match the http traffic

(config)#access-list 101 permit tcp any any eq 80

!go to the interface where this host is connected to

(config)#interface ethernet 0

! now you match the MAC address with any traffic rate

(config-if)#rate-limit input rate-limit 100 8000 1500 2000 conform-action continue exceed-action continue

! and here you match the traffic for port 80 and drop the packtes

(config-if)#rate-limit input access-group 101 8000 1500 2000 conform-action drop exceed-action drop

Please let me know if this will suffice, really curious on this one.

Thanks,

vlad

thank you guys help me. i think i didn;t explain it very well, this switch port connect to 10 hosts. so i really problem is how i can only block one host to access http, others still can access http.

thanks lot

Hello,

I guess that probably I didnt explain it very well,

with those lines you can filter based on the MAC address and tcp port 80.

So , you create a list matching the host you need and that CAR configuration will do the job.

Vlad

thank you guys help me. i think i didn;t explain it very well, this switch port connect to 10 hosts. so i really problem is how i can only block one host to access http, others still can access http.

thanks lot

Hi

I Have to know some thing?your network get a dynamic ip adddress from an Dhcp server[microsoft]if so do a reservation in the DHCP pool based on current ip address of the host that you will try to block the http access; than creat an acl an apply it to the relevant interface[direction in] and it will work properly.

Ali

Hello again,

Could you tell me if you tried the configs Ive posted before?

If you give us more information I can give you the exact configs you'll need.

But again, you could create a list that would mac just the host you want and then match on the traffic to port 80 (this would only be valid for the host with the MAC you put on the first list).

So, you could block a single host using dhcp IP going to access http.

Please let me know!

Vlad

thank you guys, i let server guy reserver ip add for this host, then everything is fine. thank you help

Review Cisco Networking for a $25 gift card