Author Topic: Tech questions!  (Read 760 times)

tsabsuav

  • Guest
Tech questions!
« on: October 01, 2014, 09:52:34 PM »
Someone once asked me: if there is an attacker inside the building running a port scan and attacking the network, as a network admin, how would you go about identifying the attacker's physical location, and what action can you take to stop the attacker?

Another question was: what is the subnet mask for one host?

Please post your answers.




tsabsuav

  • Guest
Re: Tech questions!
« Reply #1 on: October 09, 2014, 03:36:02 PM »
There are alternative solutions to achieve this, but the result is pretty much the same, and that is to completely deny or shut down all packets coming from the attacker's host.

(1) Personally, I would identify the attacker's layer 3 and layer 2 addresses. The firewall log is a good source for the layer 3 address. The layer 2 address can be obtained from the admin's local machine using the arp -a command once the layer 3 address has been identified. Then on the switch or switches, identify the switch port the attacker connects to using the MAC address table. For instance, suppose his layer 2 address indicates he connects to switch port Gi0/20, and switch port Gi0/20 connects to D14 on the patch panel. The next action is to shut down switch port Gi0/20 immediately, then identify where data port D14 is. Usually companies do not have a network map showing where data ports are located throughout the building, but assuming there is one in this example, D14 would be 1st floor room 4 or room 14, depending on how the building is structured.

(2) The subnet mask for a single host is 255.255.255.255. A single host is probably never used on a network. However, a single host is used repeatedly in ACLs and NAT to permit or deny services.

ACL example (Cisco IOS):
ip access-list extended 100
 remark IOS ACLs take wildcard masks: a single host is 0.0.0.0 (or the host keyword), 255.255.255.255 is the ASA subnet-mask form
 permit icmp host 10.0.0.100 host 10.0.0.1 echo
 deny tcp host 10.0.0.100 host 10.0.0.1 eq ssh


NAT example (Cisco ASA 8.3+):
object network 192.168.1.100
 host 192.168.1.100
 ! static NAT: inside host 192.168.1.100 is reachable as 200.1.1.1 on the outside, SSH only
 nat (inside,outside) static 200.1.1.1 service tcp ssh ssh
!
! ASA 8.3+ ACLs reference the real (pre-NAT) address as the destination; the source is
! the outside clients that may connect, not the mapped address itself
access-list outside_access_in extended permit tcp any object 192.168.1.100 eq ssh
access-group outside_access_in in interface outside


Again this is one of the many solutions.



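The chain described in the reply above (firewall log to layer 3 address, arp -a to layer 2 address, MAC address table to switch port, then shut the port), as an added example that is not part of the original post. It is Python over constructed sample data: a generic syslog-style firewall log, Windows-style arp -a output and Cisco IOS-style show mac address-table output. The port-scan threshold, the uplink port name, the ACL name and the log format are all assumptions; real formats differ by vendor and version, so the three parsers will need adjusting to your own gear. It also ties in question (2): the same /32 yields the wildcard mask 0.0.0.0 an IOS ACL wants and the subnet mask 255.255.255.255 an ASA ACL wants.

```python
"""Walk a port scan back to a switch port (added example, not from the post).
All three inputs below are constructed samples in generic syslog, Windows
arp -a and Cisco IOS show mac address-table style; adjust to your gear."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log: 10.0.0.100 touches six ports on 10.0.0.1 in
# three seconds, the classic scan pattern. 10.0.0.55 is a normal client.
FIREWALL_LOG = """\
Oct 01 21:40:01 fw1 deny tcp 10.0.0.100:51001 -> 10.0.0.1:22
Oct 01 21:40:01 fw1 deny tcp 10.0.0.100:51002 -> 10.0.0.1:23
Oct 01 21:40:01 fw1 deny tcp 10.0.0.100:51003 -> 10.0.0.1:25
Oct 01 21:40:02 fw1 deny tcp 10.0.0.100:51004 -> 10.0.0.1:80
Oct 01 21:40:02 fw1 permit tcp 10.0.0.100:51005 -> 10.0.0.1:443
Oct 01 21:40:03 fw1 deny tcp 10.0.0.100:51006 -> 10.0.0.1:3389
Oct 01 21:40:04 fw1 permit tcp 10.0.0.55:49152 -> 10.0.0.1:443
"""

# Constructed arp -a output from a Windows admin workstation on the same VLAN.
ARP_OUTPUT = """\
Interface: 10.0.0.20 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.55             00-aa-bb-cc-dd-01     dynamic
  10.0.0.100            00-aa-bb-cc-dd-ee     dynamic
"""

# Constructed Cisco IOS show mac address-table output from the access switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi0/20
"""

LOG_RE = re.compile(r"(permit|deny) \w+ (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)")

def normalize_mac(mac):
    """Reduce 00-aa-bb-..., 00:aa:bb:... or 00aa.bbcc.ddee to Cisco's dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def find_scanners(log_text, threshold=5):
    """Source IPs that touched more than `threshold` distinct destination ports.
    Permitted flows count too: a scan is about breadth, not about denies."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dport")))
    return sorted(ip for ip, seen in ports.items() if len(seen) > threshold)

def mac_for_ip(arp_text, ip):
    """Layer 3 -> layer 2 via the admin machine's ARP cache (same segment only)."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return normalize_mac(fields[1])
    return None

def port_for_mac(table_text, mac, uplinks=()):
    """Layer 2 -> switch port. A MAC learned on an uplink means the host sits
    behind another switch: look there instead of shutting the trunk."""
    want = normalize_mac(mac)
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1].lower() == want:
            return None if fields[3] in uplinks else fields[3]
    return None

def containment_commands(ip, port, acl="BLOCK-SCANNER"):
    """Shut the port, then filter the host. One /32 gives both mask spellings:
    IOS ACLs take the wildcard (hostmask) 0.0.0.0, ASA ACLs the netmask
    255.255.255.255. ACL name is an assumption."""
    net = ipaddress.ip_network("%s/32" % ip)
    return {
        "switch": ["interface %s" % port, " shutdown"],
        "ios_acl": ["ip access-list extended %s" % acl,
                    " deny ip %s %s any" % (ip, net.hostmask),
                    " permit ip any any"],
        "asa_acl": ["access-list %s extended deny ip %s %s any" % (acl, ip, net.netmask)],
    }

def locate_attacker(log_text, arp_text, table_text, uplinks=("Gi0/24",)):
    """Run the whole chain; one record per suspected scanner. Uplink name assumed."""
    found = []
    for ip in find_scanners(log_text):
        mac = mac_for_ip(arp_text, ip)
        port = port_for_mac(table_text, mac, uplinks) if mac else None
        found.append({"ip": ip, "mac": mac, "port": port,
                      "commands": containment_commands(ip, port) if port else {}})
    return found

if __name__ == "__main__":
    for hit in locate_attacker(FIREWALL_LOG, ARP_OUTPUT, MAC_TABLE):
        print("%(ip)s is %(mac)s on %(port)s" % hit)
        for block in hit["commands"].values():
            print("\n".join(block))
```

Two caveats a practitioner would add. The arp -a step only works if the admin machine shares a layer 2 segment with the attacker; otherwise pull the ARP table from the gateway for that VLAN. And both the IP and the MAC can be spoofed or changed mid-investigation, which is why the reply shuts the physical port rather than relying on the address filter alone; the ACL lines are a stop-gap while someone walks to D14.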