https://community.cisco.com/t5/network-security/how-to-create-a-access-list-on-core-switch-to-bloxk-all-internet/m-p/2325974#M1050597 <P>Hellp Everyone,</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website &amp; block the rest of them.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I want to allow the whole Intranet but few intranet websites also needs access to the internet.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Can we create such Access-List with the above requirement.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I tried to create the ACL on the switch but it blocks the whole internet access.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">i want to do it for a subnet not for a specific IP.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Can someone help me in creating such access list.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thanks in Advance</P> Fri, 21 Feb 2020 12:57:57 GMT vishwasjaiswal 2020-02-21T12:57:57Z https://community.cisco.com/t5/network-security/how-to-create-a-access-list-on-core-switch-to-bloxk-all-internet/m-p/2325974#M1050597 <P>Hellp Everyone,</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I am trying to create a Access-List on my Core Switch, in which I want to allow few internet website &amp; block the rest of them.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I want to allow the whole Intranet but few intranet websites also needs access to the internet.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Can we create such Access-List with the above requirement.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">I tried to create the ACL on the switch but it blocks the whole internet access.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">i want to do it for a subnet not for a specific IP.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Can someone help me in creating such access list.</P><P></P><P style="background-color: #fbfbde; border-collapse: collapse; font-size: 12px; list-style: none; font-family: Arial, verdana, sans-serif;">Thanks in Advance</P> Fri, 21 Feb 2020 12:57:57 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-list-on-core-switch-to-bloxk-all-internet/m-p/2325974#M1050597 vishwasjaiswal 2020-02-21T12:57:57Z https://community.cisco.com/t5/network-security/how-to-create-a-access-list-on-core-switch-to-bloxk-all-internet/m-p/2325975#M1050615 <HTML><HEAD></HEAD><BODY><P>The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.</P><P></P><P>In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. also, once you add an access-list, there is an implicit "deny any any" at the end.</P><P></P><P>The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites). </P><P></P><P>You would then use them as follows:</P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">ip access-list extended main_acl</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;"> permit any object-group intranet any</SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;"> permit object-group allowed_servers object-group allowed_sites any</SPAN></P><P></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;">interface vlan <VLAN id=""></VLAN></SPAN></P><P style="padding-left: 30px;"><SPAN style="font-family: 'courier new', courier;"> ip access-group main_acl in</SPAN></P><P></P><P>More details on the syntax and examples can be found here:</P><P></P><P><A href="http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66" rel="nofollow">http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66</A></P></BODY></HTML> Sun, 18 Aug 2013 14:19:57 GMT https://community.cisco.com/t5/network-security/how-to-create-a-access-list-on-core-switch-to-bloxk-all-internet/m-p/2325975#M1050615 Marvin Rhoads 2013-08-18T14:19:57Z