Solved: ACL Creation Via Web Interface

Ibraheem Mirza · ‎11-14-2017

Hey,

I am using small business Cisco SG300-28 switch. I have a scenario where almost 25 computers are connected to a SG300-28 switch, it's a plug and play environment. Now, I want to block youtube, facebook on specific (or all) ports by creating IPv4 ACL. I am bit confused as I am getting no idea of host IP, if Host IP means IP of facebook then how can i create ACL because there is a wide range of IP against facebook.

Remember, I don't use CLI for switch management, I ONLY USE WEB INTERFACE.

Thanks in advance for your co-operation.

Seb Rupik · ‎11-14-2017

Hi there,

Unless you explicitly list every destination IP and deny that traffic you are not going to be able to achieve this on a SG300.

It is probably easier to blackhole/ redirect DNS lookups for those domains, but you would need to be control of the DNS server which is specified in the DHCP leases you are issuing on the LAN.

cheers,

Seb.

View solution in original post

Seb Rupik · ‎11-14-2017

Hi there,

Unless you explicitly list every destination IP and deny that traffic you are not going to be able to achieve this on a SG300.

It is probably easier to blackhole/ redirect DNS lookups for those domains, but you would need to be control of the DNS server which is specified in the DHCP leases you are issuing on the LAN.

cheers,

Seb.

Ibraheem Mirza · ‎11-15-2017

thank you for you reply Seb, could you please guide me more how to control DNS and "blackholed"/ deceive the IP for specific site, my network shows 11-22 devices which leases DHCP.

Seb Rupik · ‎11-15-2017

OK, and for those DHCP clients, the servers listed in the DNS option, are they ones you control? If so, what are they running?

Ibraheem Mirza · ‎11-15-2017

Seb thanks once again, lemme explain you once again my network scenario, I haven't made any proper VLAN's. WAN plugged into cisco switch, DNS server IP is 192.168.1.1, further more my WAN device shows DHCP leases of 11-12 devices, these devices include 6 PC's, 1 cisco switch, 1 apple time capsule, one android device, 1 tp link device. I actually didn't how and why these devices are leasing DHCP. Furthermore, these all devices are on same network (192.168.1.1-254).

Seb Rupik · ‎11-15-2017

So is 192.168.1.1 an interface on your Cisco router? If so, then we can assume you router is running as a DNS server. Try the following:

!
ip dns server
ip name-server 8.8.8.8
ip host www.facebook.com 127.0.0.1
!
ip dns primary facebook.com soa ns.facebook.com mb.facebook.com 
!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_dns/configuration/15-mt/dns-15-mt-book/dns-config-dns.html

I don't have a device t hand to test this, so no guarantees that it will work.

cheers,

Seb.

Ibraheem Mirza · ‎11-15-2017

yes, switch is running as DNSserver, you got it absolute right. But thing is could you please guide me for Web Interface.

Seb Rupik · ‎11-15-2017

I'm not familiar with the IOS GUI. Typically it only offers a very small subset of features and I'd be surprised if you could configure DNS server/ record options using it.