Raheel Qamar
Beginner

SG300-52 ACL help need

Hello,

I am using an SG300-52 switch. I need to know: can I block some sites for a specific IP / MAC through this switch?

Please help me if someone can do it.


8 REPLIES
Tom Watts
Advisor

Hi Raheel,

The first consideration is that the access list is inbound only, so if you want to block a website, the ACL must be applied on a port connecting toward the host, not the uplink port.

A sample access list to block one of google.com's IP addresses would be like this:

ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
permit ip any any

The 0.0.0.0 represents a single host address. Then you need to bind it to an interface:

interface gigabitethernet5
service-acl input "die google"

Whatever connects to my port gi5 will not be able to access 74.125.21.139.

If a port is too defined for you, you can also bind the ACL to a VLAN.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

[Attachment: ACL-sample.png]

Thanks for Help Tom.

I tried it but, really sorry to say, it's not working. I am applying it via the web interface and failed to get the results. Can you help me again?

Thanks in advance.

Reverse your source and destination. Then go down to port binding and apply the ACL to the port that connects to your PC, and then try to ping from your PC. You can't use the ping tool on the switch.

Thanks Tom and Viningele for your help I got the correct answer. Thank you very much.

One thing more: is it possible to block more than 1 IP, as some sites have more IPs, like google etc.?

Hi Raheel, yes, so long as you know those addresses or if they're in the same subnet, you can block a whole subnet.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Tom,

Thanks for help again!

Can you give me one example of it? Like if I want to block google.com, what will be the entry, as google has more than 1 IP? This is my last question in this regard.

Hi Raheel, one thing you can try to do is use nslookup from your computer; here is a sample from my computer:

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserve

C:\Users\Tom>nslookup

Default Server:  google-public-dns-a.google.com

Address:  8.8.8.8

> nslookup google.com

Server:  google.com

Addresses:  2607:f8b0:4002:c06::8a

          74.125.21.113

          74.125.21.100

          74.125.21.138

          74.125.21.101

          74.125.21.139

          74.125.21.102

*** google.com can't find nslookup: No response from server

From this output you can make your list - I will provide an example for each address and for this whole IP subnet.

Here is an example to block each individual address:

ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
deny ip any 74.125.21.113 0.0.0.0
deny ip any 74.125.21.100 0.0.0.0
deny ip any 74.125.21.138 0.0.0.0
deny ip any 74.125.21.101 0.0.0.0
deny ip any 74.125.21.102 0.0.0.0
permit ip any any

You may also block a whole subnet - this will block all 254 usable addresses in the 74.125.21.x address space:

ip access-list extended "die google"
deny ip any 74.125.21.1 0.0.0.255
permit ip any any

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
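The two steps Tom describes above (read the IPv4 answers out of nslookup, then write one deny line per host or one deny line for the covering subnet with a wildcard mask) are mechanical enough to script. The following is an added example, not code from this thread or from Cisco; it uses the addresses quoted above as constructed sample input, keeps Tom's ACL name "die google", and adds the check a defender wants before binding an ACL: a first-match evaluation of the list against a destination address, so you can confirm a given host is blocked (or not) without touching the switch. It assumes the standard Cisco wildcard semantics (a 1 bit in the wildcard means "don't care", so `74.125.21.1 0.0.0.255` and `74.125.21.0 0.0.0.255` match the same /24) and the implicit deny at the end of a Cisco ACL. The IPv6 answer in the nslookup output is skipped because the ACL here is IPv4 only; note also that blocking by address is fragile, since a site's addresses change over time and a /24 deny catches everything else hosted in that range.

```python
import ipaddress
import re

# Constructed sample input: the IPv4/IPv6 answers quoted in the thread's nslookup session.
SAMPLE_NSLOOKUP = """\
Server:  google.com
Addresses:  2607:f8b0:4002:c06::8a
          74.125.21.113
          74.125.21.100
          74.125.21.138
          74.125.21.101
          74.125.21.139
          74.125.21.102
"""


def parse_ipv4_answers(text):
    """Return the unique IPv4 addresses in nslookup output, in order of appearance (IPv6 is skipped)."""
    found = []
    for token in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text):
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:  # e.g. an octet > 255 inside some other number
            continue
        if addr not in found:
            found.append(addr)
    return found


def wildcard_mask(prefix_len):
    """Cisco wildcard mask for a prefix length: the inverse of the subnet mask (/32 -> 0.0.0.0, /24 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def covering_prefix(addrs):
    """Smallest single IPv4 prefix that contains every address (what a one-line subnet deny would cover)."""
    for prefix_len in range(32, -1, -1):
        net = ipaddress.IPv4Network(f"{addrs[0]}/{prefix_len}", strict=False)
        if all(a in net for a in addrs):
            return net
    return ipaddress.IPv4Network("0.0.0.0/0")


def host_deny_acl(name, addrs):
    """One deny entry per host (wildcard 0.0.0.0), then the explicit permit, as in Tom's first example."""
    lines = [f'ip access-list extended "{name}"']
    lines += [f"deny ip any {a} 0.0.0.0" for a in addrs]
    lines.append("permit ip any any")
    return lines


def subnet_deny_acl(name, net):
    """A single deny for the covering subnet, expressed with a wildcard mask, as in Tom's second example."""
    return [
        f'ip access-list extended "{name}"',
        f"deny ip any {net.network_address} {net.hostmask}",
        "permit ip any any",
    ]


def entry_matches(dst, entry_addr, wildcard):
    """True if dst matches an ACL address/wildcard pair: bits set in the wildcard are ignored."""
    d = int(ipaddress.IPv4Address(dst))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((d ^ e) & ~w & 0xFFFFFFFF) == 0


_ENTRY = re.compile(r"^(deny|permit) ip any (\S+)(?: (\S+))?$")


def acl_action(acl_lines, dst):
    """First-match evaluation of an extended ACL against a destination; 'any' matches everything,
    and an unmatched packet hits the implicit deny at the end of a Cisco ACL."""
    for line in acl_lines:
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # the 'ip access-list' header line
        action, addr, wildcard = m.groups()
        if addr == "any" or entry_matches(dst, addr, wildcard or "0.0.0.0"):
            return action
    return "deny"


if __name__ == "__main__":
    hosts = parse_ipv4_answers(SAMPLE_NSLOOKUP)
    print("\n".join(host_deny_acl("die google", hosts)))
    net = covering_prefix(hosts)
    print("\n".join(subnet_deny_acl("die google", net)))
    print("74.125.21.139 ->", acl_action(subnet_deny_acl("die google", net), "74.125.21.139"))
```

Run it as-is to print both forms of the list for the sample answers; `covering_prefix` returns 74.125.21.0/24 for them, which is why Tom's 0.0.0.255 wildcard covers all six hosts in one line. Feeding `acl_action` an address you do not intend to block (a printer, an internal server) before binding the ACL is a cheap way to catch a subnet deny that is wider than you meant.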

Mind blowing.........

Awesome!

You are really a great guy Tom.

Thank you very much.

All my issues related to ACL are resolved now.

Thanks Guru.
