Hello,
I am using an SG300-52 switch. I need to know: can I block some sites for a specific IP / MAC through this switch?
Please help me if someone can do it.
Hi Raheel,
The first consideration is that the access list is inbound only, so if you want to block a website, the ACL must be applied on a port connecting toward the host, not the uplink port.
A sample access list to block one of google.com's IP addresses would be like this:
ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
permit ip any any
The 0.0.0.0 represents a single host address. Then you need to bind it to an interface:
interface gigabitethernet5
service-acl input "die google"
Whatever connects to my port gi5 will not be able to access 74.125.21.139.
If a port is too defined for you, you can also bind the ACL to a VLAN.
-Tom
Please mark answered for helpful posts
Thanks for Help Tom.
I tried it, but I am really sorry to say it's not working. I am applying it via the web interface and failed to get the results. Can you help me again?
Thanks in advance.
Reverse your source and destination. Then go down to port binding, apply the ACL to the port that connects to your PC, and then try to ping from your PC. You can't use the ping tool on the switch.
Thanks Tom and Viningele for your help. I got the correct answer. Thank you very much.
One thing more: is it possible to block more than one IP, as some sites have more IPs, like Google etc.?
Hi Raheel, yes, so long as you know those addresses or if they're in the same subnet, you can block a whole subnet.
-Tom
Please mark answered for helpful posts
Tom
Thanks for help again!
Can you give me one example of it? Like, if I want to block google.com, what will be the entry, as Google has more than one IP? This is my last question in this regard.
Hi Raheel, one thing you can try is to use nslookup from your computer. Here is a sample from my computer:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserve
C:\Users\Tom>nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> nslookup google.com
Server: google.com
Addresses: 2607:f8b0:4002:c06::8a
74.125.21.113
74.125.21.100
74.125.21.138
74.125.21.101
74.125.21.139
74.125.21.102
*** google.com can't find nslookup: No response from server
From this output you can make your list. I will provide an example for each address and for this whole IP subnet.
Here is an example to block each individual address:
ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
deny ip any 74.125.21.113 0.0.0.0
deny ip any 74.125.21.100 0.0.0.0
deny ip any 74.125.21.138 0.0.0.0
deny ip any 74.125.21.101 0.0.0.0
deny ip any 74.125.21.102 0.0.0.0
permit ip any any
You may also block a whole subnet. This will block all 254 usable addresses in the 74.125.21.x address space:
ip access-list extended "die google"
deny ip any 74.125.21.1 0.0.0.255
permit ip any any
-Tom
Please mark answered for helpful posts
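An added example, not code from the thread or from Cisco, that automates the steps in Tom's two answers above: it pulls the IPv4 addresses out of the quoted nslookup output (the IPv6 answer is skipped because the ACL is IPv4), renders the "deny ... / permit ip any any" list in the wildcard form the SG300 expects, and walks the list the way the switch does (first match wins, bits set in the wildcard are don't-care) so you can confirm which destinations a host entry or a /24 entry catches before binding it to a port. The nslookup text is a constructed copy of the output quoted above, and the matching logic is a plain reimplementation of wildcard semantics, not switch code.

```python
import ipaddress
import re

# Constructed copy of the nslookup output quoted in the thread (IPv6 line kept on purpose).
NSLOOKUP_OUTPUT = """Server:  google.com
Addresses:  2607:f8b0:4002:c06::8a
          74.125.21.113
          74.125.21.100
          74.125.21.138
          74.125.21.101
          74.125.21.139
          74.125.21.102
"""

def ipv4_from_nslookup(text):
    """Return the unique IPv4 answers in nslookup output, in order; IPv6 answers are skipped (IPv4 ACL)."""
    found = []
    for token in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text):
        try:
            addr = str(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # a dotted string that is not a valid address
        if addr not in found:
            found.append(addr)
    return found

def wildcard_ace(network_cidr):
    """One 'deny ip any <net> <wildcard>' entry; the wildcard is the inverted mask (0.0.0.0 = single host).
    The thread wrote 74.125.21.1 0.0.0.255; the switch treats wildcard bits as don't-care, so .0 and .1 are equivalent."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    return f"deny ip any {net.network_address} {net.hostmask}"

def build_acl(name, networks):
    """Render the extended ACL the way the thread does: deny entries first, then 'permit ip any any'."""
    lines = [f'ip access-list extended "{name}"']
    lines += [wildcard_ace(n) for n in networks]
    lines.append("permit ip any any")
    return lines

def ace_matches(ace_net, ace_wildcard, address):
    """Wildcard comparison: every bit set in the wildcard is ignored, all other bits must be equal."""
    net, wc, addr = (int(ipaddress.IPv4Address(x)) for x in (ace_net, ace_wildcard, address))
    return (net | wc) == (addr | wc)

def acl_action(acl_lines, dst_address):
    """Walk the rendered ACL top-down for a destination; first match wins (source is 'any' throughout)."""
    for line in acl_lines[1:]:
        action, _proto, _src, dst, *rest = line.split()
        if dst == "any" or ace_matches(dst, rest[0], dst_address):
            return action
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    print("\n".join(build_acl("die google", [a + "/32" for a in ipv4_from_nslookup(NSLOOKUP_OUTPUT)])))
```

The addresses behind a name such as google.com change over time, so a list generated this way has to be re-resolved and re-applied periodically, or the deny entries silently stop covering the site.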
Mind blowing.........
Awesome!
You are really a great guy Tom.
Thank you very much.
All my issues related to ACLs are resolved now.
Thanks Guru.