01-21-2014 10:35 AM
Hello,
I am using an SG300-52 switch. I need to know: can I block some sites for a specific IP / MAC through this switch?
Please help me if someone can do it.
Solved! Go to Solution.
02-04-2014 03:42 PM
Hi Raheel,
The first consideration is that the access list is inbound only, so if you want to block a website, the ACL must be applied on a port connecting toward the host, not the uplink port.
A sample access list to block one of google.com's IP addresses would be like this:
ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
permit ip any any
The 0.0.0.0 represents a single host address. Then you need to bind it to an interface:
interface gigabitethernet5
service-acl input "die google"
Whatever connects to my port gi5 will not be able to access 74.125.21.139
If a port is too defined for you, you can also bind the ACL to a VLAN.
-Tom
Please mark answered for helpful posts
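The following is an added example, not code from the thread or from Cisco: a small Python model of how an extended ACL like the one above is evaluated. It shows what the wildcard masks 0.0.0.0 and 0.0.0.255 mean in terms of addresses matched, and why binding direction matters: bound inbound on the PC's port the packet carries the Google address as its destination and the deny line matches, but bound inbound on the uplink the same flow arrives with the Google address as its source and the line never matches. Assumptions are mine: first-match evaluation top to bottom, an implicit deny at the end, a wildcard bit of 1 meaning "don't care", and only `ip` ACEs with `any` or `<addr> <wildcard>` operands being modelled; the two ACL texts are copied from the thread as constructed input.

```python
"""Added example (not the thread's or Cisco's code): model of extended ACL
evaluation with Cisco-style wildcard masks, first match wins, implicit deny."""
import ipaddress
from dataclasses import dataclass

# The two ACLs from the thread, copied here as constructed input.
HOST_ACL = """\
ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
permit ip any any
"""
SUBNET_ACL = """\
ip access-list extended "die google"
deny ip any 74.125.21.1 0.0.0.255
permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    src: str         # "any" or a dotted address
    src_wild: str    # wildcard mask (ignored when src is "any")
    dst: str
    dst_wild: str


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_addr: str, ace_addr: str, wildcard: str) -> bool:
    """True when packet_addr equals ace_addr on every bit where the wildcard is 0."""
    if ace_addr == "any":
        return True
    care = ~_as_int(wildcard) & 0xFFFFFFFF          # bits that must be equal
    return (_as_int(packet_addr) & care) == (_as_int(ace_addr) & care)


def addresses_covered(wildcard: str) -> int:
    """Number of addresses a wildcard matches: 2 ** (count of 1 bits)."""
    return 1 << bin(_as_int(wildcard)).count("1")


def parse_acl(text: str) -> list:
    """Parse the ACE lines; the 'ip access-list extended' header is skipped."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        if toks[1] != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled: {line}")
        operands, i = [], 2
        while i < len(toks):
            if toks[i] == "any":
                operands.append(("any", "255.255.255.255"))
                i += 1
            else:
                operands.append((toks[i], toks[i + 1]))
                i += 2
        (src, sw), (dst, dw) = operands
        aces.append(Ace(toks[0], src, sw, dst, dw))
    return aces


def evaluate(acl: list, src: str, dst: str) -> str:
    """Return the action of the first matching ACE, or the implicit deny."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)):
            return ace.action
    return "deny"


if __name__ == "__main__":
    pc, google = "192.168.1.10", "74.125.21.139"   # constructed sample hosts
    host_acl = parse_acl(HOST_ACL)
    # Bound inbound on the PC's port: the PC's outgoing packet has dst=google.
    print("PC -> google, ACL on host port:", evaluate(host_acl, pc, google))
    # Bound inbound on the uplink: the packet arriving there has src=google,
    # dst=PC, so 'deny ip any 74.125.21.139' does not match and nothing is blocked.
    print("google -> PC, ACL on uplink port:", evaluate(host_acl, google, pc))
    print("0.0.0.0 covers", addresses_covered("0.0.0.0"), "address,",
          "0.0.0.255 covers", addresses_covered("0.0.0.255"))
```

Run as a script it prints `deny` for the host-port case and `permit` for the uplink case, which is the symptom the thread's "not working" reply describes when the ACL is bound on the wrong port or with source and destination swapped.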
02-05-2014 06:58 AM
Thanks for Help Tom.
I tried it, but I'm really sorry to say it's not working. I am applying it via the web interface and failed to get the results. Can you help me again?
Thanks in advance.
02-05-2014 07:33 AM
Reverse your source and destination. Then go down to port binding and apply the ACL to the port that connects to your PC, and then try to ping from your PC. You can't use the ping tool on the switch.
02-05-2014 11:25 AM
Thanks Tom and Viningele for your help. I got the correct answer. Thank you very much.
One thing more: is it possible to block more than 1 IP, as some sites have more IPs, like Google etc.?
02-05-2014 03:34 PM
Hi Raheel, yes, so long as you know those addresses or if they're in the same subnet, you can block a whole subnet.
-Tom
Please mark answered for helpful posts
02-07-2014 06:48 AM
Tom
Thanks for help again!
Can you give me one example of it, like if I want to block google.com, what will the entry be, as Google has more than 1 IP? This is my last question in this regard.
02-07-2014 06:59 AM
Hi Raheel, one thing you can try to do is use nslookup from your computer. Here is a sample from my computer:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserve
C:\Users\Tom>nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
> nslookup google.com
Server: google.com
Addresses: 2607:f8b0:4002:c06::8a
74.125.21.113
74.125.21.100
74.125.21.138
74.125.21.101
74.125.21.139
74.125.21.102
*** google.com can't find nslookup: No response from server
From this output you can make your list. I will provide an example for each address and for this whole IP subnet.
Here is an example to block each individual address:
ip access-list extended "die google"
deny ip any 74.125.21.139 0.0.0.0
deny ip any 74.125.21.113 0.0.0.0
deny ip any 74.125.21.100 0.0.0.0
deny ip any 74.125.21.138 0.0.0.0
deny ip any 74.125.21.101 0.0.0.0
deny ip any 74.125.21.102 0.0.0.0
permit ip any any
You may also block a whole subnet. This will block all 254 usable addresses in the 74.125.21.x address space:
ip access-list extended "die google"
deny ip any 74.125.21.1 0.0.0.255
permit ip any any
-Tom
Please mark answered for helpful posts
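As an added example (not Tom's or Cisco's code), the script below turns nslookup output like the session above into the two ACL variants from this reply: one deny line per resolved address, and one summarized line covering the smallest prefix that holds all of them. It also reports how many addresses the summary blocks beyond the ones actually resolved, which is the trade-off of the subnet approach. The nslookup lines are the thread's output copied as constructed input; the ACE syntax follows the lines in the reply; IPv6 answers are reported separately because an `ip` ACL only matches IPv4.

```python
"""Added example (not the thread's or Cisco's code): generate SG300-style
ACL lines from nslookup output, per host and as one summarized prefix."""
import ipaddress

# Constructed input: the answer lines from the nslookup session in the thread.
NSLOOKUP_OUTPUT = """\
Server: google.com
Addresses: 2607:f8b0:4002:c06::8a
74.125.21.113
74.125.21.100
74.125.21.138
74.125.21.101
74.125.21.139
74.125.21.102
*** google.com can't find nslookup: No response from server
"""


def extract_addresses(text: str):
    """Return (ipv4_list, ipv6_list) of every address literal found, in order."""
    v4, v6 = [], []
    for tok in text.split():
        try:
            ip = ipaddress.ip_address(tok.strip(",;"))
        except ValueError:
            continue                      # not an address literal, skip it
        (v4 if ip.version == 4 else v6).append(ip)
    return v4, v6


def summarize(addrs):
    """Smallest single prefix containing every address (may over-block)."""
    net = ipaddress.ip_network(addrs[0])  # starts as a /32
    while not all(a in net for a in addrs):
        net = net.supernet()              # widen by one bit until all fit
    return net


def per_host_acl(name: str, addrs) -> list:
    """One 'deny ... 0.0.0.0' line per address, then permit the rest."""
    lines = [f'ip access-list extended "{name}"']
    lines += [f"deny ip any {a} 0.0.0.0" for a in addrs]
    lines.append("permit ip any any")
    return lines


def subnet_acl(name: str, addrs) -> list:
    """A single deny line using the summarized prefix and its wildcard mask."""
    net = summarize(addrs)
    return [f'ip access-list extended "{name}"',
            f"deny ip any {net.network_address} {net.hostmask}",
            "permit ip any any"]


def overblock(addrs) -> int:
    """How many extra addresses the summarized prefix denies beyond the resolved ones."""
    return summarize(addrs).num_addresses - len(set(addrs))


if __name__ == "__main__":
    v4, v6 = extract_addresses(NSLOOKUP_OUTPUT)
    print("\n".join(per_host_acl("die google", v4)))
    print()
    print("\n".join(subnet_acl("die google", v4)))
    print(f"\nsummary prefix {summarize(v4)} over-blocks {overblock(v4)} addresses")
    if v6:
        print("IPv6 answers not covered by an 'ip' ACL:", ", ".join(map(str, v6)))
```

The resolved set is a snapshot: a later lookup can return different addresses, so a list built this way needs re-checking, and the summarized line trades precision for brevity (here one /24 for six hosts).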
02-07-2014 07:54 AM
Mind blowing.........
Awesome!
You are really a great guy Tom.
Thank you very much.
All my issues related to ACL are resolved now.
Thanks Guru.