
SG300 ACL question

jlythompson
Level 1

I have a question about typing up an ACL and how to allow one website but block another with my sg300-52 switch.

The website I want to block is youtube.com but I want to allow maps.google.com or anything else besides youtube.

Now if I do an nslookup, we get these entries.

Non-authoritative answer:
Name: youtube.com
Addresses: 2607:f8b0:4009:806::1009
74.125.225.14
74.125.225.6
74.125.225.4
74.125.225.8
74.125.225.0
74.125.225.9
74.125.225.7
74.125.225.2
74.125.225.3
74.125.225.1
74.125.225.5

Non-authoritative answer:
Name: maps.google.com
Addresses: 2607:f8b0:4009:806::100e
74.125.225.5
74.125.225.9
74.125.225.6
74.125.225.2
74.125.225.7
74.125.225.3
74.125.225.8
74.125.225.14
74.125.225.4
74.125.225.1
74.125.225.0

With these two sites using the same IPs, if I use my "deny ip any <ip address> 0.0.0.0" on all those IP addresses, both will get blocked.

Any way to block one while allowing the other?

5 Replies

Mark Malone
VIP Alumni

SG300s are low-end devices, and even on some higher-end routers it's hard to block by URL. Firewalls are really your friend here, or some type of software DNS/URL filter. But you could try this: access it by console CLI and try applying a class map with a policy map to your VLAN interface or WAN interface.

class-map match-any BlockGoogle
    match protocol http url *.google.*

policy-map BlockGoogle
    class BlockGoogle
        drop

interface gig 0/1
    description WAN Interface
    ip address x.x.x.x x.x.x.x
    service-policy output BlockGoogle

Thank you, and that makes sense, but I haven't ever done class maps before with this SG300. The syntax for the commands makes sense for what you gave me, but it wants it in a different form.

Any good recommendations for references you like that might cover this switch and class-map creation? Because if I follow the switch, when it's trying to make that class map it wants it input as "class-map youtubeblock match-any", which goes to (config-cmap), and then for the match command it is looking for an ACL.

Yes, that's a problem. It sounds like it doesn't support protocol NBAR matching, which other enterprise switches would. Sorry, that's all I had; it would work on some routers. These SB routers are very limited.

Another way is through their PCs: just block them through the Windows hosts file. You can specify the websites they can't reach and block them at the source rather than at the router.

http://www.pcworld.com/article/249077/how_to_block_websites.html

Ok, so that works: I can block the website by redirecting it to the local host if I come across the problem of two websites using the same IP address and needing to block only one. And of course I only needed to do this because of the switch I was using.
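The problem in the original question (an IP-based ACL on the SG300 blocks every hostname that shares the denied addresses) and the hosts-file workaround above, modelled as an added example that is not from this thread or from Cisco. The address sets are constructed from the nslookup output quoted in the question; the sample flow, the ACE wording and the "www." hosts-file line are the example's own assumptions.

```python
# Added example: why a Layer-3 ACL cannot separate two hostnames that
# resolve to the same addresses, and what a name-based block sees instead.
from ipaddress import ip_address

# Constructed from the post's nslookup output (IPv4 only): both names
# resolve to the same eleven addresses in 74.125.225.0/24.
_SHARED = {f"74.125.225.{n}" for n in (0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 14)}
RESOLVED = {"youtube.com": set(_SHARED), "maps.google.com": set(_SHARED)}


def sg300_deny_lines(hostname, resolved=RESOLVED):
    """Layer-3 ACE lines in the form the poster used (deny ip any <ip> 0.0.0.0)."""
    return [f"deny ip any {ip} 0.0.0.0"
            for ip in sorted(resolved[hostname], key=ip_address)]


def collateral(hostname, resolved=RESOLVED):
    """Other hostnames an IP-based deny of `hostname` would also block."""
    denied = resolved[hostname]
    return sorted(h for h, ips in resolved.items() if h != hostname and ips & denied)


def l3_verdict(dst_ip, blocked_hostname, resolved=RESOLVED):
    """What an IP ACL sees: only the destination address, never the site name."""
    return "deny" if dst_ip in resolved[blocked_hostname] else "permit"


def l7_verdict(http_host, blocked_hostname):
    """What a URL/DNS filter sees: the requested hostname (Host header or SNI)."""
    return "deny" if http_host == blocked_hostname else "permit"


def hosts_file_lines(hostname):
    """Windows hosts-file lines that sink only the blocked name (the thread's
    workaround). The hosts file matches exact names, so 'www.' needs its own
    line; that second line is an assumption of this example, not from the thread."""
    return [f"127.0.0.1 {hostname}", f"127.0.0.1 www.{hostname}"]


if __name__ == "__main__":
    print("\n".join(sg300_deny_lines("youtube.com")))
    print("also blocked by those ACEs:", collateral("youtube.com"))
    # Constructed flow: a request for maps.google.com landing on a shared address.
    print("L3:", l3_verdict("74.125.225.5", "youtube.com"),
          "L7:", l7_verdict("maps.google.com", "youtube.com"))
    print("\n".join(hosts_file_lines("youtube.com")))
```

Running it prints the eleven deny lines, shows that maps.google.com is collateral damage of the IP-based deny, and shows the same flow permitted when the decision is made on the hostname instead.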

Thinkalso
Level 1

Surprising. How is it possible for two websites to use the same IP? ... Thinkalso