How to create an Access list on core switch to block all Internet Traffic & allow some specific Internet Traffic

vishwasjaiswal
Level 1

Hello Everyone,

I am trying to create an Access-List on my Core Switch, in which I want to allow a few internet websites & block the rest of them.

I want to allow the whole Intranet, but a few intranet websites also need access to the internet.

Can we create such an Access-List with the above requirement?

I tried to create the ACL on the switch but it blocks the whole internet access.

I want to do it for a subnet, not for a specific IP.

Can someone help me in creating such an access list?

Thanks in Advance

1 Reply

Marvin Rhoads
Hall of Fame

The exact syntax depends on your subnets and how they connect to the Internet. If you can share a simple diagram that would be much more informative.

In general just remember that access-lists are parsed from the top down and as soon as a match is found, the processing stops. So you put the most specific rules at the top. Also, once you add an access-list, there is an implicit "deny any any" at the end.

The best approach is to create some network object-groups and then refer to them in your access list. From your description, that would be something like three object-groups - one for the Intranet (Intranet), one for the allowed servers that can use Internet (allowed_servers), and a third for the permitted Internet sites (allowed_sites).

You would then use them as follows:

ip access-list extended main_acl
 ! most specific rule first; object-group names are case-sensitive
 permit ip any object-group Intranet
 permit ip object-group allowed_servers object-group allowed_sites
 ! anything not matched above hits the implicit "deny any any"
!
interface vlan
 ip access-group main_acl in

More details on the syntax and examples can be found here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/sec-object-group-acl.html#GUID-BE5C124C-CCE0-423A-B147-96C33FA18C66
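As an added example (not part of the reply above and not Cisco's own code), here is a small Python model of how the switch walks that ACL: it parses the reply's three object-groups and the two permit lines from a constructed config fragment with placeholder addresses, assumes the "ip" protocol keyword, and applies top-down first-match with the implicit deny at the end, so you can see which flows the object-groups actually permit before loading the ACL on the core switch.

```python
import ipaddress

# Constructed IOS fragment: the reply's three object-groups with placeholder
# addresses; the "ip" protocol keyword is assumed (the reply's lines omit it).
CONFIG = """
object-group network Intranet
 10.0.0.0 255.0.0.0
object-group network allowed_servers
 host 10.1.1.10
object-group network allowed_sites
 host 203.0.113.10
ip access-list extended main_acl
 permit ip any object-group Intranet
 permit ip object-group allowed_servers object-group allowed_sites
"""

def _spec(tokens):  # consume one address spec: any | host A | object-group NAME
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse(config):  # -> ({group: [networks]}, [(action, src_spec, dst_spec)])
    groups, acl, target = {}, [], None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        if w[:2] == ["object-group", "network"]:
            target = groups.setdefault(w[2], [])
        elif w[:3] == ["ip", "access-list", "extended"]:
            target = acl
        elif target is acl:                      # ACE: permit|deny ip SRC DST
            src, rest = _spec(w[2:])
            acl.append((w[0], src, _spec(rest)[0]))
        elif target is not None:                 # member: "host A" or "A MASK"
            target.append(ipaddress.ip_network(w[1] if w[0] == "host" else f"{w[0]}/{w[1]}"))
    return groups, acl

def _matches(spec, addr, groups):
    kind, value = spec
    if kind == "any":
        return True
    if kind == "host":
        return addr == ipaddress.ip_address(value)
    return any(addr in net for net in groups[value])   # kind == "object-group"

GROUPS, ACL = parse(CONFIG)
def check(src, dst):
    """Evaluate top-down: first matching ACE wins, no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in ACL:
        if _matches(s, src, GROUPS) and _matches(d, dst, GROUPS):
            return action
    return "deny"
```

Note that with these two lines an allowed server still only reaches the sites in allowed_sites; every other Internet destination, from any source, falls through to the implicit deny.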
