mattershost.blogg.se

Cisco mac address block on dell switch







You can remove the ACL from the interface as follows: no ip access-group BLOCKSOCIAL in

Delete the ACL like this: no ip access-list extended BLOCKSOCIAL

Or, to write less, apply it only to the server's port facing the Internet, if there is one: interface TenGigabitEthernet3/2

If you want to block more sites, add their addresses to the same ACL, since only one ACL can be applied to an interface.

Apply the created ACL to the port facing the clients: interface GigabitEthernet1/1

Instead of a subnet mask, you need to specify a wildcard mask: for example, for a /24 mask specify 0.0.0.255, for /22 specify 0.0.3.255, and so on; you can work these out with any IP calculator.


The line “permit ip any any” is required at the end.

You can also specify a particular network or, for example, a single address as the source, to deny it access to another address: deny ip host 192.168.5.1 host 192.168.11.54

The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.

Suppose we need to block users' access to a certain site, a network node, or, for example, the social network VKontakte.

First, we find out the range of IP addresses on which the site is located; for example, we search for VKontakte on bgp.he.net. Here, for example, is the list of subnets for one of the ASes belonging to VKontakte: “”.

Then create an extended ACL, for example with the name BLOCKSOCIAL: ip access-list extended BLOCKSOCIAL

For the test I use a Cisco Catalyst 6509-E switch.

Blocking social networks on Cisco


View full configuration: show running-config


Information about ports can be viewed with the command: show interfaces NAME switchport

Now the ports on which the switchport protected command is configured do not see the other ports on which this command is also configured; they see only the ports where it is not configured, that is, in our case, the first gigabit uplink port, and that port sees all ports, with and without the command.

Then we issue the switchport protected command for all access ports: interface range fastEthernet 1/0/1-48

Accordingly, we did not touch interface gigabitEthernet 1/0/1.

To do this, connect to the switch and enter configuration mode: enable

We need all the ports on this switch to not see each other and to see only the first gigabit uplink port.

Good times. Thanks again for all your thoughts, I'll keep you updated as I figure out more.

For the test, I will configure a Cisco Catalyst WS-C3750-48TS-S.

So, all ports are configured as access ports, except for the first Gigabit uplink port, which is configured as a trunk and receives the Internet on the client VLAN with a tag.

My next plan is to hook a laptop directly to one of the switch ports and see if that makes life any easier.

If this is the case then it's more or less unfindable because I'm not going to scan all of the possible private IP address and subnet combos as there are way way way too many.

As someone astutely pointed out I could use CDP. Problem is I need a device in the correct subnet and if I knew what the correct subnet was I'd be in a much better place.


This leaves two options I can think of.

1) The original sysadmin didn't change the IP from the default (which I think makes this impossible)

2) The original sysadmin, for reasons beyond understanding, chose an IP in some totally different subnet.

After using several programs that scan the entire subnet we use (192.168.1.0/24) I've concluded the device is not to be found.

I want to thank everyone for the help they've put in so far and give an update.






