Nothing complicated, just create an ACL rule, due to which on certain ports the switch will drop or pass packets that go to client port 67 from a DHCP server and thus it will not receive IP from unnecessary DHCP servers.Continue reading “Blocking DHCP packets on D-Link DES-38xx”
In this article I will give some examples of blocking IP addresses, MAC addresses, DHCP packets from DHCP servers, etc.Continue reading “ACL Examples for D-Link Switches”
To block multicast ip addresses I will use ACL. Using an example of multicast, IPTV is broadcast via D-Link DGS-3612G and suppose that some channels need to be blocked, for this we create the following ACL rules:Continue reading “Blocking multicast IP addresses on D-Link”
Let’s say we want to configure the ACL (access control list) on the Ubiquiti access point.
In the web interface of the device, open the tab “Wireless“.
At the very bottom opposite “MAC ACL:” tick the “Enable“.
And choose “Policy:“, on “Allow” (means that there will be devices on the list that are allowed to connect, all who are not registered – can not) or “Deny” (in the list of devices that can not be connected, and everyone else can).
By clicking on the button “ACL…“, in the opened window to add the device, in the first field we indicate its MAC, in the second one any desired description and click “Add“, later “Save“.
And the last stage is at the top click the button “Apply“, after which the changes are saved and applied without loss of communication with the device (without rebooting).
On the test I use the Cisco Catalyst 6509-E switch.
Suppose we need to block access to users to a certain site, a network node, or for example a social network VKontakte.
First, we know the range of IP addresses on which the site is located, for example, we search VKontakte on bgp.he.net, here is for example the list of subnets for one of the AS belonging to VKontakte “http://bgp.he.net/AS47541#_prefixes”.
And create an extended ACL for example with the name BLOCKSOCIAL:
ip access-list extended BLOCKSOCIAL deny ip any 220.127.116.11 0.0.63.255 deny ip any 18.104.22.168 0.0.7.255 deny ip any 22.214.171.124 0.0.7.255 deny ip any 126.96.36.199 0.0.15.255 deny ip any 188.8.131.52 0.0.63.255 deny ip any 184.108.40.206 0.0.0.255 deny ip any 220.127.116.11 0.0.3.255 permit ip any any exit
The rule above indicates that you want to block traffic to the specified networks coming from all (any) sources.
You can specify as a source a specific network or for example one address to deny access to another address:
deny ip host 192.168.5.1 host 192.168.11.54
The line “permit ip any any” should be necessary at the end.
Instead of a subnet mask, you need to specify the Wildcard, for example, for the mask /24, specify 0.0.0.255, for /22 – 0.0.3.255, etc., you can look at and count on any IP calculator.
/17 – 0.0.127.255
/18 – 0.0.63.255
/19 – 0.0.31.255
/20 – 0.0.15.255
/21 – 0.0.7.255
/22 – 0.0.3.255
/23 – 0.0.1.255
/24 – 0.0.0.255
If you want to block more sites, we’ll add the addresses to the same ACL, since only one can be applied to the ACL interface.
Apply the created ACL to the port looking towards the clients:
interface GigabitEthernet1/1 ip access-group BLOCKSOCIAL in
Or, to write less only to the server’s server port on the Internet, if there is one:
interface TenGigabitEthernet3/2 ip access-group BLOCKSOCIAL in
You can cancel the ACL interface as follows:
no ip access-group BLOCKSOCIAL in
Delete the ACL like this:
no ip access-list extended BLOCKSOCIAL
If you block sites on the port from the server to the clients, then in the ACL rule we will change the addresses in the following places:
ip access-list extended BLOCKSOCIAL deny ip 18.104.22.168 0.0.63.255 any deny ip 22.214.171.124 0.0.7.255 any deny ip 126.96.36.199 0.0.7.255 any deny ip 188.8.131.52 0.0.15.255 any deny ip 184.108.40.206 0.0.63.255 any deny ip 220.127.116.11 0.0.0.255 any deny ip 18.104.22.168 0.0.3.255 any deny ip host 192.168.5.1 any permit ip any any exit