
ACL to block Routing

richard.raehal
Level 1

I have a Cisco 2800 router.  I have been noticing a lot of traffic to Pandora lately.  At times my pipe is 25% music streaming and my router utilization can be quite high.  Our web filtering is a hosted service that does not block all traffic depending on some of the ports.  It is really designed for port 80 and 443 only.

We decided we want to block access to Pandora completely on both our primary internal LANs and our Guest wireless LANs.

When I perform the ARIN lookup, I get these results for the IP range:

NetRange: 208.85.40.0 - 208.85.47.255

CIDR: 208.85.40.0/21

The CIDR notation does not make sense to me entirely.  The IP range includes 8 class C networks.  The /21 is a class B subnet of 255.255.248.0 or a router broadcast address for routing tables (depending on how you want to look at it).  I was not sure if I could block the address based on the router CIDR range or if I had to use the individual classful IP ranges.

Should I block "208.85.40.0 0.0.7.255" in my ACL or should I create 8 entries to block the networks like this?

208.85.40.0 0.0.0.255

208.85.41.0 0.0.0.255

.

.

Thanks.

5 Replies

richard.raehal
Level 1

I forgot to mention that a lot of the Pandora traffic is from guest devices on the Guest Wireless LAN.  One of the reasons we wanted to use the ACL is so I can block things on a device I can control.

pjmonline
Level 1

Also, another option is to add the Pandora domain in DNS and point it to an invalid IP address.

Sent from Cisco Technical Support iPhone App

AJ Cruz
Level 3

The CIDR notation is just shorthand for the range you mentioned. 208.85.40.0/21 = 208.85.40.0 255.255.248.0 = 208.85.40.0 0.0.7.255 (wildcard mask).

You could also do what the previous poster said, or you could use application recognition in a policy map applied to a router interface. Something like this:

class-map BAD_URLS
 match protocol http url domain.com
!
policy-map DROP_BAD_STUFFS
 class BAD_URLS
  drop
 class class-default
!
interface VlanX
 service-policy input DROP_BAD_STUFFS

Sent from Cisco Technical Support iPad App

I will read about application recognition and may use that.  I have never used it before.

If I do apply an ACL rule using 208.85.40.0 0.0.7.255 as my block, will it also block other IPs such as 208.84.48-49.0 which are not Pandora IPs?  I guess I am not fully sure how the router would apply the mask to other similar class C addresses if I needed to access them.  Does that make sense?

208.85.40.0 0.0.7.255 would block traffic to the range 208.85.40.0-208.85.47.255, nothing else.

On the application recognition, I gave you the wrong parameter "url".

"URL" matches to the right of the domain, the keyword "HOST" matches the domain itself.

So if you wanted to match pandora.com it would be:

class-map BAD_URLS
 match protocol http host pandora.com

Wildcards are allowed as well.
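To make the CIDR-to-wildcard conversion and the matching behaviour from the two replies above concrete, here is an added worked example (not code from the thread or from Cisco). It converts the 208.85.40.0/21 prefix quoted in the question into an IOS subnet mask and wildcard mask, emulates how a single ACL entry decides whether an address matches, and shows that one /21 entry and eight /24 entries match exactly the same 2048 hosts and nothing outside them. The probe addresses and the numbered ACL 101 are constructed for illustration only.

```python
import ipaddress

# Added example, not from the thread. The prefix is the one quoted in the
# question; everything else (probe addresses, ACL number 101) is constructed.
PANDORA_PREFIX = "208.85.40.0/21"


def cidr_to_wildcard(cidr):
    """Return (network, subnet mask, wildcard mask) strings for a CIDR prefix.

    The wildcard mask is the bitwise inverse of the subnet mask, which is the
    form Cisco IOS access lists expect (0.0.7.255 for a /21).
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.network_address), str(net.netmask), str(net.hostmask)


def acl_matches(address, acl_network, wildcard):
    """Emulate how one IOS ACL entry matches an address.

    A wildcard bit of 0 means "this bit must equal the configured network";
    a wildcard bit of 1 means "don't care". The address matches when it agrees
    with the configured network on every bit the wildcard says to check.
    """
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(acl_network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits we must compare
    return (a & care) == (n & care)


def split_entries(cidr, new_prefix):
    """Break a prefix into equal subnets, one (network, wildcard) pair each.

    This is the "eight /24 entries" alternative from the question.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    return [(str(s.network_address), str(s.hostmask))
            for s in net.subnets(new_prefix=new_prefix)]


def matched_set(entries, cidr_to_scan):
    """Return every address inside cidr_to_scan that any entry matches.

    Scanning a block wider than the ACL range shows that neighbouring
    networks (e.g. 208.85.48.0/24) are not caught by the /21 entry.
    """
    scan = ipaddress.IPv4Network(cidr_to_scan, strict=False)
    return {str(a) for a in scan
            if any(acl_matches(str(a), n, w) for n, w in entries)}


def render_acl(entries, acl_number=101):
    """Render deny entries as IOS numbered extended ACL lines plus a final permit."""
    lines = [f"access-list {acl_number} deny ip any {n} {w}" for n, w in entries]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    net, mask, wild = cidr_to_wildcard(PANDORA_PREFIX)
    print(f"{PANDORA_PREFIX} -> {net} {mask} -> wildcard form {net} {wild}")
    for probe in ("208.85.40.1", "208.85.47.255", "208.85.48.0", "208.85.39.255"):
        print(f"{probe:16} matched: {acl_matches(probe, net, wild)}")
    one = [(net, wild)]
    eight = split_entries(PANDORA_PREFIX, 24)
    # Scan 208.85.32.0/19 (208.85.32.0-208.85.63.255) so the scan extends past both ends of the block.
    same = matched_set(one, "208.85.32.0/19") == matched_set(eight, "208.85.32.0/19")
    print("single /21 entry matches the same hosts as eight /24 entries:", same)
    print("\n".join(render_acl(one)))
```

The single entry form, `access-list 101 deny ip any 208.85.40.0 0.0.7.255`, is applied in the same direction and on the same interface as the eight-line version and is simpler to maintain; the scan in the script is the check to run whenever a wildcard mask is not a clean /24 and you want to confirm exactly which neighbouring addresses it does and does not cover.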
