03-21-2012 02:53 PM - edited 03-04-2019 03:45 PM
I have a Cisco 2800 router. I have been noticing a lot of traffic to Pandora lately. At times my pipe is 25% music streaming and my router utilization can be quite high. Our web filtering is a hosted service that does not block all traffic depending on some of the ports. It is really designed for port 80 and 443 only.
We decided we want to block access to Pandora completely on both our primary internal LANs and our Guest wireless LANs.
When I perform the ARIN lookup, I get these results for the IP range:
NetRange: 208.85.40.0 - 208.85.47.255
CIDR: 208.85.40.0/21
The CIDR notation does not make sense to me entirely. The IP range includes 8 class C networks. The /21 is a class b subnet of 255.255.248.0 or a router broadcast address for routing tables (depending on how you want to look at it). I was not sure if I could block the address based on the router CIDR range or if I had to use the individual classful IP ranges.
Should I block "208.85.40.0 0.0.7.255" in my ACL or should I create 8 entries to block the networks like this?
208.85.40.0 0.0.0.255
208.85.41.0 0.0.0.255
.
.
Thanks.
03-21-2012 02:54 PM
I forgot to mention that a lot of the Pandora traffic is from guest devices on the Guest Wireless LAN. One of the reasons we wanted to use the ACL is so I can block things on a device I can control.
03-21-2012 04:11 PM
Also, another option is to add the Pandora domain in DNS and point it to an invalid IP address.
Sent from Cisco Technical Support iPhone App
03-21-2012 08:47 PM
The CIDR notation is just shorthand for the range you mentioned. 208.85.40.0/21 = 208.85.40.0 255.255.248.0 = 208.85.40.0 0.0.7.255 (wildcard mask).
You could also do what the previous poster said, or you could use application recognition in a policy map applied to a router interface. Something like this:
class-map BAD_URLS
 match protocol http url domain.com
!
policy-map DROP_BAD_STUFFS
 class BAD_URLS
  drop
 class class-default
!
interface VlanX
 service-policy input DROP_BAD_STUFFS
Sent from Cisco Technical Support iPad App
03-22-2012 08:15 AM
I will read about application recognition and may use that. I have never used it before.
If I do apply an ACL rule using 208.85.40.0 0.0.7.255 as my block, will it also block other IPs such as 208.84.48-49.0 which are not Pandora IPs? I guess I am not fully sure how the router would apply the mask to other similar class C addresses if I needed to access them. Does that make sense?
03-22-2012 08:30 AM
208.85.40.0 0.0.7.255 would block traffic to the range 208.85.40.0-208.85.47.255, nothing else.
On the application recognition, I gave you the wrong parameter, "url".
"URL" matches to the right of the domain; the keyword "HOST" matches the domain itself.
So if you wanted to match pandora.com it would be:
class-map BAD_URLS
 match protocol http host pandora.com
Wildcards are allowed as well.
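The wildcard-mask question discussed in this thread can be checked offline before an ACL entry goes on the router. The following Python sketch is an added example, not part of any post above; the function names are hypothetical and the test addresses in it are constructed. It derives the wildcard mask from the /21, applies the same bit-matching rule an ACL entry uses, and lists the eight per-/24 entries that the single /21 entry replaces.

```python
import ipaddress

def cidr_to_wildcard(cidr):
    """Return (base address, wildcard mask) as written in an ACL entry."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)

def acl_matches(base, wildcard, addr):
    """ACL wildcard rule: bits that are 0 in the wildcard must equal the
    base address; bits that are 1 in the wildcard are ignored."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def per_24_entries(cidr):
    """The per-/24 'address wildcard' pairs covered by one larger entry."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [f"{s.network_address} 0.0.0.255" for s in net.subnets(new_prefix=24)]

if __name__ == "__main__":
    base, wildcard = cidr_to_wildcard("208.85.40.0/21")
    print(f"ACL form: {base} {wildcard}")
    # Constructed test addresses: inside, at the edges of, and outside the range.
    for addr in ("208.85.40.1", "208.85.47.255", "208.85.39.255",
                 "208.85.48.1", "208.84.48.1"):
        verdict = "matched" if acl_matches(base, wildcard, addr) else "not matched"
        print(f"{addr:15} {verdict}")
    print("Equivalent /24 entries:")
    for entry in per_24_entries("208.85.40.0/21"):
        print(" ", entry)
```
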