  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Is this how most companies block access? I think we use something called Websense.

     Also, with Facebook having so many webservers in a farm for redundancy, would you in a real-world scenario block by IP or hostname?

  2. Hi Ruby,

    The time based access-list is basically the "poor man's" solution to block access on routers. You can use access-lists only to filter on L3/L4 information (IP addresses, protocols and port numbers) so you can't filter based on hostnames.

    One way to get around this is to block all prefixes that belong to a certain AS. For example, Facebook uses AS 32934. We can find their prefixes with whois:

    $ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
    route: 204.15.20.0/22
    route: 69.63.176.0/20
    route: 66.220.144.0/20
    route: 66.220.144.0/21
    route: 69.63.184.0/21
    route: 69.63.176.0/21
    route: 74.119.76.0/22
    route: 69.171.255.0/24
    route: 173.252.64.0/18
    route: 69.171.224.0/19
    route: 69.171.224.0/20
    route: 103.4.96.0/22
    route: 69.63.176.0/24
    route: 173.252.64.0/19
    route: 173.252.70.0/24
    route: 31.13.64.0/18
    route: 31.13.24.0/21
    route: 66.220.152.0/21
    route: 66.220.159.0/24
    route: 69.171.239.0/24
    route: 69.171.240.0/20
    route: 31.13.64.0/19
    route: 31.13.64.0/24
    route: 31.13.65.0/24
    route: 31.13.67.0/24
    route: 31.13.68.0/24
    route: 31.13.69.0/24
    route: 31.13.70.0/24
    route: 31.13.71.0/24
    route: 31.13.72.0/24
    route: 31.13.73.0/24
    route: 31.13.74.0/24
    route: 31.13.75.0/24
    route: 31.13.76.0/24
    route: 31.13.77.0/24
    route: 31.13.96.0/19
    route: 31.13.66.0/24
    route: 173.252.96.0/19
    route: 69.63.178.0/24
    route: 31.13.78.0/24
    route: 31.13.79.0/24
    route: 31.13.80.0/24
    route: 31.13.82.0/24
    route: 31.13.83.0/24
    route: 31.13.84.0/24
    route: 31.13.85.0/24
    route: 31.13.86.0/24
    route: 31.13.87.0/24
    route: 31.13.88.0/24
    route: 31.13.89.0/24
    route: 31.13.90.0/24
    route: 31.13.91.0/24
    route: 31.13.92.0/24
    route: 31.13.93.0/24
    route: 31.13.94.0/24
    route: 31.13.95.0/24
    route: 69.171.253.0/24
    route: 69.63.186.0/24
    route: 31.13.81.0/24
    route: 179.60.192.0/22
    route: 179.60.192.0/24
    route: 179.60.193.0/24
    route: 179.60.194.0/24
    route: 179.60.195.0/24
    route: 185.60.216.0/22
    route: 45.64.40.0/22
    route: 185.60.216.0/24
    route: 185.60.217.0/24
    route: 185.60.218.0/24
    route: 185.60.219.0/24
    route: 129.134.0.0/16
    route: 157.240.0.0/16
    route: 204.15.20.0/22
    route: 69.63.176.0/20
    route: 69.63.176.0/21
    route: 69.63.184.0/21
    route: 66.220.144.0/20
    route: 69.63.176.0/20

    You could create a script that fetches these prefixes and updates your access-list every now and then.

    For some more "serious" security, we use firewalls. Some firewalls are able to inspect the application layer so we can drop traffic based on the URL, payload, etc.

    Rene
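Rene's suggestion of a script that fetches the prefixes and rebuilds the access-list, as an added example that is not from the original thread: it parses the RADB `route:` lines, drops duplicates and prefixes already covered by a larger aggregate (the whois output above contains both), and renders a named extended ACL with an optional `time-range` so it fits the time-based ACL from the lesson. The ACL name, the time-range name, the `fetch_routes` helper and the sample whois text are assumptions.

```python
"""Turn RADB 'route:' output for an origin AS into Cisco ACL lines."""
import ipaddress
import re
import subprocess

ROUTE_RE = re.compile(r"^route:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample modelled on the whois output in the reply above;
# it is not a live query result.
SAMPLE_WHOIS = """\
route: 204.15.20.0/22
route: 69.63.176.0/20
route: 69.63.176.0/21
route: 69.63.184.0/21
route: 31.13.64.0/18
route: 31.13.64.0/24
route: 31.13.65.0/24
route: 204.15.20.0/22
"""


def fetch_routes(asn: str) -> str:
    """Run the same RADB query as the reply above (assumed helper; needs
    network access and a local whois client)."""
    cmd = ["whois", "-h", "whois.radb.net", "--", f"-i origin {asn}"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_prefixes(whois_text: str):
    """Extract IPv4 prefixes from 'route:' lines, then drop exact duplicates
    and prefixes already covered by a larger one, so the ACL stays short."""
    nets = []
    for match in ROUTE_RE.finditer(whois_text):
        try:
            nets.append(ipaddress.IPv4Network(match.group(1), strict=False))
        except ValueError:
            continue  # skip malformed entries rather than abort the run
    return sorted(ipaddress.collapse_addresses(nets))


def acl_lines(prefixes, acl_name="BLOCK-AS32934", time_range=None):
    """Render a named extended ACL; Cisco wildcard mask == inverted netmask
    (ipaddress calls it hostmask). acl_name/time_range are assumed names."""
    suffix = f" time-range {time_range}" if time_range else ""
    lines = [f"ip access-list extended {acl_name}"]
    for net in prefixes:
        lines.append(f" deny ip any {net.network_address} {net.hostmask}{suffix}")
    lines.append(" permit ip any any")  # keep everything else flowing
    return lines
```

Apply the generated list with `ip access-group` on the user-facing interface as in the lesson; re-running the script periodically (cron) keeps the prefix list current.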

  3. Dear Rene,

    Thanks for your article.

    What will the periodic command be if we want to block traffic from Sunday to Thursday?

    br//
    zaman

  4. Hi Zaman,

    You can use some of the default periodic options:

    Router(config-time-range)#periodic ?
      Friday     Friday
      Monday     Monday
      Saturday   Saturday
      Sunday     Sunday
      Thursday   Thursday
      Tuesday    Tuesday
      Wednesday  Wednesday
      daily      Every day of the week
      weekdays   Monday thru Friday
      weekend    Saturday and Sunday

    Including "weekend".

    Rene
