This topic is to discuss the following lesson:
is this how most companies block access, i think we use something called websense?
also with facbeook having so many webservers in a farm for redundancy would you in real world scendario block by ip, or hostname?
The time based access-list is basically the “poor man’s” solution to block access on routers. You can use access-lists only to filter on L3/L4 information (IP addresses, protocols and port numbers) so you can’t filter based on hostnames.
One way to get around this is to block all prefixes that belong to a certain AS. For example, facebook uses AS 32934. We can find their prefixes with whois:
$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:' route: 220.127.116.11/22 route: 18.104.22.168/20 route: 22.214.171.124/20 route: 126.96.36.199/21 route: 188.8.131.52/21 route: 184.108.40.206/21 route: 220.127.116.11/22 route: 18.104.22.168/24 route: 22.214.171.124/18 route: 126.96.36.199/19 route: 188.8.131.52/20 route: 184.108.40.206/22 route: 220.127.116.11/24 route: 18.104.22.168/19 route: 22.214.171.124/24 route: 126.96.36.199/18 route: 188.8.131.52/21 route: 184.108.40.206/21 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/20 route: 126.96.36.199/19 route: 188.8.131.52/24 route: 184.108.40.206/24 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/24 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/19 route: 220.127.116.11/24 route: 18.104.22.168/19 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/24 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/24 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/24 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/24 route: 184.108.40.206/22 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/22 route: 184.108.40.206/22 route: 220.127.116.11/24 route: 18.104.22.168/24 route: 22.214.171.124/24 route: 126.96.36.199/24 route: 188.8.131.52/16 route: 184.108.40.206/16 route: 220.127.116.11/22 route: 18.104.22.168/20 route: 22.214.171.124/21 route: 126.96.36.199/21 route: 188.8.131.52/20 route: 184.108.40.206/20
You could create a script that fetches these prefixes and updates your access-list every now and then.
For some more “serious” security, we use firewalls. Some firewalls are able to inspect the application layer so we can drop traffic based on the URL, payload, etc.
Thanks for your article…
What will be the command periodic if we want to block traffic from Sunday to Thrusday ?
You can use some of the default periodic options:
Router(config-time-range)#periodic ? Friday Friday Monday Monday Saturday Saturday Sunday Sunday Thursday Thursday Tuesday Tuesday Wednesday Wednesday daily Every day of the week weekdays Monday thru Friday weekend Saturday and Sunday
In our client network,
The Cisco Layer 2 Switch 2960G port 15 which is connected to the L2VPN MPLS-TP network and each month or time not remembering , the port is getting down and they are changing the port to other 16 Which was also configured for the same service. Once contractor was done this but client want to know if there is any time based port security is enable or no, Kindly share your advise.
This is indeed a strange occurrence. You will have to look at the logs of the 2960 to see the reason for the disconnect of the port in the event that it is occurring because of a configuration on the switch. Do you have time based access lists set up in your switch? When you move to another port, does the service work until a month later or does it go down as well? Have you talked to the ISP to see if there is anything on their end making such behaviour occur.
Once these questions are answered, we may be able to help further…
The following gives an excellent example of an implementation of a time based access list. You can use this as a template and adjust the time periods to your specific needs.
I hope this has been helpful!
thanks Laz that was helpful