Using switch or router ACL to block streaming traffic
Home > IT Answers > Security > Using switch or router ACL to block streaming...
Labnuke99
26290 pts.
0
Q:
Using switch or router ACL to block streaming traffic
Firewalls, Security, Routers, NetScreen, Internet, WAN, Network traffic management, ACL, PIX, Cisco IOS, Streaming media
I would like to block streaming media requests using either the LAN switch or the site edge router. The site is on a private network and does not have a local firewall at the edge. Has anyone used Cisco ACL's for this purpose and if so, how did you do it? Or, would I be better implementing a Netscreen or PIX for this purpose?
ASKED: Nov 14 2008  6:44 PM GMT
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
RELATED QUESTIONS
0
Yasirirfan
2995 pts.
0
A:
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
  • AddThis Social Bookmark Button
Using ACLs is the hard way actually but you can use it if you want
for example open up your command prompt
type nslookup www.myspace.come >>>> a list with several ip addresses would come up you need to block traffic to and from them using an ACL
and to make things worse do nslookup myspace.com a different list would come up those also needs to be blocked, same applies to facebook for example

So my suggestion is to use Quality of Service
you need to identify whats your main office applications together with their port numbers and put those in a class with lets say 90% of the BW, and the web traffic port 80 and 8080 in a separate class with a minimal BW that way you have minimized the web problem for ever without worrying, because if users stopped using myspace they will use facebook and if they stopped facebook they can use online streaming , etc.....
however this requires some design considerations.
================
example for using the ACL

R1(config)#ip access-list extended BLOCK
R1(config-ext-nacl)#deny ip host 216.178.38.131 any
R1(config-ext-nacl)#deny ip any host 216.178.38.131
R1(config-ext-nacl)#deny ip host 216.178.39.14 any
R1(config-ext-nacl)#deny ip any host 216.178.39.14
........................... <><<<<<<< Insert all ip addresses here
R1(config-ext-nacl)#permit ip any any <<<<<<<<<< dont forget this


R1(config-if)#ip access-group BLOCK in <><<<< Apply this ACL to your LAN interface
R1(config-if)#ip access-group BLOCK out

You need a router to apply this access list.

Check this link too
Last Answered: Nov 15 2008  8:51 AM GMT by Yasirirfan   2995 pts.
  •   
0
0
RSS - Discussions Help
Discuss This Answer:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Labnuke99   26290 pts.  |   Nov 17 2008  5:50PM GMT

Thanks for the info. So, based on this answer, it is best to block by IP addresses. What if I wanted to block by TCP ports. Do you have any references about what should be blocked for streaming media? I want to block this inbound traffic to clients on a particular subnet. We will be adding offending user computers to this subnet so they will have this traffic blocked.

 

KevinBeaver   7610 pts.  |   Nov 29 2008  9:44PM GMT

This can be a difficult task because it seems like every type of streaming media is done a little differently. I’ve found the best thing for blocking (and subsequent monitoring) of this type of traffic is a Web content filtering system like those offered by Marshal Software, St. Bernard, etc.

 
0