Scott_Smith24

asked on

Block IP range with extended ACLs

So I have an extended ACL for inbound traffic on my WAN interface and I want to block all incoming traffic from a range of IPs. Specifically Spotify, which uses:

I tried the following:
deny ip any
deny ip
deny ip any
It doesn't seem to be working. What am I missing?
Nico Eisma

Traffic is initiated internally, as users will access the service out towards the internet; my suggestion is to do the filtering on the internal interface rather than the external interface.
Scott_Smith24

So how do I do that?
Nico Eisma

This solution is only available to members.

So here is what my internal interface looks like:
interface GigabitEthernet0/1
 description Internal Network$FW_INSIDE$
 ip address
 ip access-group internal_filter in
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

And the newly formed access list:

ip access-list extended internal_filter
 deny   ip
 deny   ip
 deny   ip
 permit ip any any

and a "sh access list":
Extended IP access list internal_filter
    10 deny ip
    20 deny ip
    30 deny ip
    40 permit ip any any (601589 matches)

But I'm getting nothing; it doesn't seem to be blocking the range of IPs.
Now I have 4 VLANs, but the computer I'm testing with is on the network
It seems that Spotify has a lot of IP ranges[search]=Spotify&commit=Search
Other forums mentioned some other IP ranges as well that they blocked.

I wouldn't suggest just going outright and blocking all the IP ranges without careful consideration first. What I can suggest:
Do a packet capture test first to identify which IP range Spotify is connecting to based on your region. Tools like CurrPorts and Wireshark can be used to do a packet capture. Based on your "show access list", nobody is hitting those subnets, so most likely you are reaching Spotify through another IP range.
Block the application in the host PC GPO.
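The two points raised in this thread, that an ACL applied inbound on the inside interface sees the user's outbound packet (so the blocked range belongs in the destination field) while an ACL applied inbound on the WAN interface only ever sees the reply (source field), and that entries with no hit counter in "show access-list" mean nobody is talking to those ranges, can both be checked offline. The following is an added example written for this page, not code from the thread or from Cisco: a small first-match evaluator for IOS-style extended ACL entries plus a parser for the counters. The service range (203.0.113.0/24, TEST-NET-3) and the client address are constructed stand-ins, since the thread does not reproduce the real ranges.

```python
"""Added example (not code from the thread): first-match evaluation of a
Cisco-style extended ACL in both placements discussed above, plus a parser
for `show access-list` hit counters so zero-hit entries stand out."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed values: TEST-NET-3 stands in for the streaming service's range
# and an RFC 1918 address for the inside test PC.
SERVICE_NET = ipaddress.ip_network("203.0.113.0/24")
SERVICE_HOST = ipaddress.ip_address("203.0.113.42")
CLIENT = ipaddress.ip_address("192.168.10.5")


def wildcard_to_network(addr, wildcard):
    """IOS 'A.B.C.D W.W.W.W' -> network; the wildcard is the inverted netmask."""
    wild = int(ipaddress.ip_address(wildcard))
    netmask = ipaddress.ip_address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_address(tokens, i):
    """Consume one ACE address field: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(config_text):
    """Parse 'deny ip <src> <dst>' / 'permit ip any any' lines, optionally
    prefixed with a sequence number, into (seq, action, src_net, dst_net)."""
    acl, seq = [], 0
    for line in config_text.strip().splitlines():
        tokens = line.split()
        if tokens[0].isdigit():
            seq, tokens = int(tokens[0]), tokens[1:]
        else:
            seq += 10                      # IOS auto-numbers in steps of 10
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are supported here: {line}")
        src, i = _take_address(tokens, 2)
        dst, _ = _take_address(tokens, i)
        acl.append((seq, action, src, dst))
    return acl


def first_match(acl, src, dst):
    """Return (seq, action) of the first ACE matching src/dst; (None, 'deny')
    is the implicit deny at the end of every IOS ACL."""
    for seq, action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return seq, action
    return None, "deny"


# Inside interface, 'ip access-group ... in': the user's own packet has the
# service as its DESTINATION, so the blocked range goes in the dst field.
INSIDE_IN_ACL = parse_acl("""
deny   ip any 203.0.113.0 0.0.0.255
permit ip any any
""")

# Outside interface, 'in': only packets arriving from the WAN are evaluated,
# i.e. the RETURN traffic, whose SOURCE is the service.
OUTSIDE_IN_ACL = parse_acl("""
deny   ip 203.0.113.0 0.0.0.255 any
permit ip any any
""")


def classify_session():
    """Evaluate client->service on the inside ACL, service->client on the
    outside ACL, and show that the inside-style ACE (dst = service) matches
    nothing when it is applied where only replies are seen."""
    return {
        "inside_in_forward": first_match(INSIDE_IN_ACL, CLIENT, SERVICE_HOST),
        "outside_in_reply": first_match(OUTSIDE_IN_ACL, SERVICE_HOST, CLIENT),
        "outside_in_wrong_field": first_match(INSIDE_IN_ACL, SERVICE_HOST, CLIENT),
    }


# IOS prints '(N matches)' only for entries that have been hit at least once.
SHOW_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+\S+\s+.*?(?:\s+\((\d+) matches\))?\s*$")

# Constructed output in the same shape as the "sh access list" in the thread.
SHOW_OUTPUT = """Extended IP access list internal_filter
    10 deny ip any 203.0.113.0 0.0.0.255
    20 deny ip any 198.51.100.0 0.0.0.255
    30 permit ip any any (601589 matches)
"""


def parse_show_counters(show_output):
    """Map sequence number -> hit count; missing suffix means zero hits."""
    counters = {}
    for line in show_output.splitlines():
        m = SHOW_RE.match(line)
        if m:
            counters[int(m.group(1))] = int(m.group(3) or 0)
    return counters


def unhit_entries(show_output):
    """Sequence numbers with zero hits: ranges nobody on the LAN is reaching."""
    return [seq for seq, hits in parse_show_counters(show_output).items() if hits == 0]


if __name__ == "__main__":
    for name, (seq, action) in classify_session().items():
        print(f"{name:24s} -> seq {seq} {action}")
    print("zero-hit entries:", unhit_entries(SHOW_OUTPUT))
```

Running it shows the deny entry hit in both correct placements, the permit entry hit when the destination field is used on the reply path, and sequence numbers 10 and 20 reported as zero-hit, which is exactly the situation in the "sh access list" above: a counter that only moves on the final permit says the listed ranges are not the ones the client is actually talking to, and a capture on the test PC is the right next step.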
That worked. I also used Little Snitch to see exactly what Spotify was using and was able to find the IP range that way.
Great! Glad you were able to accomplish your task and congratulations!