RE: Time-range ACL

From: Wojciech.Gebka@ssk.com.pl
Date: Sun Mar 09 2003 - 09:24:42 GMT-3


Thank you Scott,
that is the only example about time-range ACLs in the Cisco documentation I
found. In the example under your link they want to deny HTTP traffic Mo
to Fr from 8:00 to 18:00. Indeed, while the time-range is active the
access list on interface ethernet 0 is blocking WEB traffic. But I think
that WEB traffic is always blocked by that ACL. While the time-range
no-http is inactive, WEB traffic (likewise all other traffic, except UDP on
the weekend from 12:00 to 20:00) is blocked by the implicit deny any any at the end
of the ACL.

Example from Scott link:
"
Time Range Applied to an IP Access List Example
The following example denies HTTP traffic on Monday through Friday from
8:00 a.m. to 6:00 p.m. on IP. The example allows UDP traffic on Saturday
and Sunday from noon to 8:00 p.m. only.

time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit udp any any time-range udp-yes
!
interface ethernet 0
 ip access-group strict in
"

My consideration from my last mail has a second question:
If I bind a "dummy" (not defined) ACL to an interface, IOS does no filter
processing on that interface. That means no kind of packet is blocked. Packets
are sent to be checked by the ACL after I define the first line in the ACL.
If I have an ACL with only one line, with a time-range statement on the end,
it works similarly in the "active" period. What about the "inactive" period? Is
the ACL then defined or not? After my test I think that yes, but I want it
confirmed by some authority.

Stefan,
you are using "positive logic" (a permit statement), but if the task is to block same traffic in the middle of the week and the middle of the day (i.e. Wednesday,
12:00 - 14:00) your time-range must be complicated.

Thanks
Wojtek

"Scott M. Livingston" <scottl@sprinthosting.net>
Sent by: nobody@groupstudy.com
03-03-08 23:17
Please respond to "Scott M. Livingston"

 
        To: <Wojciech.Gebka@ssk.com.pl>, <ccielab@groupstudy.com>
        cc:
        Subject: RE: Time-range ACL

I would just answer your question, but I am not sure I fully understand
it. Try this url and let us know if you are still having problems.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfip.htm#1002463

thanks,
scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Wojciech.Gebka@ssk.com.pl
Sent: Saturday, March 08, 2003 3:34 PM
To: ccielab@groupstudy.com
Subject: Time-range ACL

Hi, Group

I need confirmation, because nowhere can I find it.

For a time-range ACL:

access-list 100 deny tcp any any eq www time-range Monday

On Monday ACL 100 looks like:
access-list 100 deny tcp any any eq www
access-list 100 deny ip any any (implicit deny)

Every other day:
access-list 100 deny ip any any (implicit deny)

Is it true?

Wojtek
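
Added example, not part of the original thread or of Cisco's documentation: a small Python model of the "strict" access list quoted above, evaluated at different times under the reading given in the thread (an entry whose time-range is inactive is skipped, and the implicit deny still ends the list). The hour-granularity matching and the STRICT_PLUS_PERMIT variant with a trailing "permit ip any any" are assumptions made for this sketch.

```python
from datetime import datetime

WEEKDAYS, WEEKEND = {0, 1, 2, 3, 4}, {5, 6}  # datetime.weekday(): Monday is 0

# time-range definitions from the quoted example: (days, start hour, end hour).
# Hour granularity is a simplification made for this sketch.
TIME_RANGES = {"no-http": (WEEKDAYS, 8, 18), "udp-yes": (WEEKEND, 12, 20)}

# "ip access-list extended strict" as (action, protocol, dst port, time-range)
STRICT = [("deny", "tcp", 80, "no-http"), ("permit", "udp", None, "udp-yes")]

# Hypothetical variant, not on the page: same entries plus a trailing permit
STRICT_PLUS_PERMIT = STRICT + [("permit", "ip", None, None)]


def range_active(name, when):
    """True if the named time-range covers the datetime `when`."""
    days, start, end = TIME_RANGES[name]
    return when.weekday() in days and start <= when.hour < end


def evaluate(acl, proto, dport, when):
    """Return (action, reason) for one packet arriving at `when`."""
    for action, a_proto, a_port, tr in acl:
        if tr is not None and not range_active(tr, when):
            continue  # reading from the thread: an inactive entry is skipped
        if a_proto in ("ip", proto) and a_port in (None, dport):
            suffix = f" time-range {tr}" if tr else ""
            return action, f"{action} {a_proto}{suffix}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample times: a weekday in hours, a weekday night, a Sunday
    times = [datetime(2003, 3, 5, 10), datetime(2003, 3, 5, 22),
             datetime(2003, 3, 9, 13)]
    for name, acl in (("strict", STRICT), ("strict+permit", STRICT_PLUS_PERMIT)):
        for when in times:
            for label, proto, port in (("http", "tcp", 80), ("udp", "udp", 53)):
                action, reason = evaluate(acl, proto, port, when)
                print(f"{name:14} {when:%a %H:%M} {label:5} {action:6} ({reason})")
```

With STRICT, HTTP is denied at every sample time, by the explicit entry during weekday hours and by the implicit deny otherwise; only STRICT_PLUS_PERMIT lets it through outside the no-http range.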


