From: Daniel Cisco Group Study (danielcgs@imc.net.au)
Date: Sat Apr 12 2003 - 19:14:34 GMT-3
Jennifer,
How about an extended ACL?
ip access-list extended MYACL
deny tcp any any eq www time-range RANGE1
deny tcp any any eq ftp time-range RANGE2
permit ip any any
Editing the ACL:
ip access-list extended MYACL
no permit ip any any
permit tcp any any eq bgp
permit ip any any
At least the ACL was not (entirely) removed during the editing operation....
That's the best I can come up with.
Daniel
-----Original Message-----
From: OhioHondo [mailto:ohiohondo@columbus.rr.com]
Sent: Sunday, 13 April 2003 04:48
To: Jennifer Bellucci; ccielab@groupstudy.com
Subject: RE: ACL Time Range with No Extra
Jennifer
If I understand the question I think this is what you mean?
section#1 -- if there can be fewer lines I don't see how
Cisco2610(config)#access-list 101 deny tcp any any eq www ftp time-range RANGE1
Cisco2610(config)#access-list 101 deny udp any any time-range RANGE2
Cisco2610(config)#access-list 101 permit ip any any
for section# 2, insert* the following above the permit statement
Cisco2610(config)#access-list 101 deny tcp any any eq bgp
The only way that I know how to do this is copy the existing ACL to Notepad,
insert the line, delete the ACL from the router and paste the new ACL to the
router. If there is a better way I'm anxious to have it in my toolbox.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Jennifer Bellucci
Sent: Saturday, April 12, 2003 12:56 PM
To: ccielab@groupstudy.com
Subject: ACL Time Range with No Extra
Hi People
I was doing some practice on ACL when I came along a question about filters and using the "as few lines as possible" phrase. Having seen this in the list before, it got me doing something I can't do too often...thinking.

Question is something like...Enable a filter that filters FTP + WEB traffic from 08:00 to 11:59 weekdays and UDP on weekends from 01:00 to 13:00. Use as few lines as possible when creating your filter (denying the traffic mentioned). You should be able to the filter without having to remove first, in the future.

Now say we have network:

R1------R2------R3

R1 is running OSPF and R3 is running EIGRP. R2 is performing red for both and the filter is to be applied on both protocol interfaces of R2. I know the filter is 2 lines, I know that, but if I was to apply the filter it would block the IP updates and such. With no "permit ip any any", I am pretty much lost. So, if I add this, how can I add to the filter later on when everything is permitted by the statement before? What about the routing updates? The same ACL has to be activated on 2 interfaces and for 2 different protocols. I then come to the conclusion that by adding to the filter a specific permit for OSPF and EIGRP, everything is OK. Fine, four lines in the filter: 2 for the traffic, 2 for the protocols (still with me?). With no permit ip any any, not all IP traffic will pass, will it? What about peering for other protocols not mentioned? (Say you assumed you had DLSW also running somewhere and it has to use this link to peer.) I don't think so. So I guess you have to add the line.

If we made the IP line more specific, then we would have to add more than one line, because we don't know what major networks are connected to the EIGRP or OSPF networks.

After a few minutes, you're asked to test your filter, add to filter so that it stops BGP TCP traffic. With a permit ip any any in the ACL, what do I do? Can't remove it, how do I structure it so that I can deny the BGP traffic, but the ACL in the first part must be complete. Normally, if this was a normal lab I could mix the lines and off I go. Then comes the thing that really gets to me, use as few lines as possible. With the question specifying 2 confirmed lines and a third in part 2 of the question, how many lines do I need then? Will my filter allow normal required operation at the same time?

Maybe I am looking too deep into the question, or I created a question that is simply not possible? I don't know.

This is where you come in...help me find a solution. Pretty please with a cherry on top.

Thanks
Jennifer Bellucci
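The following is an added IOS configuration example, not posted by anyone in this thread, that pulls the pieces of the discussion together: the two time ranges behind RANGE1 and RANGE2 (which no message actually defines), the named extended ACL from Daniel's reply with explicit permits for the OSPF and EIGRP adjacencies through R2, and the later BGP deny inserted without removing the ACL. The interface names are assumed, and the sequence-number lines assume IOS 12.3 or later (IP access list entry sequence numbering); on older IOS the trailing permit has to be removed and re-added as Daniel shows.

```cisco
! Time ranges for the two deny windows in the question.
! RANGE1/RANGE2 are the names used in the thread; the hours are the
! ones quoted (weekdays 08:00-11:59, weekends 01:00-13:00).
time-range RANGE1
 periodic weekdays 8:00 to 11:59
time-range RANGE2
 periodic weekend 1:00 to 13:00
!
! Named extended ACL. A single deny line covers both TCP ports.
! The OSPF/EIGRP permits keep R2's adjacencies up on both sides; the
! catch-all permit keeps other peering (DLSw and so on) working, so only
! the deny lines actually filter anything.
ip access-list extended MYACL
 10 deny tcp any any eq www ftp time-range RANGE1
 20 deny udp any any time-range RANGE2
 30 permit ospf any any
 40 permit eigrp any any
 100 permit ip any any
!
! Assumed interface names: the two R2 interfaces facing R1 and R3.
interface Serial0/0
 ip access-group MYACL in
interface Serial0/1
 ip access-group MYACL in
!
! Part 2 of the question: block BGP later without touching the rest.
! With sequence numbers (IOS 12.3+, assumed) the new entry slots in
! ahead of the catch-all permit. Note that "eq bgp" after the destination
! matches only packets addressed to TCP 179; to drop the other direction
! of a session as well, a matching "deny tcp any eq bgp any" is needed.
ip access-list extended MYACL
 50 deny tcp any any eq bgp
```

Because the ACL is applied inbound on both R2 interfaces, the same five entries (six after the BGP change) serve both the OSPF and the EIGRP side, and the deny lines only take effect while their time range is active; outside those windows the packet falls through to the catch-all permit.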
This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:51 GMT-3