From: Jonathan V Hays (jhays@jtan.com)
Date: Tue Nov 25 2003 - 13:51:31 GMT-3
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Tony Singh (A)
Sent: Tuesday, November 25, 2003 11:26 AM
To: ccielab@groupstudy.com
Subject: Time-based ACLs
Hi all
Can someone please clarify for me the following:
The following example denies HTTP traffic on Monday through Friday
from 8:00 a.m. to 6:00 p.m. on IP. The example allows UDP traffic on
Saturday and Sunday from noon to 8:00 p.m. only.
time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit udp any any time-range udp-yes
!
interface ethernet 0
 ip access-group strict in
My question is:
According to this example, HTTP is denied at that specific time,
but UDP traffic is denied at those specific times. What about the rest
of the IP traffic? Will it all be denied, as there is a deny any at
the end of every ACL? In every example that I looked up on Cisco's
site there is no mention of the rest of the traffic. Is there a reason
for this, or am I missing something?
Please help.
Anesh Singh (A)
SinghA1@telkom.co.za
===========
Yes, there is always an implied 'deny any' at the end. With a time-based
ACL it's usually a good idea to add a non-time-based entry for the same
traffic, since the time-based line in the ACL is only in effect during
the configured time range, and completely ignored otherwise.
Below I've modified your ACL so that HTTP is denied during your time
range and permitted outside the time range.
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit tcp any any eq http
HTH,
Jonathan
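The two rules Jonathan's answer rests on (an entry carrying a time-range is ignored while that range is inactive, and whatever matches nothing hits the implicit deny at the end) are easy to check with a small model rather than on a router. The following is an added example written for this archive, not IOS code and not something either poster supplied: it parses the `time-range` and `ip access-list extended` lines from the thread and applies first-match evaluation to a packet at a chosen moment. It assumes both ends of a `periodic ... HH:MM to HH:MM` window are inclusive, knows only the handful of port keywords it needs, and only handles the `any any` source/destination form used above; the test dates (24 and 29 November 2003) are constructed, chosen because they fall on a Monday and a Saturday.

```python
"""Toy model of Cisco IOS time-based extended ACL evaluation (added example,
not IOS code): first-match, time-range entries skipped while inactive,
implicit deny at the end of the list."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# isoweekday(): Monday=1 ... Sunday=7
PERIODIC_DAYS = {
    "daily": {1, 2, 3, 4, 5, 6, 7},
    "weekdays": {1, 2, 3, 4, 5},
    "weekend": {6, 7},
}
# Port keywords this example understands (assumed subset of IOS names)
PORT_NAMES = {"http": 80, "www": 80, "domain": 53}


@dataclass
class TimeRange:
    name: str
    days: set
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        # Assumption: both ends of 'HH:MM to HH:MM' are inclusive.
        return when.isoweekday() in self.days and self.start <= when.time() <= self.end


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    dst_port: Optional[int]   # None = any destination port
    time_range: Optional[str] # None = entry always in effect


@dataclass
class Packet:
    proto: str
    dst_port: int


def _hhmm(text: str) -> time:
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def parse_config(text: str):
    """Parse time-range blocks and extended ACL entries of the 'any any' form."""
    ranges, acl, block = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "time-range":                      # time-range NAME
            block = TimeRange(tok[1], set(), time(0, 0), time(0, 0))
            ranges[tok[1]] = block
        elif tok[0] == "periodic":                      # periodic DAYS HH:MM to HH:MM
            block.days = PERIODIC_DAYS[tok[1]]
            block.start, block.end = _hhmm(tok[2]), _hhmm(tok[4])
        elif tok[0] in ("permit", "deny"):              # ACTION PROTO any any [eq P] [time-range N]
            port = None
            if "eq" in tok:
                p = tok[tok.index("eq") + 1]
                port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
            tr = tok[tok.index("time-range") + 1] if "time-range" in tok else None
            acl.append(AclEntry(tok[0], tok[1], port, tr))
    return ranges, acl


def evaluate(acl, ranges, pkt: Packet, when: datetime) -> str:
    """First-match evaluation at the given moment. An entry with a time-range
    is skipped entirely while the range is inactive; a packet matching no
    entry hits the implicit deny."""
    for e in acl:
        if e.time_range and not ranges[e.time_range].active(when):
            continue
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny (implicit)"


def decide(config: str, proto: str, dst_port: int, when: str) -> str:
    """Verdict for one packet; `when` is 'YYYY-MM-DD HH:MM'."""
    ranges, acl = parse_config(config)
    return evaluate(acl, ranges, Packet(proto, dst_port), datetime.fromisoformat(when))


TIME_RANGES = """
time-range no-http
 periodic weekdays 8:00 to 18:00
!
time-range udp-yes
 periodic weekend 12:00 to 20:00
!
"""
# Anesh's ACL as posted
ORIGINAL = TIME_RANGES + """
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit udp any any time-range udp-yes
"""
# Jonathan's modified ACL as posted
FIXED = TIME_RANGES + """
ip access-list extended strict
 deny tcp any any eq http time-range no-http
 permit tcp any any eq http
"""

if __name__ == "__main__":
    # Constructed sample moments: Mon 2003-11-24, Sat 2003-11-29
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        for when in ("2003-11-24 10:00", "2003-11-24 20:00", "2003-11-29 13:00"):
            print(label, when, "tcp/80:", decide(cfg, "tcp", 80, when),
                  "udp/53:", decide(cfg, "udp", 53, when))
```

Running it shows the point of the thread: with the original ACL, HTTP on a Monday evening is not "allowed because the deny is off", it is dropped by the implicit deny because nothing else matches, and the same happens to UDP on a weekday. Jonathan's extra non-time-based `permit` is what turns the time-range into a true toggle for HTTP; any other traffic still needs its own explicit permit.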
This archive was generated by hypermail 2.1.4 : Fri Dec 12 2003 - 12:29:17 GMT-3