From: ccie2be (ccie2be@nyc.rr.com)
Date: Sun May 29 2005 - 15:37:55 GMT-3
Chad,
Not that long ago, I also looked into this issue.
Here's what you need to understand about time ranges and acls.
When a time-range is inactive, it's as if that entry in the acl doesn't
exist. However, the acl itself does exist even if that time range based
entry is the only entry in the acl which means that you're implicitly
denying everything when the time range is inactive.
IOW, an acl with 1 explicit entry with an inactive time-range is exactly
like having this acl: access-list 100 deny any any
Stated differently, if an acl entry denies when the time range is active,
the acl entry does NOT permit when the time range is inactive. Instead,
pkts are compared to the next entry in the acl as usual. If there is no
next entry, then the pkt is compared to the implicit deny any any.
HTH, Tim
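As an added illustration (not part of the thread), here is a small Python model of the first-match, time-range-gated evaluation Tim describes, run against Chad's access-list 103 with and without a trailing permit ip any any. The weekday-only 08:00-18:00 period is assumed from Chad's description, and the model only looks at protocol and destination port.

```python
"""Constructed model of IOS ACL first-match evaluation with time-range gated entries."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass
class TimeRange:
    """Models 'periodic weekdays HH:MM to HH:MM' (assumed for the no-http range)."""
    start: time
    end: time

    def is_active(self, now: datetime) -> bool:
        return now.weekday() < 5 and self.start <= now.time() < self.end


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any protocol
    dst_port: Optional[int] = None   # "eq <port>"; None means any port
    time_range: Optional[TimeRange] = None


def evaluate(acl: list[Ace], proto: str, dst_port: int, now: datetime) -> str:
    for ace in acl:
        # An entry whose time-range is inactive is skipped as if it were not in the ACL
        if ace.time_range and not ace.time_range.is_active(now):
            continue
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action           # first matching entry decides
    return "deny"                   # implicit deny at the end of every IOS ACL


NO_HTTP = TimeRange(time(8, 0), time(18, 0))
# access-list 103 deny tcp any any eq www time-range no-http  (the single entry from the question)
ACL_103 = [Ace("deny", "tcp", 80, NO_HTTP)]
# The same ACL followed by an explicit "permit ip any any"
ACL_103_FIXED = ACL_103 + [Ace("permit", "ip")]

WEEKDAY_NOON = datetime(2005, 5, 27, 12, 0)    # Friday: time-range active
SATURDAY_NOON = datetime(2005, 5, 28, 12, 0)   # Saturday: time-range inactive

if __name__ == "__main__":
    for name, acl in (("acl 103", ACL_103), ("acl 103 + permit ip any any", ACL_103_FIXED)):
        for label, now in (("weekday", WEEKDAY_NOON), ("weekend", SATURDAY_NOON)):
            print(f"{name:28} {label}: http -> {evaluate(acl, 'tcp', 80, now)}, "
                  f"icmp -> {evaluate(acl, 'icmp', 0, now)}")
```

With only the time-range entry, every packet is dropped on the weekend too, because the inactive entry disappears and the implicit deny is all that remains; the trailing permit is what makes the ACL pass traffic outside the range.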
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Chad Hintz
Sent: Sunday, May 29, 2005 2:07 PM
To: ccie lab
Subject: Clarification on time range acl
Hi all,
My lab setup for this scenario is bb1-ethernet-r1-frame-r2-e0/0(189.18.23.2).
If I want to not allow http traffic outbound of r1 during the weekdays
between 8am and 6pm (from Cisco's example on the DocCD):
1.) I created a time-range no-http for 08:00 to 18:00
2.) created an acl - access-list 103 deny tcp any any eq www time-range no-http
3.) applied it outbound on r1's fa0/0 - ip access-group 103 out
I see that it is active when I look at the sh ip access-list output and I
cannot telnet on port 80 (sourced from the correct interface on bb1). When I
change the clock in r1 to be a weekend day the state changes to inactive, but
I still cannot telnet on port 80.
So my question is do I have to have a permit for each deny after the time
range acl?
I put a permit tcp any any eq www and when the time-range acl is inactive I
still cannot telnet on port 80 to 189.18.23.2 from bb1. Only when I unapply
the acl am I allowed to telnet on port 80.
I guess I am confused about the whole concept. I thought that with it being
inactive I should be able to use http and any other protocol, and during
active I would not be able to use http or any other protocol unless I
permitted it lower in the acl.
Thanks in advance,
Chad
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3