Using Time-Based Access-Lists

Problem

You want to filter application data based on the time of day.

Solution

To filter application data based on the time of day, use the following commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#time-range NOSURF
Router1(config-time-range)# periodic weekdays 9:00 to 17:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)# deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group NOSURFING in 
Router1(config-if)#end
Router1#

This feature relies on an accurate system clock to function properly. It is highly recommended that you use NTP to synchronize the router's clock. See Chapter 14 for more information regarding NTP.

 

Discussion

Timed-based access-lists allow you to filter application data based on the time of day. In our example, we've built an access-list that denies HTTP traffic during the work hours, Monday to Friday, from 9:00 to 17:00. Timed-based access-lists also allows control over other router features, based on the time of day, such as policy-based routing, CAR statements, ACL logging, on-demand link activation, or security policies, to name a few.

To configure a timed-based access-list, you must first configure a time-range:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#time-range MONDAYONLY
Router2(config-time-range)#periodic monday 9:00 to 17:00
Router2(config-time-range)#end
Router2#

In this example, we've named the time-range MONDAYONLY, and assigned it a time range from Monday at 9:00 to 17:00. The periodic keyword is one way to define a time range. The other method is assign an absolute time by using the absolute keyword. Using the absolute method assigns a specific date in time to begin. The following is an example of a time range that uses the absolute keyword:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#time-range SAMPLE 
Router2(config-time-range)#absolute start 9:00 1 October 2006 end 18:00 31 December 2006
Router2(config-time-range)#end  
Router2#

Notice that we have set an exact date and time to start and end on using the absolute keyword. In this example, the start time is 9:00 on October 1, 2006, and the end time is 18:00 on December 31, 2006.

You can combine periodic and absolute statements within a single time range; however, keep in mind that the absolute statements are given priority:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#time-range SAMPLE 
Router2(config-time-range)#absolute start 9:00 1 October 2006 end 18:00 31 December 2006
Router2(config-time-range)#periodic monday 9:00 to 17:00
Router2(config-time-range)#end
Router2#

Notice in this example that we've included a periodic and absolute statement within the same time range. In this case, the periodic statement is ignored until the absolute start time is reached, and then each Monday the time range will become active. The same holds true for the absolute end time. Once we reach the absolute end time of 18:00 on December 31, then the periodic statements will again be ignored.

You can configure multiple periodic statements within a time range but only one absolute statement.

Once you configure the time range, then you can assign it to an ACL entry:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)# deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)#end
Router1#

Notice that we've assigned the time range NOSURF to the first ACL entry. This ACL entry will become active when the time range becomes TRue. Once active, the ACL entry acts like a normal entry, and will start denying traffic that matches its criteria. In this case, during work hours, our ACL will deny all HTTP traffic.

If we look at the timed access-list during the evening hours, we will see the timed ACL entry is inactive:

Router1#show clock
20:10:50.985 EDT Tue Aug 22 2006
Router1#
Router1#show ip access-list
Extended IP access list NOSURFING
 10 deny tcp any any eq www time-range NOSURF (inactive)
 20 permit ip any any
Router1#

During this period, the timed ACL entry is marked inactive and HTTP-based traffic is allowed to pass. During normal workday hours, however, the timed ACL entry is changed to active and HTTP traffic is now blocked:

Router1#show clock
09:39:22.279 EDT Wed Aug 23 2006
Router1#
Router1#show ip access-list
Extended IP access list NOSURFING
 10 deny tcp any any eq www time-range NOSURF (active)
 20 permit ip any any
Router1#

You can also construct more complicated examples where different lines in the same ACL have different time-range rules. In the following example, we have defined two time ranges: one is called NOSURF, and is valid every day between 9:00 AM and 5:00 PM; the other is NOTELNET, and is valid between 5:00 PM and 9:00 AM:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#time-range NOSURF
Router(config-time-range)# periodic weekdays 9:00 to 17:00
Router1(config-time-range #exit
Router1(config)#time-range NOTELNET
Router1(config-time-range)# periodic weekdays 17:00 to 9:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)# deny tcp any any eq www time-range
NOSURF
Router1(config-ext-nacl)# deny tcp any any eq telnet time-range
NOTELNET
Router1(config-ext-nacl)# permit ip any any
Router1(config-ext-nacl)#end
Router1#

Then, when you look at this ACL with the show ip accesslist command, the output shows which timed lines are currently being used (active) and which are not (inactive):

Router1#show ip access-list NOSURFING
Extended IP access list NOSURFING
 10 deny tcp any any eq www time-range NOSURF (inactive)
 20 deny tcp any any eq telnet time-range NOTELNET (active)
 20 permit ip any any
Router1#

 

See Also

Chapter 14





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net