Time-based ACLs

Time-based ACLs

Ever since Cisco released IOS 12.0.1T we’ve had the ability to broaden the reach of the extended ACL to allow the influence of time. Time-based ACLs reference a time range that is identified by a name, during that time the ACL is in effect. The time range relies on the router system clock. While router clock can be used, everything works better when using Network Time Protocol (NTP) synchronization.

Lets say company XYZ has realized that many of its employees are surfing the web during the day. They’ve asked you to block all web access during work hours. Simple enough, right? First we’ll define XYZ work hours within a time range. These are Monday – Friday 8:00am to 5:00pm. Next, we have to define the ACL that we’ll apply on our interface.

time-range XYZ-WORK-HOURS
  periodic weekdays 8:00 to 17:00
!
ip access-list extend DENY-WEB
  deny tcp any any eq www time-range WORK-HOURS
  permit ip any any

The morning after you make this change, the CEO of XYZ calls you in a panic. Apparently his company depends on an external web app… He now wants you to allow traffic to this server at 198.19.2.5 during work hours only. When configuring this condition we need to be careful — forgetting to add the deny statement shown in bold below will cause undesired results due to the explicit permit any at the end of the ACL.

ip access-list extend DENY-WEB
  permit tcp any host 198.19.2.5 eq www time-range WORK-HOURS
  deny tcp any host 198.19.2.5 eq www
  deny tcp any any eq www time-range WORK-HOURS
  permit ip any any

Now, lets move outside the realm of a simple ACL. Lets say you wanted to apply QoS to some traffic, but only during a specified time. Lets say, FTP traffic from 2:00am – 4:00am daily. Lucky for you you can apply a time-range to an ACL used in a class-map!

time-range EARLY-AM
 periodic daily 2:00 to 4:00 
!
ip access-list extended BACKUP-TRAFFIC
  permit tcp any any eq ftp time-range EARLY-AM
!
class-map match-all BACKUP-TRAFFIC
  match access-group name BACKUP-TRAFFIC
!
policy-map XYZ-remark
  class BACKUP-TRAFFIC
    set dscp af11
  ...
Tags :
comments powered by Disqus

Related Posts

Route Selection

Route Selection

One of the most common questions I get concerns path selection within the router. Everyone knows (or at least they should know) that a more specific prefix will be preferred, but …

Read More
Running JunOS under VMWare (updated – again!)

Running JunOS under VMWare (updated – again!)

Interested in trying out JunOS? Can’t afford to build a real Juniper lab? Sounds like you need some Olives. No, we’re not talking about the green fruit commonly seen in a martini …

Read More
RouterJockey is launching a clothing line?!?!???

RouterJockey is launching a clothing line?!?!???

Ok maybe that title is a bit grandiose… But due to the great response I received Friday morning from the launch of the original PCAP shirt, and the IPv6 follow-up, I decided to …

Read More