Security

Time-based ACLs

Tony Mattke · 2011.04.25 · 2 min read

Ever since Cisco released IOS 12.0.1T we’ve had the ability to broaden the reach of the extended ACL to allow the influence of time. Time-based ACLs reference a time range that is identified by a name, during that time the ACL is in effect. The time range relies on the router system clock. While router clock can be used, everything works better when using Network Time Protocol (NTP) synchronization.

Lets say company XYZ has realized that many of its employees are surfing the web during the day. They’ve asked you to block all web access during work hours. Simple enough, right? First we’ll define XYZ work hours within a time range. These are Monday – Friday 8:00am to 5:00pm. Next, we have to define the ACL that we’ll apply on our interface.

text
time-range XYZ-WORK-HOURS
  periodic weekdays 8:00 to 17:00
!
ip access-list extend DENY-WEB
  deny tcp any any eq www time-range WORK-HOURS
  permit ip any any

The morning after you make this change, the CEO of XYZ calls you in a panic. Apparently his company depends on an external web app… He now wants you to allow traffic to this server at 198.19.2.5 during work hours only. When configuring this condition we need to be careful — forgetting to add the deny statement shown in bold below will cause undesired results due to the explicit permit any at the end of the ACL.

text
ip access-list extend DENY-WEB
  permit tcp any host 198.19.2.5 eq www time-range WORK-HOURS
  deny tcp any host 198.19.2.5 eq www
  deny tcp any any eq www time-range WORK-HOURS
  permit ip any any

Now, lets move outside the realm of a simple ACL. Lets say you wanted to apply QoS to some traffic, but only during a specified time. Lets say, FTP traffic from 2:00am – 4:00am daily. Lucky for you you can apply a time-range to an ACL used in a class-map!

text
time-range EARLY-AM
 periodic daily 2:00 to 4:00
!
ip access-list extended BACKUP-TRAFFIC
  permit tcp any any eq ftp time-range EARLY-AM
!
class-map match-all BACKUP-TRAFFIC
  match access-group name BACKUP-TRAFFIC
!
policy-map XYZ-remark
  class BACKUP-TRAFFIC
    set dscp af11
  ...
More in Security
Tags :
comments powered by Disqus

Related Posts

2011.02.01 Switching 4 min read

Nexus Virtual Port Channel (vPC)

The Nexus 7000 and 5000 series have taken port-channel functionality to the next level by enabling port-channels to exist between links that are connected to different devices.

2011.09.06 Security 8 min read

Best Practices and Securing Cisco IOS

Everyone has different views on hardening IOS, and while I do not claim to be an expert, these are the practices that I commonly use when bringing up a new device.

2014.10.13 Design & Architecture 3 min read

Network Design — Keeping it simple

Since the dawn of time people have skirted best practice and banged together networks, putting the proverbial square peg in the esoteric round hole.