Using Time-Based Access-Lists

Problem

You want to filter application data based on the time of day.

Solution

To filter application data based on the time of day, use the following commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#time-range NOSURF
Router1(config-time-range)#periodic weekdays 9:00 to 17:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)#deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#exit
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip access-group NOSURFING in
Router1(config-if)#end
Router1#

This feature relies on an accurate system clock to function properly. It is highly recommended that you use NTP to synchronize the router's clock, and that you authenticate the NTP association, since whoever controls the router's time also controls when these ACL entries apply. Because a time range is compared against the router's local time, the clock timezone and clock summer-time settings must be correct as well; otherwise an entry meant to deny traffic during business hours will switch on and off at the wrong hours. See Chapter 14 for more information regarding NTP.


Discussion

Time-based access lists allow you to filter application data based on the time of day. In our example, we've built an access list that denies HTTP traffic during work hours, Monday to Friday, from 9:00 to 17:00. Time ranges also let you control other router features based on the time of day, such as policy-based routing, CAR statements, ACL logging, on-demand link activation, or security policies, to name a few.

To configure a time-based access list, you must first configure a time range:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#time-range MONDAYONLY
Router2(config-time-range)#periodic monday 9:00 to 17:00
Router2(config-time-range)#end
Router2#

In this example, we've named the time range MONDAYONLY and assigned it a window from 9:00 to 17:00 on Mondays. The periodic keyword is one way to define a time range. The other method is to assign an absolute time by using the absolute keyword, which sets a specific date and time at which the range begins (and, optionally, ends). The following is an example of a time range that uses the absolute keyword:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#time-range SAMPLE
Router2(config-time-range)#absolute start 9:00 1 October 2006 end 18:00 31 December 2006
Router2(config-time-range)#end
Router2#

Notice that we have set an exact date and time to start and end on using the absolute keyword. In this example, the start time is 9:00 on October 1, 2006, and the end time is 18:00 on December 31, 2006.

You can combine periodic and absolute statements within a single time range; however, keep in mind that the absolute statement is evaluated first and bounds the periodic statements:

Router2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router2(config)#time-range SAMPLE
Router2(config-time-range)#absolute start 9:00 1 October 2006 end 18:00 31 December 2006
Router2(config-time-range)#periodic monday 9:00 to 17:00
Router2(config-time-range)#end
Router2#

Notice in this example that we've included a periodic and an absolute statement within the same time range. In this case, the periodic statement is ignored until the absolute start time is reached; from then on, the time range becomes active each Monday between 9:00 and 17:00. The same holds true for the absolute end time: once we reach 18:00 on December 31, the periodic statement is again ignored.

You can configure multiple periodic statements within a time range but only one absolute statement.

Once you configure the time range, then you can assign it to an ACL entry:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)#deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#end
Router1#

Notice that we've assigned the time range NOSURF to the first ACL entry. This ACL entry becomes active when the time range is true. Once active, the entry acts like a normal entry and denies traffic that matches its criteria; while the time range is false, the entry is skipped and matching packets fall through to the entries that follow it, in this case permit ip any any. During work hours, therefore, our ACL denies all HTTP traffic. Note that eq www matches only TCP destination port 80, so HTTPS (port 443) and web servers on non-standard ports are not affected by this entry.

If we look at the time-based access list during the evening hours, we will see that the timed ACL entry is inactive:

Router1#show clock
20:10:50.985 EDT Tue Aug 22 2006
Router1#show ip access-list
Extended IP access list NOSURFING
    10 deny tcp any any eq www time-range NOSURF (inactive)
    20 permit ip any any
Router1#

During this period, the timed ACL entry is marked inactive and HTTP traffic is allowed to pass. During normal workday hours, however, the timed ACL entry changes to active and HTTP traffic is blocked:

Router1#show clock
09:39:22.279 EDT Wed Aug 23 2006
Router1#show ip access-list
Extended IP access list NOSURFING
    10 deny tcp any any eq www time-range NOSURF (active)
    20 permit ip any any
Router1#

You can also construct more complicated examples where different lines in the same ACL have different time-range rules. In the following example, we have defined two time ranges: one is called NOSURF and is valid on weekdays between 9:00 AM and 5:00 PM; the other is NOTELNET and is valid on weekdays between 5:00 PM and 9:00 AM:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#time-range NOSURF
Router1(config-time-range)#periodic weekdays 9:00 to 17:00
Router1(config-time-range)#exit
Router1(config)#time-range NOTELNET
Router1(config-time-range)#periodic weekdays 17:00 to 9:00
Router1(config-time-range)#exit
Router1(config)#ip access-list extended NOSURFING
Router1(config-ext-nacl)#deny tcp any any eq www time-range NOSURF
Router1(config-ext-nacl)#deny tcp any any eq telnet time-range NOTELNET
Router1(config-ext-nacl)#permit ip any any
Router1(config-ext-nacl)#end
Router1#

Then, when you look at this ACL with the show ip access-list command, the output shows which timed lines are currently in effect (active) and which are not (inactive):

Router1#show ip access-list NOSURFING
Extended IP access list NOSURFING
    10 deny tcp any any eq www time-range NOSURF (inactive)
    20 deny tcp any any eq telnet time-range NOTELNET (active)
    30 permit ip any any
Router1#
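The two rules worth internalizing here, that an absolute statement bounds the periodic statements of the same time range, and that an inactive timed entry is simply skipped during ACL evaluation, can be modelled outside the router. The following Python is an added illustration written for this page; it is not IOS code and not from the book. It mirrors the rules stated above for the SAMPLE, NOSURF and NOTELNET ranges and the NOSURFING list. Three things in it are assumptions made for the example: a periodic window whose end time is earlier than its start (NOTELNET's 17:00 to 9:00) is treated as running into the following day, times are compared to the minute, and the clock() helper that parses show clock style timestamps is invented for convenience.

```python
# Model of how IOS evaluates time-range statements and marks timed ACL entries
# (active) or (inactive). Added illustration for this page, not IOS code.
# Assumptions: a periodic window whose end is earlier than its start
# (17:00 to 9:00) runs into the following day, and times compare to the minute.
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Optional

# IOS day-of-week keywords mapped to Python weekday numbers (Monday=0 .. Sunday=6)
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
}

def clock(text: str) -> datetime:
    """Parse a timestamp written like 'show clock' prints it: '20:10 Tue Aug 22 2006'."""
    return datetime.strptime(text, "%H:%M %a %b %d %Y")

@dataclass
class Periodic:
    """One 'periodic <days> hh:mm to hh:mm' statement."""
    days: str
    start: time
    end: time

    def matches(self, now: datetime) -> bool:
        days = DAY_KEYWORDS[self.days]
        t = now.time().replace(second=0, microsecond=0)
        if self.start <= self.end:  # window lies within one calendar day
            return now.weekday() in days and self.start <= t <= self.end
        # wrap-around window (assumption): it starts on a listed day, and the
        # part after midnight still belongs to that start day
        if now.weekday() in days and t >= self.start:
            return True
        return (now - timedelta(days=1)).weekday() in days and t <= self.end

@dataclass
class TimeRange:
    """A 'time-range NAME': at most one absolute statement, any number of periodic ones."""
    name: str
    periodic: list = field(default_factory=list)
    absolute_start: Optional[datetime] = None
    absolute_end: Optional[datetime] = None

    def is_active(self, now: datetime) -> bool:
        # The absolute statement is checked first; outside its window the
        # periodic statements are ignored, as with the SAMPLE range above.
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now > self.absolute_end:
            return False
        if not self.periodic:
            return True  # absolute-only range: active for the whole window
        return any(p.matches(now) for p in self.periodic)

@dataclass
class AclEntry:
    seq: int
    action: str           # "deny" or "permit"
    proto: str            # "tcp", "udp" or "ip"
    dport: Optional[int]  # None = any destination port
    time_range: Optional[TimeRange] = None

    def is_active(self, now: datetime) -> bool:
        return self.time_range is None or self.time_range.is_active(now)

def show_ip_access_list(name: str, entries: list, now: datetime) -> str:
    """Render the list the way 'show ip access-list' marks timed entries."""
    out = [f"Extended IP access list {name}"]
    for e in entries:
        port = f" eq {e.dport}" if e.dport is not None else ""
        line = f"    {e.seq} {e.action} {e.proto} any any{port}"
        if e.time_range is not None:
            state = "active" if e.is_active(now) else "inactive"
            line += f" time-range {e.time_range.name} ({state})"
        out.append(line)
    return "\n".join(out)

def lookup(entries: list, now: datetime, proto: str, dport: int) -> str:
    """First-match evaluation: inactive timed entries are skipped entirely,
    so traffic they would have denied falls through to the entries below them."""
    for e in entries:
        if not e.is_active(now) or e.proto not in (proto, "ip"):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # the implicit deny at the end of every IOS access list

# The ranges and NOSURFING list from the two-range example above, plus the
# SAMPLE range that mixes an absolute and a periodic statement
NOSURF = TimeRange("NOSURF", [Periodic("weekdays", time(9, 0), time(17, 0))])
NOTELNET = TimeRange("NOTELNET", [Periodic("weekdays", time(17, 0), time(9, 0))])
SAMPLE = TimeRange("SAMPLE", [Periodic("monday", time(9, 0), time(17, 0))],
                   absolute_start=datetime(2006, 10, 1, 9, 0),
                   absolute_end=datetime(2006, 12, 31, 18, 0))
NOSURFING = [AclEntry(10, "deny", "tcp", 80, NOSURF),
             AclEntry(20, "deny", "tcp", 23, NOTELNET),
             AclEntry(30, "permit", "ip", None)]

if __name__ == "__main__":
    for now in (clock("20:10 Tue Aug 22 2006"), clock("09:39 Wed Aug 23 2006")):
        print(now.strftime("%H:%M %a %b %d %Y"))
        print(show_ip_access_list("NOSURFING", NOSURFING, now))
        print("HTTP:", lookup(NOSURFING, now, "tcp", 80), " Telnet:", lookup(NOSURFING, now, "tcp", 23))
```

Run as a script it prints the NOSURFING list at the two clock readings shown earlier, with NOSURF inactive on Tuesday evening and active on Wednesday morning. The lookup function makes the practical consequence explicit: while NOSURF is inactive an HTTP packet never touches line 10 and is permitted by line 30, and because the match is eq www only, HTTP on other ports and HTTPS are permitted at every hour. Every comparison uses the clock you pass in; on the router that is the local time after the clock timezone and summer-time adjustments, which is why those settings matter as much as NTP.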


See Also

Chapter 14
