4 Replies Latest reply: Mar 21, 2012 3:33 AM by Cristian

    Time based ACLs

    ericleahy - CCIE#46696

      Hi guys,


      This is a nice quick one, which I think I already know the answer to. How many time-range ACLs can be applied to the same access list, to the same host, in the same traffic direction? Example:


      time-range UPDATES_DECEMBER_15
      absolute start 12:00 15 December 2012 end 14:00 15 December 2012

      time-range UPDATES_DECEMBER_22
      absolute start 12:00 22 December 2012 end 14:00 22 December 2012

      access-list MATCH-WEB-TRAFFFIC extended deny tcp host <update-server-ip> any eq www time-range UPDATES_DECEMBER_15
      access-list MATCH-WEB-TRAFFFIC extended deny tcp host <update-server-ip> any eq www time-range UPDATES_DECEMBER_22


      My feeling after many hours of testing is you can only have one?


      Thanks guys



        • 1. Re: Time based ACLs
          Fabio - FW specialist

          yes, just one


          try with

          time-range XXXXX
             periodic xxx xxxx xxxx




          • 2. Re: Time based ACLs
            ericleahy - CCIE#46696

            Hi Fabio,


            Yeah, I was thinking that you could only have one time-range per ACL. Now my understanding of how a time-range group works is: the absolute command string means any time between the start and end time, activate the ACL. So the periodic command string will match anything within this time frame, weekday or weekend, and activate the ACL the time-range is configured with.


            Now if I was to use the absolute along with the periodic command string within the same time-range group, the absolute must match first before the periodic would be referenced by the firewall. So maybe you can answer me this then: if I use the following time-range syntax,


            time-range UPDATES
            absolute start 12:00 15 January 2012 end 14:00 22 December 2012
            periodic wednesday 12:00 to 14:00

            access-list MATCH-WEB-TRAFFFIC extended deny tcp host <update-server-ip> any eq www time-range UPDATES


            would this mean that the time range for the ACL to be active would be every Wednesday between 12:00 and 14:00 from January 15th to December 22nd? Or does the absolute command override the periodic command, so the ACL is active from 12:00 on January 15th to 14:00 on December 22nd?


            Thanks for the help



            • 3. Re: Time based ACLs

              Interesting kind of doubt!


              Copying exactly from the "Time-Based Access Lists using time ranges" document, consider that:

              If a time-range command has both absolute and periodic values specified, then the periodic items
              are evaluated only after the absolute start time is reached, and are not further evaluated after the
              absolute end time is reached.




              I am then pretty sure that the periodic time range validity occurs inside the absolute time range validity, in a logical AND fashion. To be clear:



              ABSOLUTE:     START                                                          END
              PERIODIC:                  |--------|      |---------|      |---------|     |---------|
              RESULTS:                   |--------|      |---------|      |---------|     |---------|

              Do you agree?



              Doc link:   http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.pdf





              • 4. Re: Time based ACLs
                ericleahy - CCIE#46696

                Just a quick update. I have tested my question from above and have found out the following:


                The absolute syntax does not override the periodic time. For my test I used the following commands:


                time-range TEST
                absolute start 09:55 21 March 2012 end 10:30 21 March 2012
                periodic Wednesday 10:00 to 10:10

                access-list inside_in extended permit ip any any time-range TEST


                So I tried to connect out to the internet at 09:56 with no success. I then tried to connect again to the internet at 10:01 with success. I once again tried to connect at 10:11 with no success. So this has shown me that the periodic time syntax is used once it falls between the times outlined in the absolute syntax.


                So I think I might as well just use a time-range that will only use a periodic time. My need is to only allow my Windows update server to reach the internet on the day after new updates are released. It would be nice, though, if you could use multiple time-ranges within an ACL for the same host; it would make my life a lot easier.


                Also, I have the FIREWALL study book and it did not say I could not have multiple time-ranges within the same ACL for the same host. It would be nice if it did; it would have saved me a couple of hours of pain.


                Thanks for the input Fabio
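The thread settles two points: an ACE accepts one time-range, and inside a time-range the periodic statements are evaluated only while the absolute window is open (a logical AND, as reply 3 draws it and reply 4 confirms with the 09:56 / 10:01 / 10:11 tests). The following Python evaluator is an added illustration written for this page, not Cisco code and not the poster's: it parses the time-range lines quoted in the thread and reports whether the ACE would be active at a given timestamp. It assumes a periodic window ends on the same day it starts and that both boundaries are inclusive to the minute; the parsing is deliberately limited to the syntax that appears above. The timestamps in the demo are constructed from reply 4 (21 March 2012 is a Wednesday).

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional

# Day tokens accepted by the periodic statement, mapped to Python weekday numbers (Monday = 0).
DAY_NAMES = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": {0, 1, 2, 3, 4, 5, 6},
}


@dataclass
class Periodic:
    days: frozenset
    start: time
    end: time  # assumption: same day as start, inclusive to the minute

    def matches(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass
class TimeRange:
    name: str
    abs_start: Optional[datetime] = None   # absolute window, open-ended if a side is omitted
    abs_end: Optional[datetime] = None
    periodic: List[Periodic] = field(default_factory=list)

    def is_active(self, when: datetime) -> bool:
        """Absolute window AND (any periodic entry); no periodic entries means the whole window."""
        if self.abs_start is not None and when < self.abs_start:
            return False
        if self.abs_end is not None and when > self.abs_end:
            return False
        if not self.periodic:
            return True
        return any(p.matches(when) for p in self.periodic)


def _parse_abs_time(tokens: List[str]) -> datetime:
    # tokens look like ["09:55", "21", "March", "2012"]
    return datetime.strptime(" ".join(tokens), "%H:%M %d %B %Y")


def parse_time_range(config: str) -> TimeRange:
    """Parse one 'time-range' block with its absolute/periodic lines (thread syntax only)."""
    tr: Optional[TimeRange] = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        kw = words[0].lower()
        if kw == "time-range":
            tr = TimeRange(name=words[1])
        elif tr is None:
            raise ValueError("absolute/periodic line before time-range header")
        elif kw == "absolute":
            if "start" in words:
                i = words.index("start")
                tr.abs_start = _parse_abs_time(words[i + 1:i + 5])
            if "end" in words:
                i = words.index("end")
                tr.abs_end = _parse_abs_time(words[i + 1:i + 5])
        elif kw == "periodic":
            i = words.index("to")
            days = frozenset().union(*(DAY_NAMES[d.lower()] for d in words[1:i - 1]))
            start = datetime.strptime(words[i - 1], "%H:%M").time()
            end = datetime.strptime(words[i + 1], "%H:%M").time()
            tr.periodic.append(Periodic(days, start, end))
    if tr is None:
        raise ValueError("no time-range header found")
    return tr


# Constructed from the configuration quoted in reply 4.
TEST_CONFIG = """time-range TEST
 absolute start 09:55 21 March 2012 end 10:30 21 March 2012
 periodic Wednesday 10:00 to 10:10
"""


def replay_reply4() -> dict:
    """Evaluate the three connection attempts described in reply 4 against time-range TEST."""
    tr = parse_time_range(TEST_CONFIG)
    attempts = {
        "09:56": datetime(2012, 3, 21, 9, 56),
        "10:01": datetime(2012, 3, 21, 10, 1),
        "10:11": datetime(2012, 3, 21, 10, 11),
    }
    return {label: tr.is_active(when) for label, when in attempts.items()}


if __name__ == "__main__":
    for label, active in replay_reply4().items():
        print(f"{label}: {'permit' if active else 'deny'}")
```

Because `is_active` ORs the periodic entries and ANDs the result with the absolute window, the same evaluator also answers reply 2's question: an absolute window of 15 January to 22 December combined with `periodic wednesday 12:00 to 14:00` is active only on Wednesdays inside that span, not continuously. A time-range takes one absolute statement but may carry several periodic statements, which is the direction Fabio's reply points in for covering more than one recurring window from a single ACE.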