4 Replies. Latest reply: Mar 21, 2012 3:33 AM by Cristian

    Time based ACLs

    ericleahy - CCNP, CCDP, CCNA SEC

      Hi guys,

      This is a nice quick one, which I think I already know the answer to. How many time-range ACLs can be applied to the same access list, to the same host, in the same traffic direction? Example:

      time-range UPDATES_DECEMBER_15
       absolute start 12:00 15 December 2012 end 14:00 15 December 2012
      !
      time-range UPDATES_DECEMBER_22
       absolute start 12:00 22 December 2012 end 14:00 22 December 2012

      access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES_DECEMBER_15
      access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES_DECEMBER_22

      My feeling after many hours of testing is you can only have one?

      Thanks guys

      Eric

        • 1. Re: Time based ACLs
          Fabio - FW specialist

          yes, just one

          try with

          time-range XXXXX
           periodic xxx xxxx xxxx

          fabio

          • 2. Re: Time based ACLs
            ericleahy - CCNP, CCDP, CCNA SEC

            Hi Fabio,

            Yeah, I was thinking that you could only have one time-range per ACL. Now my understanding of how a time-range group works is: the absolute command string means that anytime between the start and end time, activate the ACL. So the periodic command string will match anything within this time frame, weekday or weekend, and activate the ACL that the time-range is configured with.

            Now if I was to use the absolute along with the periodic command string within the same time-range group, the absolute must match first before the periodic would be referenced by the firewall. So maybe you can answer me this then: if I use the following time-range syntax;

            time-range UPDATES
             absolute start 12:00 15 January 2012 end 14:00 22 December 2012
             periodic wednesday 12:00 to 14:00

            access-list MATCH-WEB-TRAFFFIC extended deny tcp host 192.168.10.10 any eq www time-range UPDATES

            Would this mean that the time range for the ACL to be active would be every Wednesday between 12:00 and 14:00 from January 15th to December 22nd? Or does the absolute command override the periodic command, so that the ACL is active from 12:00 on January 15th to 14:00 on December 22nd?

            Thanks for the help

            Eric

            • 3. Re: Time based ACLs
              Cristian

              Interesting kind of doubt!

              Copying exactly from "Time-Based Access Lists Using Time Ranges", consider that:

              If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not further evaluated after the absolute end time is reached.

              I am then pretty sure that the periodic time range validity occurs inside the absolute time range validity, in a logical AND fashion. To be clear:

              ABSOLUTE:  START                                                                END
                         |----------------------------------------------------------------------|

              PERIODIC:     |--------|      |---------|      |---------|     |---------|

              RESULTS:      |--------|      |---------|      |---------|     |---------|

              Do you agree?

              Doc link: http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.pdf

              Cristian

              • 4. Re: Time based ACLs
                ericleahy - CCNP, CCDP, CCNA SEC

                Just a quick update. I have tested my question from above and have found out the following:

                The absolute syntax does not override the periodic time. For my test I used the following commands:

                time-range TEST
                 absolute start 09:55 21 March 2012 end 10:30 21 March 2012
                 periodic Wednesday 10:00 to 10:10

                access-list inside_in extended permit ip any any time-range TEST

                So I tried to connect out to the internet at 09:56 with no success. I then tried to connect again to the internet at 10:01 with success. I once again tried to connect at 10:11 with no success. So this has shown me that the periodic time syntax is used once it falls between the times outlined in the absolute syntax.

                So I think I might as well just use a time-range that will only use a periodic time. My need is to only allow my Windows update server to reach the internet on the day after new updates are released. It would be nice though if you could use multiple time-ranges within an ACL for the same host; it would make my life a lot easier.

                Also, I have the FIREWALL study book and it did not say I could not have multiple time-ranges within the same ACL for the same host. It would be nice if it did; it would have saved me a couple of hours of pain.

                Thanks for the input Fabio
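The rule Cristian quoted and the result of Eric's test, modelled as a small Python evaluator. This is an added example, not Cisco code and not from anyone in this thread: a time-range with both absolute and periodic lines is active only when both windows match, and the parsers cover only the syntax forms shown on this page (single-day periodic, absolute with both start and end). The constructed input is the TEST time-range from the last post.

```python
from datetime import datetime, time

# Added example (not Cisco code): evaluate one IOS/ASA time-range the way the
# quoted doc describes. Periodic items count only between the absolute start
# and end, so the ACE is active when BOTH windows match (logical AND).

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}

def parse_absolute(line):
    # "absolute start 09:55 21 March 2012 end 10:30 21 March 2012" -> (start, end)
    w = line.split()
    fmt = "%H:%M %d %B %Y"
    return (datetime.strptime(" ".join(w[2:6]), fmt),
            datetime.strptime(" ".join(w[7:11]), fmt))

def parse_periodic(line):
    # "periodic Wednesday 10:00 to 10:10" -> (weekday, from, to); single-day form only
    w = line.split()
    return DAYS[w[1].lower()], time.fromisoformat(w[2]), time.fromisoformat(w[4])

def time_range_active(config, now):
    absolute = periodic = None
    for raw in config.strip().splitlines():
        line = raw.strip()
        if line.startswith("absolute"):
            absolute = parse_absolute(line)
        elif line.startswith("periodic"):
            periodic = parse_periodic(line)
    if absolute and not (absolute[0] <= now <= absolute[1]):
        return False  # outside the absolute window: periodic is never consulted
    if periodic:
        day, frm, to = periodic
        if now.weekday() != day or not (frm <= now.time() <= to):
            return False
    return True

# Constructed input: the time-range Eric tested in his last post (21 March 2012 is a Wednesday).
TEST_RANGE = """
time-range TEST
 absolute start 09:55 21 March 2012 end 10:30 21 March 2012
 periodic Wednesday 10:00 to 10:10
"""

def check(config, stamp):
    """stamp is 'YYYY-MM-DD HH:MM'; returns True when the ACE is active at that moment."""
    return time_range_active(config, datetime.fromisoformat(stamp))

if __name__ == "__main__":
    for stamp in ("2012-03-21 09:56", "2012-03-21 10:01", "2012-03-21 10:11"):
        print(stamp, "active" if check(TEST_RANGE, stamp) else "inactive")
```

The three stamps reproduce Eric's connection attempts: inactive, active, inactive.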