RE: Time-range ACL posted 03/09/2003

Thank you Scott, 
that is the only example of a time-range ACL in the Cisco documentation 
that I found. In the example under your link they want to deny HTTP traffic 
Mo to Fr from 8:00 to 18:00. Indeed, while the time-range is active the 
access list on interface ethernet 0 is blocking Web traffic. But I think 
that Web traffic is always blocked by that ACL. While the time-range 
no-http is inactive, Web traffic (likewise all other traffic, except UDP on 
the weekend from 12:00 to 20:00) is blocked by the implicit deny any any at 
the end of the ACL.

Example from Scott's link:
Time Range Applied to an IP Access List Example
The following example denies HTTP traffic on Monday through Friday from 
8:00 a.m. to 6:00 p.m. on IP. The example allows UDP traffic on Saturday 
and Sunday from noon to 8:00 p.m. only. 

time-range no-http 
 periodic weekdays 8:00 to 18:00 
time-range udp-yes 
 periodic weekend 12:00 to 20:00 
ip access-list extended strict 
 deny tcp any any eq http time-range no-http 
 permit udp any any time-range udp-yes 
interface ethernet 0 
 ip access-group strict in 

My consideration from my last mail raises a second question:
If I bind a "dummy" (undefined) ACL to an interface, IOS does no filtering 
on that interface. That means no kind of packet is blocked. Packets are 
checked against the ACL only after I define the first line in the ACL.
If I have an ACL with only one line, with a time-range statement at the end, 
it works similarly in the "active" period. What about the "inactive" period? 
Is the ACL then defined or not? After my test I think that yes, but I want 
to have it confirmed by some authority.

You are using "positive logic" (permit statement), but if the task is to 
block the same traffic in the middle of the week and middle of the day 
(i.e. Wednesday, 12:00 - 14:00) your time-range must be complicated.


"Scott M. Livingston" <scottl@xxxxxxxxxxxxxxxxx>
Sent by: nobody@xxxxxxxxxxxxxx
03-03-08 23:17
Please respond to "Scott M. Livingston"

        To:     <Wojciech.Gebka@xxxxxxxxxx>, <ccielab@xxxxxxxxxxxxxx>
        Subject:        RE: Time-range ACL

I would just answer your question, but I am not sure I fully understand
it.  Try this url and let us know if you are still having problems.


-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx] On Behalf Of
Sent: Saturday, March 08, 2003 3:34 PM
To: ccielab@xxxxxxxxxxxxxx
Subject: Time-range ACL

Hi, Group

I need confirmation, because nowhere can I find it.

For a time-range ACL:

access-list 100 deny tcp any any eq www time-range Monday

On Monday ACL 100 looks like:
access-list 100 deny tcp any any eq www
access-list 100 deny ip any any (implicit deny)

Every other day:
access-list 100 deny ip any any (implicit deny)

Is it true?
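
Added example, not part of the original thread or of Cisco's documentation: a small Python model of the first-match evaluation discussed above, applied to the quoted `strict` ACL. It assumes that an entry whose time-range is inactive is skipped and that the implicit deny still applies; `STRICT_OPEN` is a hypothetical variant with a trailing `permit ip any any`, and the dates are constructed.

```python
from datetime import datetime

WEEKDAYS, WEEKEND = {0, 1, 2, 3, 4}, {5, 6}  # datetime.weekday(): Monday is 0

# time-range name -> (days, start hour, end hour), taken from the quoted example
TIME_RANGES = {"no-http": (WEEKDAYS, 8, 18), "udp-yes": (WEEKEND, 12, 20)}

# "ip access-list extended strict" as (action, protocol, dst port, time-range)
STRICT = [
    ("deny", "tcp", 80, "no-http"),
    ("permit", "udp", None, "udp-yes"),
]
# Hypothetical variant (not on the page): same entries plus "permit ip any any"
STRICT_OPEN = STRICT + [("permit", "ip", None, None)]


def is_active(time_range, when):
    """True if the entry has no time-range or the range covers `when`."""
    if time_range is None:
        return True
    days, start, end = TIME_RANGES[time_range]
    # Simplification: whole hours only, end hour treated as exclusive.
    return when.weekday() in days and start <= when.hour < end


def evaluate(acl, proto, dport, when):
    """Return 'permit' or 'deny' for one packet under the modelled rules."""
    if not acl:
        return "permit"  # assumption: an ACL with no lines filters nothing
    for action, acl_proto, acl_port, time_range in acl:
        if not is_active(time_range, when):
            continue  # assumption: an inactive entry is skipped
        if acl_proto in ("ip", proto) and acl_port in (None, dport):
            return action  # first match wins
    return "deny"  # implicit deny at the end of any ACL that has lines


if __name__ == "__main__":
    wed_day, wed_night = datetime(2003, 3, 5, 10), datetime(2003, 3, 5, 22)
    for name, acl in (("strict", STRICT), ("strict + permit ip", STRICT_OPEN)):
        for when in (wed_day, wed_night):
            print(name, when, "HTTP ->", evaluate(acl, "tcp", 80, when))
```

Under these assumptions HTTP is denied by `strict` both inside and outside the `no-http` window; only the variant with the trailing permit makes the time-range change the outcome.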