Saturday, January 5, 2013

Using time-based Cisco ACLs

Sometimes you want to control traffic to a certain site by TOD (time of day). Cisco offers this via the time-range option, and by strategic placement of the ACL you can control various kinds of access.

E.g. let's say we only want to control outbound SSH traffic, and only between the hours of 16:00 and 21:00.

1st we create a time-range:

time-range 16_21
 periodic weekdays 16:00 to 21:00
!


2nd we build our extended ACL and reference the time-range in the entry:

ip access-list extended myout
 remark ACL controlling traffic outbound leaving my network
 permit tcp any host 1.1.1.1 eq 22 time-range 16_21
 deny tcp any host 1.1.1.1 eq 22
 permit ip any any
!


3rd we apply the ACL on the interface:

interface FastEthernet0/1
 ip address dhcp
 ip access-group myout out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto

Lastly, since these entries are TOD sensitive, we should set the clock and use NTP to keep it accurate. You can validate whether the TOD ACL entries are active or inactive via the show ip access-list command (the output below is from a different test ACL than the one built above):

(inactive)

ccie_router#show ip access-list myout
Extended IP access list myout
    10 deny tcp any host 1.1.1.2 eq 2022 time-range 16_21 (inactive) (2 matches)

(active)

ccie_router#show ip access-list myout
Extended IP access list myout
    10 deny tcp any host 1.1.1.2 eq 2022 time-range 16_17 (active) (2 matches)

TOD ACL entries can be built from these periodic options:

ccie_router(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday


You can also specify an absolute time, e.g.:

!
time-range mytime
 absolute start 18:11 03 January 2013 end 18:11 06 January 2013
!

You can also group several periodic entries in one time-range:

time-range nightly_transfers-BankBranch
 periodic weekdays 16:00 to 17:00
 periodic weekdays 19:00 to 21:00
 periodic weekdays 22:01 to 23:59
!

The latter TOD entry is what I used to give various bank branches a window for their file transfers. An entry like that can be applied inbound on an interface and allows inbound traffic only during the times and durations listed; outside those windows the entries are inactive and the ACL's implicit deny drops the traffic.

e.g. (note that the ACL name in ip access-group must match the access-list name exactly):

!
int fas 0/1
   description 100meg line to Comcast
   ip address 8.8.8.8 255.255.255.0
   ip access-group site1_in in
!
ip access-list extended site1_in
  permit tcp host 1.1.1.1 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
  permit tcp host 1.1.1.2 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
  permit tcp host 1.1.1.3 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
  permit tcp host 1.1.1.4 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
!
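As an added example (mine, not code from the original post or from Cisco), the following Python script parses the periodic and absolute time-range syntax shown above, reports each range as (active)/(inactive) for a given router-local time the way show ip access-list labels an entry, and shows how an unsynchronised clock flips that state, which is why the post calls for NTP. The time-range definitions are copied from the post; the probe timestamps, the helper names (parse_time_ranges, state_at, skew_flips_state), and the assumptions that a periodic window's end minute is inclusive and that evaluation happens at one-minute resolution are mine.

```python
"""Offline evaluator for Cisco IOS time-range state (added example, not from the post)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# IOS day keywords -> weekday() indexes (Monday == 0 ... Sunday == 6)
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
for _i, _d in enumerate(["monday", "tuesday", "wednesday", "thursday",
                         "friday", "saturday", "sunday"]):
    DAY_GROUPS[_d] = {_i}

# Time-range blocks copied from the post
SAMPLE_CONFIG = """
time-range 16_21
 periodic weekdays 16:00 to 21:00
!
time-range mytime
 absolute start 18:11 03 January 2013 end 18:11 06 January 2013
!
time-range nightly_transfers-BankBranch
 periodic weekdays 16:00 to 17:00
 periodic weekdays 19:00 to 21:00
 periodic weekdays 22:01 to 23:59
!
"""


@dataclass
class Periodic:
    days: set      # weekday() indexes the window applies to
    start: time
    end: time      # inclusive minute (assumption), e.g. '22:01 to 23:59' covers 23:59


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)
    absolute_start: datetime = None
    absolute_end: datetime = None

    def is_active(self, now: datetime) -> bool:
        """Active when 'now' lies inside the absolute window (if set) and inside
        at least one periodic window (if any are defined)."""
        if self.absolute_start and now < self.absolute_start:
            return False
        if self.absolute_end and now > self.absolute_end:
            return False
        if not self.periodic:
            return True
        t = now.time().replace(second=0, microsecond=0)   # one-minute resolution (assumption)
        return any(now.weekday() in p.days and p.start <= t <= p.end for p in self.periodic)


def parse_time_ranges(config: str) -> dict:
    """Parse 'time-range NAME' blocks; a bare '!' closes a block as in IOS config."""
    ranges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("time-range "):
            current = TimeRange(name=line.split(None, 1)[1])
            ranges[current.name] = current
        elif line.startswith("periodic ") and current:
            # 'periodic weekdays 16:00 to 21:00'; one or more day keywords precede the times
            tok, days, i = line.split(), set(), 1
            while tok[i].lower() in DAY_GROUPS:
                days |= DAY_GROUPS[tok[i].lower()]
                i += 1
            current.periodic.append(
                Periodic(days, time.fromisoformat(tok[i]), time.fromisoformat(tok[i + 2])))
        elif line.startswith("absolute ") and current:
            # 'absolute start HH:MM DD Month YYYY end HH:MM DD Month YYYY' (either part may be omitted)
            tok, j = line.split(), 1
            while j < len(tok):
                when = datetime.strptime(" ".join(tok[j + 1:j + 5]), "%H:%M %d %B %Y")
                if tok[j] == "start":
                    current.absolute_start = when
                else:
                    current.absolute_end = when
                j += 5
        elif line == "!":
            current = None
    return ranges


def state_at(name: str, stamp: str, config: str = SAMPLE_CONFIG) -> str:
    """Label time-range NAME at router-local time 'YYYY-MM-DD HH:MM' like show ip access-list."""
    active = parse_time_ranges(config)[name].is_active(datetime.fromisoformat(stamp))
    return "(active)" if active else "(inactive)"


def skew_flips_state(name: str, stamp: str, skew_minutes: int, config: str = SAMPLE_CONFIG) -> bool:
    """True if a router clock off by skew_minutes would report the opposite state."""
    rng = parse_time_ranges(config)[name]
    true_now = datetime.fromisoformat(stamp)
    return rng.is_active(true_now) != rng.is_active(true_now + timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    # Constructed probes: Friday 4 Jan 2013 and Saturday 5 Jan 2013 (the post's date)
    for stamp in ("2013-01-04 18:30", "2013-01-05 18:30"):
        for name in parse_time_ranges(SAMPLE_CONFIG):
            print(f"{stamp}  {name:32} {state_at(name, stamp)}")
    print("10 min clock skew flips 16_21 at Fri 15:55:", skew_flips_state("16_21", "2013-01-04 15:55", 10))
```

Running it shows 16_21 active on the Friday probe but inactive on the Saturday one (weekdays only), mytime active on both (inside its absolute window), and the bank-branch range inactive at 18:30 because that falls in the gap between its windows; the skew check shows that a router only ten minutes fast already reports 16_21 as active before the real window opens.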


Ken Felix
Freelance Network & Security Engineer
kfelix@ hyperfeed  com
