Sometimes you want to control traffic to a certain site by TOD (time of day). Cisco IOS offers this via the time-range option: reference a time-range in an ACL entry, and by placing that ACL strategically you can control various kinds of access.
E.g. let's say we only control outbound SSH traffic, and only allow it between the hours of 16:00 and 21:00.
1st we create a time-range
time-range 16_21
periodic weekdays 16:00 to 21:00
!
2nd we build our ACL and reference the time-range in the extended ACL entry
ip access-list extended myout
remark ACL allowing traffic outbound leaving my network
permit tcp any host 1.1.1.1 eq 22 time-range 16_21
deny tcp any host 1.1.1.1 eq 22
permit ip any any
!
3rd we apply the ACL to the interface
interface FastEthernet0/1
ip address dhcp
ip access-group myout out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
Lastly, since these entries are TOD-sensitive, we should set the clock and use NTP to keep it accurate; a wrong router clock silently shifts the window. You can validate whether the TOD ACL entries are currently active or inactive via the show ip access-list command:
(inactive)
ccie_router#show ip access-list myout
Extended IP access list myout
10 deny tcp any host 1.1.1.2 eq 2022 time-range 16_21 (inactive) (2 matches)
(active)
ccie_router#show ip access-list myout
Extended IP access list myout
10 deny tcp any host 1.1.1.2 eq 2022 time-range 16_17 (active) (2 matches)
The periodic keyword of a TOD entry accepts these options:
ccie_router(config-time-range)#periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday
You can also specify an absolute time, e.g.:
!
time-range mytime
absolute start 18:11 03 January 2013 end 18:11 06 January 2013
!
You can also group several periodic entries in one time-range:
time-range nightly_transfers-BankBranch
periodic weekdays 16:00 to 17:00
periodic weekdays 19:00 to 21:00
periodic weekdays 22:01 to 23:59
!
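The periodic, absolute and grouped time-ranges above, and the (active)/(inactive) markers that show ip access-list prints, can be checked offline before a change window. The following script is an added example, not code from the original post or from Cisco: it parses the post's own time-range and ACL lines and reports which ACEs would be active at a given router-local time. The SAMPLE_CONFIG and SAMPLE_ACL strings are constructed from the post, the at() helper and the inclusive-to-the-minute treatment of bounds are assumptions, and only the same-day periodic form used here is handled.

```python
# Added example, not from the original post: evaluates IOS time-range and
# time-based ACL entries offline and reports (active)/(inactive) the way
# 'show ip access-list' does. Semantic assumptions are noted inline.
from datetime import datetime

# Constructed sample: the time-ranges from the post.
SAMPLE_CONFIG = """
time-range 16_21
 periodic weekdays 16:00 to 21:00
!
time-range mytime
 absolute start 18:11 03 January 2013 end 18:11 06 January 2013
!
time-range nightly_transfers-BankBranch
 periodic weekdays 16:00 to 17:00
 periodic weekdays 19:00 to 21:00
 periodic weekdays 22:01 to 23:59
"""
# Constructed sample: the outbound SSH ACL from the post.
SAMPLE_ACL = """
ip access-list extended myout
 permit tcp any host 1.1.1.1 eq 22 time-range 16_21
 deny tcp any host 1.1.1.1 eq 22
 permit ip any any
"""
# 'periodic' day keywords mapped to datetime.weekday() values (Monday = 0).
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}
ABSOLUTE_FMT = "%H:%M %d %B %Y"  # e.g. "18:11 03 January 2013"

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def parse_time_ranges(config_text):
    """{name: {"periodic": [(weekdays, start_min, end_min)], "absolute": (start, end)}}.
    Handles the same-day 'periodic <days> HH:MM to HH:MM' form used in the post,
    not the multi-day 'periodic monday 08:00 to friday 17:00' form."""
    ranges, current = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "time-range":
            current = ranges.setdefault(tokens[1], {"periodic": [], "absolute": (None, None)})
        elif current is not None and tokens[0] == "periodic":
            to = tokens.index("to")
            days = set()
            for keyword in tokens[1:to - 1]:
                days |= DAY_KEYWORDS[keyword.lower()]
            current["periodic"].append((days, _minutes(tokens[to - 1]), _minutes(tokens[to + 1])))
        elif current is not None and tokens[0] == "absolute":
            # IOS allows 'start' or 'end' alone; a missing bound is open-ended.
            start = end = None
            if "start" in tokens:
                i = tokens.index("start")
                start = datetime.strptime(" ".join(tokens[i + 1:i + 5]), ABSOLUTE_FMT)
            if "end" in tokens:
                i = tokens.index("end")
                end = datetime.strptime(" ".join(tokens[i + 1:i + 5]), ABSOLUTE_FMT)
            current["absolute"] = (start, end)
    return ranges

def is_active(time_range, now):
    """True when `now` (router-local time, so clock/NTP accuracy matters) is inside the range.
    Assumed IOS semantics: the absolute window bounds everything; within it any
    matching periodic entry activates the range, and a range with no periodic
    entries is active for the whole window. Bounds are inclusive to the minute."""
    start, end = time_range["absolute"]
    if (start is not None and now < start) or (end is not None and now > end):
        return False
    if not time_range["periodic"]:
        return True
    minute = now.hour * 60 + now.minute
    return any(now.weekday() in days and first <= minute <= last
               for days, first, last in time_range["periodic"])

def acl_entry_states(acl_text, ranges, now):
    """(sequence, entry, state) per ACE, like the (active)/(inactive) markers of
    'show ip access-list'. ACEs without a time-range are always active; sequence
    numbers follow the IOS default of 10, 20, 30, ..."""
    states, seq = [], 0
    for raw in acl_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        seq += 10
        state = "active"
        if "time-range" in tokens:
            name = tokens[tokens.index("time-range") + 1]
            state = "active" if is_active(ranges[name], now) else "inactive"
        states.append((seq, " ".join(tokens), state))
    return states

def at(timestamp):
    """ISO-8601 string to datetime, e.g. at('2013-01-02T17:00') (assumed helper)."""
    return datetime.fromisoformat(timestamp)

RANGES = parse_time_ranges(SAMPLE_CONFIG)

if __name__ == "__main__":
    # Wednesday 2 January 2013 18:00 (16_21 active) vs. Saturday 5 January 2013 12:00 (inactive).
    for when in ("2013-01-02T18:00", "2013-01-05T12:00"):
        print(f"--- {when}")
        for seq, entry, state in acl_entry_states(SAMPLE_ACL, RANGES, at(when)):
            print(f"  {seq} {entry} ({state})")
```

Run it as-is to see the myout ACL evaluated at a weekday evening and at a Saturday noon; the timestamps you pass must be in the router's local time zone, which is exactly why the post insists on setting the clock and running NTP.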
The latter TOD entry is what I used to allow for various bank branches and for the transfers of files. So an entry like that could be used inbound on an interface and allows inbound traffic at the times and durations listed.
e.g.
!
!
int fas 0/1
description 100meg line to Comcast
ip address 8.8.8.8 255.255.255.0
ip access-group site1_in in
!
!
ip access-list extended site1_in
permit tcp host 1.1.1.1 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
permit tcp host 1.1.1.2 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
permit tcp host 1.1.1.3 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
permit tcp host 1.1.1.4 gt 1024 host 2.2.2.2 eq www time-range nightly_transfers-BankBranch
!
!
Ken Felix
Freelance Network & Security Engineer
kfelix@ hyperfeed com