
Cisco: Time-based ACL

Tasks

  1. time-range periodic
  2. time-range absolute
  3. verify how several time-range and ACL combinations behave

Lab

Configuration

! Set the clock to the day under test (one command at a time) before testing the periodic range
! Friday
clock set 00:00:00 28 Aug 2020
! Saturday
clock set 00:00:00 29 Aug 2020
! Sunday
clock set 00:00:00 30 Aug 2020
! Monday
clock set 00:00:00 31 Aug 2020
! Tuesday
clock set 00:00:00 1 Sep 2020
! Wednesday
clock set 00:00:00 2 Sep 2020
! Thursday
clock set 00:00:00 3 Sep 2020
! Friday
clock set 00:00:00 4 Sep 2020
! Saturday
clock set 00:00:00 5 Sep 2020
! Sunday
clock set 00:00:00 6 Sep 2020
! Monday
clock set 00:00:00 7 Sep 2020
! For the absolute range: one minute before 2020-01-01 00:00:00
clock set 23:59:00 31 Dec 2019
configure terminal
!
time-range TIME_RANGE_WEEKEND
 periodic weekend 00:02 to 00:04
!
! active from 00:00:00 through 00:04:59 (the end minute is inclusive)
time-range TIME_RANGE_2020_HAPPY_NEW_YEAR
 absolute start 00:00 1 Jan 2020 end 00:04 1 Jan 2020
!
! TIME_RANGE_XXXXXXXXXX stands for whichever time-range is under test
access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_XXXXXXXXXX
access-list 101 permit ip 172.16.0.0 0.0.255.255 10.2.3.0 0.0.0.255
access-list 101 permit ip any 224.0.0.0 15.255.255.255
access-list 101 permit eigrp any any
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end

Verification

Verification commands

show time-range
show access-lists
show clock
ping 10.2.3.3 source 10.1.2.1 repeat 2147483647
ping 10.2.3.3 source 172.16.11.1

How permit ip any any is evaluated

If the following entries are defined,

configure terminal
!
access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_XXXXXXXXXX
access-list 101 permit ip any any
!
end

an ICMP packet from 10.1.2.0/24 to 10.2.3.0/24 matches the first entry only while TIME_RANGE_XXXXXXXXXX is active. While the time range is inactive, the entry

access-list 101 permit icmp 10.1.2.0 0.0.0.255 10.2.3.0 0.0.0.255 time-range TIME_RANGE_XXXXXXXXXX

is simply skipped; it does not turn into a deny. The ICMP packet therefore falls through and matches access-list 101 permit ip any any. With a catch-all permit after it, the time-range entry changes only which entry the packet hits, not the verdict; if ICMP is meant to be blocked outside the window, an explicit deny icmp entry has to sit between the time-range entry and the permit ip any any.

R1 Console Log

R2 Console Log

Summary

  1. Activation is delayed 30 to 60 seconds after the start time. But I could not determine the effect of NTP versus manual clock configuration.
  2. After a shutdown and reboot, the start time is not delayed significantly.
  3. Important: an end time of 00:02 means the range is active until 00:02:59.
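The fall-through behaviour from the "How permit ip any any is evaluated" section and the inclusive end minute from item 3, as an added example that is not part of this page: a small Python model of IOS time-range evaluation and ordered ACL matching. The class and function names (TimeRange, Ace, evaluate, wildcard, ping, active) are my own, not IOS or any library API; the lab's TIME_RANGE_XXXXXXXXXX placeholder is taken as TIME_RANGE_WEEKEND, and the 30 to 60 second activation lag observed in item 1 is not modelled. Beyond the page's two ACLs it also shows the ACL_101_STRICT ordering needed if ICMP should actually be blocked outside the window.

```python
# Added example (not from the page): a toy model of IOS time-range evaluation and
# ordered ACL matching. Names are my own; only the ACL semantics the page states are assumed.
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

WEEKEND = {5, 6}  # Python weekday numbers, Monday == 0

@dataclass
class Periodic:
    days: set
    start: time
    end: time  # inclusive: "to 00:04" covers 00:04:00 through 00:04:59

    def active(self, now: datetime) -> bool:
        minute = now.replace(second=0, microsecond=0).time()  # minute granularity
        return now.weekday() in self.days and self.start <= minute <= self.end

@dataclass
class Absolute:
    start: Optional[datetime] = None  # None: no lower bound
    end: Optional[datetime] = None    # None: no upper bound; end minute is inclusive

    def active(self, now: datetime) -> bool:
        minute = now.replace(second=0, microsecond=0)
        return (self.start is None or minute >= self.start) and (
            self.end is None or minute <= self.end)

@dataclass
class TimeRange:
    periodic: list = field(default_factory=list)  # several periodic lines are ORed
    absolute: Optional[Absolute] = None           # absolute bounds the periodic lines

    def active(self, now: datetime) -> bool:
        if self.absolute is not None and not self.absolute.active(now):
            return False
        return not self.periodic or any(p.active(now) for p in self.periodic)

def wildcard(addr: str, wc: str = "0.0.0.0") -> IPv4Network:
    """Cisco 'address wildcard' -> network; 'any' -> 0.0.0.0/0 (non-contiguous wildcards raise)."""
    if addr == "any":
        addr, wc = "0.0.0.0", "255.255.255.255"
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wc)))
    return IPv4Network((addr, str(netmask)), strict=False)

@dataclass
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    time_range: Optional[str] = None

def evaluate(acl, time_ranges, proto, src, dst, now):
    """First match wins -> (action, 1-based entry number); ("deny", None) is the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for n, ace in enumerate(acl, 1):
        if ace.time_range and not time_ranges[ace.time_range].active(now):
            continue  # inactive time-range: the entry is skipped, it is NOT a deny
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None

# The page's lab, with TIME_RANGE_XXXXXXXXXX taken as TIME_RANGE_WEEKEND.
TIME_RANGES = {
    "TIME_RANGE_WEEKEND": TimeRange(periodic=[Periodic(WEEKEND, time(0, 2), time(0, 4))]),
    "TIME_RANGE_2020_HAPPY_NEW_YEAR": TimeRange(
        absolute=Absolute(datetime(2020, 1, 1, 0, 0), datetime(2020, 1, 1, 0, 4))),
}
SRC, DST = wildcard("10.1.2.0", "0.0.0.255"), wildcard("10.2.3.0", "0.0.0.255")
ANY = wildcard("any")
ICMP_IN_WINDOW = Ace("permit", "icmp", SRC, DST, "TIME_RANGE_WEEKEND")
ACL_101 = [
    ICMP_IN_WINDOW,
    Ace("permit", "ip", wildcard("172.16.0.0", "0.0.255.255"), DST),
    Ace("permit", "ip", ANY, wildcard("224.0.0.0", "15.255.255.255")),
    Ace("permit", "eigrp", ANY, ANY),
]
# With "permit ip any any" appended, the time-range entry no longer changes the verdict.
ACL_101_ANY = ACL_101 + [Ace("permit", "ip", ANY, ANY)]
# To block ICMP outside the window while passing everything else, an explicit
# deny must sit between the time-range entry and the catch-all permit.
ACL_101_STRICT = [ICMP_IN_WINDOW, Ace("deny", "icmp", SRC, DST), Ace("permit", "ip", ANY, ANY)]

def active(name, when):
    """Is time-range `name` active at `when` (datetime or ISO 8601 string)?"""
    return TIME_RANGES[name].active(datetime.fromisoformat(when) if isinstance(when, str) else when)

def ping(acl, when, src="10.1.2.1"):
    """Verdict for 'ping 10.2.3.3 source <src>' with the clock at `when`."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    return evaluate(acl, TIME_RANGES, "icmp", src, "10.2.3.3", when)

if __name__ == "__main__":  # Saturday 00:03:04 (inside 00:02-00:04) and 00:05:00 (just after)
    for name, acl in ("101", ACL_101), ("101+any", ACL_101_ANY), ("strict", ACL_101_STRICT):
        print(name, ping(acl, "2020-08-29T00:03:04"), ping(acl, "2020-08-29T00:05:00"))
```

Run it directly to see the verdict for a Saturday ping inside the window and one second after it for all three ACL variants: ACL_101 ends in the implicit deny once the window closes, ACL_101_ANY is permitted by entry 5 regardless of the time range, and only ACL_101_STRICT denies the out-of-window ping by an explicit entry. The 00:04:59 case shows the inclusive end minute from item 3.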

References

tech/network/cisco/security/network-security/acl/time-based-acl/time-based-acl.txt · Last modified: 2020/08/30 12:03 by wnoguchi