time-based acl

Hi, I've seen time-based ACLs written in two different formats. For example, if I want to define the range from 8am to 5pm, I've sometimes seen this format

periodic weekdays 08:00 to 16:59


while elsewhere they are in the format

periodic weekdays 08:00 to 17:00


The reason why you write 16:59 is that the range actually lasts until 16:59:59, so from 17:00 onwards the ACL is no longer active, while if you write 17:00 it will be active until 17:00:59. However, I've seen the second format so many times in so many places.

What is the exact way of writing a time-based ACL? Or better, what is the way of writing an ACL that is considered correct in the lab? I think this is one of those stupid tricks that make you lose points.

Thanks everyone

M


Comments

  • Hi Marco,

    Quite honestly, I am not sure if this will make you lose points in the lab exam. But the MOST accurate way to configure this would be to use your first example, up to 16:59.

    So in the lab, go with the first format.

    HTH

    Good luck!

  • Hi Marco,

    Yes, you can write the time-based ACL in different ways. Here is the example:

    Suppose you need to allow Web traffic from 10:00am to 6:00pm; you can configure the time-range & ACL as follows:

    Option 1:

    time-range WEB
     periodic weekdays 10:00 to 17:59
    ip access-list extended TIME-BASED
     permit ip 192.168.20.0 0.0.0.255 any time-range WEB

    Option 2:

    ip access-list extended TIME-BASED
     deny ip 192.168.20.0 0.0.0.255 any time-range WEB1
     permit ip any any
    time-range WEB1
     periodic weekdays 18:00 to 23:59
     periodic weekdays 0:00 to 9:59

    Both scenarios work similarly. :)


    Hope this helps!
  • Hi,

    OK, but this example is about the "positive" or "negative" way of writing things; I meant another thing.

    You wrote

     periodic weekdays 10:00 to 17:59

    because you wanted the ACL not to be matched at 18:00. This is formally correct, but even the Cisco documentation reports a different syntax.

    See this at

    http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-ECF9CF93-F944-4E29-969A-502039A708F1

    In practice, even Cisco tells you that you should write

    periodic weekdays 10:00 to 18:00

    which is supposed to be wrong.


  • If you write 18:00 it will run until 18:00:59, so technically this is not accomplishing 18:00 sharp! That's why you want to write 16:59, as it will run until 16:59:59.

  • I agree, so the definitive answer is that the Cisco documentation is wrong and one should write "last hour":"59" for the match to be OK, right?

  • Yep; I think the best word here is that it is not precise. 59 is definitely the most accurate one here.
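As an added example (not part of the thread and not Cisco code), here is a small Python evaluator for `periodic` statements that models the behaviour the posters describe: the end time is inclusive to the minute, so `to 17:00` still matches at 17:00:59 while `to 16:59` stops at 16:59:59. It also checks that Option 1's WEB and Option 2's WEB1 above are exact complements on a weekday. It assumes same-day ranges only (cross-day forms such as `periodic monday 18:00 to tuesday 08:00` are not modelled), and the dates used are constructed.

```python
from datetime import datetime, time

# Day keywords accepted by IOS "periodic"; Python's weekday() has Monday == 0.
DAY_GROUPS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def parse_periodic(stmt):
    """Parse 'periodic <day keywords...> hh:mm to hh:mm' into (days, start, end).

    Assumption: only same-day ranges are modelled (as in the thread);
    cross-day forms like 'periodic monday 18:00 to tuesday 08:00' are not.
    """
    words = stmt.split()
    if len(words) < 5 or words[0] != "periodic" or words[-2] != "to":
        raise ValueError(f"unsupported statement: {stmt!r}")
    days = set()
    for word in words[1:-3]:
        days |= DAY_GROUPS[word.lower()]
    start = time(*map(int, words[-3].split(":")))
    end = time(*map(int, words[-1].split(":")))
    return days, start, end

def periodic_active(stmt, when):
    """True if the statement covers the datetime 'when' (seconds included)."""
    days, start, end = parse_periodic(stmt)
    # IOS compares at minute granularity, so the whole end minute
    # (hh:mm:00 .. hh:mm:59) is still inside the range: "to 17:00" matches
    # at 17:00:59, while "to 16:59" stops matching at 17:00:00.
    minute = when.time().replace(second=0, microsecond=0)
    return when.weekday() in days and start <= minute <= end

def time_range_active(stmts, when):
    """A time-range is active when any of its periodic statements matches."""
    return any(periodic_active(s, when) for s in stmts)

def weekday_minutes_active(stmts, day=datetime(2024, 1, 3)):
    """Minutes of the day (0..1439) on which the range is active; the default
    day is a constructed Wednesday used for the complement check below."""
    return {m for m in range(1440)
            if time_range_active(stmts, day.replace(hour=m // 60, minute=m % 60))}

# The two forms from the thread: Option 1 permits during WEB, Option 2 denies during WEB1.
WEB = ["periodic weekdays 10:00 to 17:59"]
WEB1 = ["periodic weekdays 18:00 to 23:59", "periodic weekdays 0:00 to 9:59"]
```

Calling `weekday_minutes_active(WEB)` and `weekday_minutes_active(WEB1)` gives disjoint sets whose union is every minute of the day, which is the property that makes the two options equivalent for the 192.168.20.0/24 source.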
