time-based acl

marco_fera

Hi I've seen time-based acl in two different formats. For example if I want to define the range from 8am to 5pm I've seen sometimes this format

periodic weekdays 08:00 to 16:59

 

while elsewhere they are in the format

periodic weekdays 08:00 to 17:00

 

The reason why you write 16:59 is that the range actually lasts till 16:59:59 so from 17:00 onwards the acl is no more active, while if you write 17:00 it will be active until 17:00:59. However I've seen the second format so many times in so many places.

What is the exact way of writing a time-based acl? or better, what is the way of writing an acl that is considered correct at the lab? I think this is one of the stupid tricks that make you lose points.

Thanks everyone

M

 

 

qqabdal

Hi Marco,

Quite honestly, I am not sure if this will make you lose points in the lab exam. But the MOST accurate way to configure this would be to use your first example up to 16:59.

So in the lab, go with the first format.

HTH

Good luck!

Hari.sapkota

Hi Marco,

Yes, you can write the time-based ACL in different ways. Here is the example:

Suppose you need to allow Web traffic from 10:00am to 6:00pm, you can configure the time-range & ACL as follows:

 

Option 1:

time-range WEB

 periodic weekdays 10:00 to 17:59

ip access-list extended TIME-BASED

 permit ip 192.168.20.0 0.0.0.255 any time-range WEB

 

Option 2:

ip access-list extended TIME-BASED

 deny ip 192.168.20.0 0.0.0.255 any time-range WEB1

 permit ip any any

time-range WEB1

 periodic weekdays 18:00 to 23:59

 periodic weekdays 0:00 to 9:59

Both the scenario work similarly.

Hope this helps!

marco_fera

Hi Marco,

Yes, you can write the time-based ACL in different ways. Here is the example:

Suppose you need to allow Web traffic from 10:00am to 6:00pm, you can configure the time-range & ACL as follows:

 

Option 1:

time-range WEB

 periodic weekdays 10:00 to 17:59

ip access-list extended TIME-BASED

 permit ip 192.168.20.0 0.0.0.255 any time-range WEB

 

Option 2:

ip access-list extended TIME-BASED

 deny ip 192.168.20.0 0.0.0.255 any time-range WEB1

 permit ip any any

time-range WEB1

 periodic weekdays 18:00 to 23:59

 periodic weekdays 0:00 to 9:59

Both the scenario work similarly.

Hope this helps!

Hi,

 

ok but this example is for "positive" or "negative" way of writing things, but I meant another thing.

You wrote

 periodic weekdays 10:00 to 17:59

 

because you wanted the acl not to be matched at 18:00. This is formally correct but even cisco documentation reports a different syntax

See this at

http://www.cisco.com/en/US/docs/ios-xml/ios/bsm/command/bsm-cr-n1.html#GUID-ECF9CF93-F944-4E29-969A-502039A708F1

in practice even cisco tells you that you should write

periodic weekdays 10:00 to 18:00

which is supposed to be wrong.

 

 

 

qqabdal

If you write 18:00 it will run at 18:00:59, so technically this is not accomplishing 18:00 sharp! That's why you want to write it 16:59, as it will run until 16:59:59.

marco_fera

If you write 18:00 it will run at 18:00:59, so technically this is not accomplishing 18:00 sharp! That's why you want to write it 16:59, as it will run until 16:59:59.

I agree, so the definitive answer is that cisco documentation is wrong and one should write "last hour":"59" for the match to be ok, right?

qqabdal

I agree, so the definitive answer is that cisco documentation is wrong and one should write "last hour":"59" for the match to be ok, right?

Yep; I think the best word here is that it is not precise. 59 is definitely the most accurate one here.