8.2 - AK ACL cuts off all traffic between the hours of 9 and 5 ???

If the time range includes everything except the hours between 9 am and 5 pm, and the ACL has a permit on IP traffic, then the ACL is only allowing IP traffic after work hours. So this ACL not only denies web surfing, it denies all traffic in the 9 am to 5 pm time frame. The ACL needs to be 3 lines, right?


  • I need some help on this one myself. I think I am way off on the interpretation.

    My thought was that only 1 ACL line permits just access to the WWW server during business hours, and then by default the ACL is no longer active after that time, allowing all traffic.

    What do you think?



  • I'm with you on this one.  I believe the Solution Guide is incorrect.  I think the answer is:

    ip access-list extended WEB
     permit tcp any host 148.x.3.100 eq www
     deny   tcp any any eq www time-range WORKHOURS
     permit ip any any

    time-range WORKHOURS
     periodic weekdays 9:00 to 17:00

    interface Ethernet0/1
      ip access-group WEB in

    ntp server

    IMHO, not having accurate time on the router breaks this configuration, which is why I added the ntp server command.


  • I don't think the SG is incorrect as far as I understand. Let's take an example and walk through it.

    It's 7 am on a Sunday.

    The first ACL statement says to PERMIT anything that matches the time range. Well, 7 am on a Sunday matches the time range, so yes, it will permit it, and that's the end of that ACL.

    It's 10 am on a Monday.

    The first statement of the ACL matches the time-range; well, this is NOT in that range, so it denies it. The ONLY traffic allowed is the traffic going to the internal web server. I got this working on my home lab, but who knows, I might be wrong :)

    Hope this helped.

  • There are two ways to interpret this task. 

    The solution guide seems to interpret it this way:  Permit ONLY web traffic to a single web server during business hours.  Block all other IP traffic.

    I think a more reasonable interpretation of the question is:  During business hours the only WEB traffic that should be permitted is to a single web server.  Block all other WEB traffic during business hours.  Allow all other IP traffic.

    "use minimum amount of access-list entries"

    time-range WORKHOURS
     periodic weekdays 9:00 to 17:00

    Rack1R5(config-time-range)#periodic weekdays 09:00 to ?
      hh:mm  Ending time - stays valid until beginning of next minute

    Rack1R5(config-time-range)#periodic weekdays 09:00 to 16:59

    Although this is not so important, with periodic weekdays 9:00 to 17:00 users will have access until the end of 17:00:59 :)))


  • Also, I forgot that the SG says

    periodic weekdays 17:01 to 23:59, which I think is wrong,

    because users will not have full access from 17:00 to 17:01  [:D]

    "Work hours are from 9 AM to 5 PM Monday", but not to 17:01


    Yes I agree,

    "periodic weekdays 17:01 to 23:59" from the solution guide is incorrect.  I think the answer should be "periodic weekdays 17:00 to 23:59".  This allows access beginning exactly at 5:00 pm.   5:01 would not meet the letter of the task.



  • I think there are two correct solutions.
    To clarify, I would ask the proctor to be really sure:

    Solution 1: deny WWW traffic during working hours to hosts which are not permitted, permit the REST (non-www; e.g. mail)

    time-range WORK
     periodic weekdays 9:00 to 16:59    ! will match 09:00:00 - 16:59:59

    ip access-list extended WORKER
     permit tcp any host 148.x.3.100 eq www
     deny   tcp any any eq www time-range WORK
     permit ip any any

    Solution 2: permit ONLY www to the internal host during working hours, block the REST

    time-range NON-WORK
     periodic weekend 0:00 to 23:59            ! will match 00:00:00 - 23:59:59
     periodic weekdays 0:00 to 8:59        ! will match 00:00:00 - 08:59:59
     periodic weekdays 17:00 to 23:59    ! will match 17:00:00 - 23:59:59
    ip access-list extended WORKER2
     permit tcp any host 148.x.3.100 eq www
     permit ip any any time-range NON-WORK
     deny   ip any any                       ! redundant: the implicit deny at the end of the ACL does this already
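    To see how the two solutions above differ, and to check the 16:59 / 17:00 / 17:01 boundary arguments raised earlier in the thread, here is a small Python model of IOS time-range and extended-ACL evaluation. It is an added example, not code from the thread or from the workbook: it implements the semantics quoted above (the ending time of a periodic entry "stays valid until beginning of next minute", first match wins, implicit deny at the end). The addresses 148.1.3.100 (rack 1 assumed for the task's 148.x.3.100), 10.5.5.5 (a VLAN 5 host) and 198.51.100.10 (some other web/mail server) are constructed for the demonstration.

```python
from datetime import datetime, time

# Day sets in datetime.weekday() numbering: Monday = 0 ... Sunday = 6
WEEKDAYS = {0, 1, 2, 3, 4}
WEEKEND = {5, 6}

# Constructed addresses: the task says 148.x.3.100 (x = rack number);
# rack 1 is assumed here, and 10.5.5.5 stands in for a host on VLAN 5.
WEB_SERVER = "148.1.3.100"
VLAN5_HOST = "10.5.5.5"


def _hhmm(text):
    """Parse 'H:MM' or 'HH:MM' as typed in IOS into a time object."""
    hour, minute = (int(part) for part in text.split(":"))
    return time(hour, minute)


class TimeRange:
    """A named IOS time-range holding one or more 'periodic' entries."""

    def __init__(self, name):
        self.name = name
        self.periodic = []  # list of (day set, start, end)

    def add_periodic(self, days, start, end):
        self.periodic.append((days, _hhmm(start), _hhmm(end)))
        return self

    def active(self, when):
        # IOS semantics quoted in the thread: the ending time "stays valid
        # until beginning of next minute", so match on hh:mm only with both
        # ends inclusive (9:00 to 16:59 covers 09:00:00 through 16:59:59).
        hhmm = when.time().replace(second=0, microsecond=0)
        return any(when.weekday() in days and start <= hhmm <= end
                   for days, start, end in self.periodic)


class Ace:
    """One entry: src/dst are 'any' or one host address, dport None = any port."""

    def __init__(self, action, proto, src, dst, dport=None, time_range=None):
        self.action, self.proto = action, proto
        self.src, self.dst, self.dport = src, dst, dport
        self.time_range = time_range

    def matches(self, pkt, when):
        if self.time_range is not None and not self.time_range.active(when):
            return False  # an entry whose time-range is inactive is skipped
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.src != "any" and self.src != pkt["src"]:
            return False
        if self.dst != "any" and self.dst != pkt["dst"]:
            return False
        return self.dport is None or self.dport == pkt["dport"]


class Acl:
    """Named extended ACL: first match wins, implicit deny at the end."""

    def __init__(self, name, entries):
        self.name, self.entries = name, entries

    def evaluate(self, pkt, when):
        for ace in self.entries:
            if ace.matches(pkt, when):
                return ace.action
        return "deny"


def build_acls(nonwork_evening_start="17:00"):
    """Build (WORKER, WORKER2) as posted; the evening start of NON-WORK is
    a parameter so the 17:00 versus 17:01 question can be checked."""
    work = TimeRange("WORK").add_periodic(WEEKDAYS, "9:00", "16:59")
    non_work = (TimeRange("NON-WORK")
                .add_periodic(WEEKEND, "0:00", "23:59")
                .add_periodic(WEEKDAYS, "0:00", "8:59")
                .add_periodic(WEEKDAYS, nonwork_evening_start, "23:59"))
    worker = Acl("WORKER", [
        Ace("permit", "tcp", "any", WEB_SERVER, 80),
        Ace("deny", "tcp", "any", "any", 80, time_range=work),
        Ace("permit", "ip", "any", "any"),
    ])
    worker2 = Acl("WORKER2", [
        Ace("permit", "tcp", "any", WEB_SERVER, 80),
        Ace("permit", "ip", "any", "any", time_range=non_work),
        # the explicit 'deny ip any any' is left out: the implicit deny covers it
    ])
    return worker, worker2


def decide(acl, proto, dst, dport, when_iso, src=VLAN5_HOST):
    """Evaluate one constructed packet from VLAN 5 at an ISO-8601 timestamp."""
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    return acl.evaluate(pkt, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    worker, worker2 = build_acls()
    # 2024-01-08 is a Monday, 2024-01-07 a Sunday
    for when in ("2024-01-08T10:00:00", "2024-01-08T16:59:59",
                 "2024-01-08T17:00:30", "2024-01-07T07:00:00"):
        for proto, dst, port in (("tcp", WEB_SERVER, 80),
                                 ("tcp", "198.51.100.10", 80),
                                 ("tcp", "198.51.100.10", 25)):
            print(when, proto, dst, port,
                  "WORKER:", decide(worker, proto, dst, port, when),
                  "WORKER2:", decide(worker2, proto, dst, port, when))
```

    Running it shows the practical difference the thread is arguing about: at 10:00 on a Monday both ACLs permit web traffic to 148.1.3.100 and deny web traffic elsewhere, but only WORKER still lets mail (port 25) through, which is the ping-during-work-hours symptom reported later in the thread for the SG's approach. Rebuilding with `build_acls(nonwork_evening_start="17:01")` reproduces the one-minute gap at 17:00:30 that the 17:01 line in the solution guide introduces.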


  • Both solutions are correct; we have to use the second one, because we must apply the "minimum amount of access-list entries" :)

  • I just tried this with a server plugged into VLAN 5; the IP address could not even ping without the permit ip any any during the work hours. Once I added the permit statement I could ping throughout the lab.

  • Thanks for testing it practically and reporting back.  I am also at this lab/task now.



  • It does say "block these users' activities so that they can only go to your internal web server at 148.x.3.100".

    Now, I would take that to mean:

    1. As it doesn't say some users, only users on VLAN 5, that means every user/host.
    2. Only the web server. Well, who cares if they have access to anything else? It said only the web server.
    3. Why TCP 80? It states the web server as an IP address, not a service. So they could have HTTPS or email, or whatever, on the web server. They should still be able to get to it. They didn't say WEB SERVICE.

