Friday, November 30, 2007

Using Cisco's timed access-list (Part1)

Timed access-list are somehow "nice" but I haven't still used in a production network.

The initial reaction of people is "lets do some timed access-list" but then, when the reality comes, they get scare. The truth is that many times people want to have some features and capabilities and they get them. But then, when they find out is going to cost them some more administrative overhead they go away.

Well, the concept is quite simple. You have a network element which you want to control based on day/time/month, etc. Well, Cisco's timed access-list let you do that.

What a better way to explain something that with an example? Lets say you what your employees to be able to do web browsing only during Lunch in weekdays and any time at weekends.

Lets start with the definition of the time ranges:

time-range WebTime
periodic weekdays 12:00 to 13:00
periodic weekend 00:00 to 23:59

Define the access-list using the time range:

ip access-list extended ControlWeb
10 permit tcp any any eq www time-range WebTime
20 deny tcp any any eq www ! This will be matched if WebTime not in range
30 permit ip any any ! Permit anything else

Apply the access-list to the proper interface (either LAN or WAN, but make sure to correctly select outbound or inbound direction).

interface Serial 0/0
description WAN
ip access-group ControlWeb out

So there you go. You have a time-controlled browsing at your office.

Now, what about planning ahead the deployment of timed access-list. Well, wait for Part2 ;-)

No comments:

Post a Comment