Friday, November 30, 2007

Using Cisco's timed access-list (Part 2)

Well, in Part 1 we saw how easy it was to create a timed access-list. Now, let's say you want to apply that access-list today, but your company's web-browsing policy does not start until January 1st, 2008.

I'm sure you don't plan on ringing in the new year at your office. So let's resolve this issue with a second time-range, one that has a start date but no end date:

!
time-range ActivateNewPolicy
absolute start 0:00 1 Jan 2008
!

We had this:

!
ip access-list extended ControlWeb
10 permit tcp any any eq www time-range WebTime
! Statement 20 is matched only when WebTime is out of range
20 deny tcp any any eq www
! Permit anything else
30 permit ip any any
!

The only statement that we need to modify is "20" since that is the one blocking the traffic when "WebTime" is not valid. So we modify the access-list as follows:

!
ip access-list extended ControlWeb
10 permit tcp any any eq www time-range WebTime
! Statement 20 is now active only from 1 Jan 2008 onwards
20 deny tcp any any eq www time-range ActivateNewPolicy
! Permit anything else
30 permit ip any any
!

That's it. Simple, huh?

Here is what happens. WebTime is either in range or it is not; when it is out of range, statement 10 is ignored and the next statement evaluated is 20. Now that statement 20 also carries a time-range, it is only in effect during that range, and because ActivateNewPolicy is an "absolute" range with a start but no end, it becomes active at that date/time and stays active from then on. Until then, statement 20 is skipped as well, so web traffic falls through to statement 30, which permits it.
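To check this logic before rolling it out, here is a small Python model of how IOS walks the ACL, added here as an illustration and not part of the original post or of IOS itself: first match wins, an entry whose time-range is inactive is skipped, and the implicit deny sits at the end. Since Part 1 is not on this page, the definition of WebTime is assumed to be weekdays 08:00 to 18:00.

```python
from datetime import datetime

# Assumption (Part 1 is not on this page): WebTime is a periodic range,
# weekdays 08:00 to 18:00.
def webtime_active(now: datetime) -> bool:
    return now.weekday() < 5 and 8 <= now.hour < 18

# "absolute start 0:00 1 Jan 2008" with no end: active from that instant on.
def activate_new_policy_active(now: datetime) -> bool:
    return now >= datetime(2008, 1, 1, 0, 0)

TIME_RANGES = {
    "WebTime": webtime_active,
    "ActivateNewPolicy": activate_new_policy_active,
}

# ControlWeb as modified above: (sequence, action, protocol, dst port, time-range)
CONTROL_WEB = [
    (10, "permit", "tcp", 80, "WebTime"),
    (20, "deny", "tcp", 80, "ActivateNewPolicy"),
    (30, "permit", "ip", None, None),
]

def evaluate(acl, proto, dst_port, now):
    """First-match evaluation of an ACL for one packet at time `now`.

    An entry whose time-range is inactive is skipped as if it were not there,
    which is exactly what keeps statement 20 dormant until the start date.
    Returns (action, sequence); the implicit deny at the end returns (deny, None).
    """
    for seq, action, aproto, port, trange in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if port is not None and port != dst_port:
            continue
        if trange is not None and not TIME_RANGES[trange](now):
            continue
        return action, seq
    return "deny", None

def decide(proto: str, dst_port: int, when: str):
    """Evaluate ControlWeb for a packet at an ISO timestamp, e.g. '2008-01-02T22:00'.
    IOS compares against the router's own clock, so that clock must be correct."""
    return evaluate(CONTROL_WEB, proto, dst_port, datetime.fromisoformat(when))

if __name__ == "__main__":
    for when in ("2007-12-31T23:00", "2008-01-02T10:00", "2008-01-02T22:00"):
        print(when, "web ->", decide("tcp", 80, when))
```

Before the start date, web traffic outside WebTime is permitted by statement 30; after it, the same traffic hits the deny in statement 20.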

So, there it is. Now you can stay at home on New Year's Eve while the guys doing the nocturnal backups get kicked off the Internet.
