09-23-2013 04:37 AM - edited 03-04-2019 09:07 PM
Hi all,
I need to create a time-based ACL. I have been told that I just need to create the time-range and delete the existing access-list 199.
The rest of the config is already there as a nested policy map, so you will not need to apply anything to the interface.
Here is the policy map and class map:
class-map match-any MANCAM
 match access-group 199
policy-map WAN-OUT
 class MANCAM
  police cir 256000
interface Serial0/0/0:1.1 point-to-point
 service-policy output WAN-OUT
Can someone help?
09-23-2013 07:52 AM
A time range needs to be created and applied:
time-range MANCAM
 periodic weekdays 08:00 to 17:00
ip access-list ext 199
 no
 permit tcp any any eq 80 time-range MANCAM
 deny tcp any any eq 80
When the time range is in effect, Monday - Friday from 8 - 5PM, traffic to a web server will be allowed. If the time is outside of this range, the acl entry is bypassed and hits the second line to deny traffic to the web server. The same concept applies for policy maps as well. If the traffic is within the time range, the traffic is policed/shaped/dropped (whatever your policy does), and if it's outside of the range then it would end up matching class default (or another class if you wanted).
HTH,
John
*** Please rate all useful posts ***
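The first-match behaviour described in the answer above, as an added Python model that is not part of the thread and not Cisco code: it evaluates the two ACL 199 entries against the MANCAM time range and reports which class of policy-map WAN-OUT a packet lands in. The function names and sample timestamps are constructed for illustration, and treating the 17:00 end minute as inside the range is an assumption of the model.

```python
from datetime import datetime

# Day keywords of the "periodic" statement, as datetime.weekday() values (Mon=0).
DAY_SETS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}

# Configuration from the thread.
TIME_RANGES = {"MANCAM": "periodic weekdays 08:00 to 17:00"}
ACL_199 = [
    # (action, protocol, destination port, time-range name or None)
    ("permit", "tcp", 80, "MANCAM"),
    ("deny", "tcp", 80, None),
]


def to_minutes(hhmm):
    """Convert 'HH:MM' (or 'H:MM') to minutes since midnight."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def range_active(periodic, now):
    """True if 'periodic <days> HH:MM to HH:MM' covers the router clock 'now'."""
    _, days, start, _, end = periodic.split()
    minute = now.hour * 60 + now.minute
    # Assumption of this model: the end minute itself is inside the range.
    return now.weekday() in DAY_SETS[days] and to_minutes(start) <= minute <= to_minutes(end)


def classify(proto, dport, now):
    """Return the class of policy-map WAN-OUT that the packet falls into."""
    for action, ace_proto, ace_port, time_range in ACL_199:
        if time_range and not range_active(TIME_RANGES[time_range], now):
            continue  # entry is inactive right now, so it is skipped
        if (proto, dport) == (ace_proto, ace_port):
            # class-map MANCAM matches only on a permit; a deny means "not this class".
            return "MANCAM" if action == "permit" else "class-default"
    return "class-default"  # implicit deny at the end of the ACL


if __name__ == "__main__":
    samples = [  # constructed timestamps: 2013-09-23 is a Monday, 2013-09-28 a Saturday
        datetime(2013, 9, 23, 9, 0),
        datetime(2013, 9, 23, 18, 30),
        datetime(2013, 9, 28, 9, 0),
    ]
    for ts in samples:
        print(ts.strftime("%a %H:%M"), "tcp/80 ->", classify("tcp", 80, ts))
```

Because the result depends entirely on the router's own clock, `show clock` and `show time-range` are worth checking after the change.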
09-23-2013 07:57 AM
Ah ok. Thank you so much for assisting.
What is the 'no' line for ?
09-23-2013 08:00 AM
If you have an existing acl you'll want to remove it before adding this one. Remember to add it in the correct sequence in your acl though.
09-23-2013 08:05 AM
Ah yes. Excellent.
Will do.
Thank you so much John. I get it now!