08-25-2011 10:10 AM - edited 03-04-2019 01:24 PM
I want to block all the traffic after business hours (5:00 PM to 8:00 AM) and on weekends.
Here is my config on my switch:
time-range no-connection
period weekdays 17:00 to 23:59
period weekdays 1:00 to 8:00
period weekends 1:00 to 23:59
ip access-list extended deny
deny ip any any time-range no-connection
deny icmp any any time-range no-connection
deny tcp any any time-range no-connection
deny udp any any time-range no-connection
interface gi0/1
ip access-group deny in
When I test the connection, it's blocking all the time, not only after 5:00 PM.
Please advise.
Thanks
08-25-2011 10:17 AM
Elango,
You have explicitly denied the traffic in unwanted times but forgot to enable it outside those time windows. Recall that there is an implicit deny ip any any at the end of each ACL. What is not permitted explicitly will be denied. Thus, your ACL is currently "deny all the time".
The correction should be fairly easy, the ACL can be as simple as:
ip access-list extended deny
deny ip any any time-range no-connection
permit ip any any
The logic is: if the time is in the time-range "no-connection", the first rule will match all IP traffic, and it will be denied. Outside that time-range, the first rule will not match, so the router will proceed to the second rule that will match and permit the traffic.
You do not need to specifically enumerate TCP, UDP, ICMP, etc. - the "ip" stands for all IP traffic.
Best regards,
Peter
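To make the implicit-deny point concrete, here is an added Python model (not code from the thread or from Cisco) of first-match ACL evaluation against the time-range in the question. The day classes, inclusive period ends and the protocol-agnostic ACE shape are simplifying assumptions.

```python
from datetime import datetime

# Constructed model of IOS time-range periods: (day class, start "H:MM", end "H:MM").
# "weekdays" = Mon-Fri, "weekends" = Sat-Sun, matching the thread's config.
DAY_CLASSES = {"weekdays": {0, 1, 2, 3, 4}, "weekends": {5, 6}}

def _mins(hhmm):
    """'17:00' -> 1020 minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def in_time_range(periods, when):
    """True if `when` falls inside any period of the time-range (ends inclusive)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in DAY_CLASSES[d] and _mins(s) <= minute <= _mins(e)
               for d, s, e in periods)

def acl_decision(aces, time_ranges, when):
    """First-match evaluation of ACEs (action, time-range name or None).
    Protocol is omitted because every ACE in the thread is 'ip any any',
    which matches all IP traffic. Falls through to the implicit deny."""
    for action, tr in aces:
        if tr is None or in_time_range(time_ranges[tr], when):
            return action
    return "deny"  # implicit 'deny ip any any' at the end of every IOS ACL

# The time-range exactly as posted in the question.
NO_CONNECTION = [("weekdays", "17:00", "23:59"),
                 ("weekdays", "1:00", "8:00"),
                 ("weekends", "1:00", "23:59")]
TIME_RANGES = {"no-connection": NO_CONNECTION}

# Original ACL: only deny ACEs, so nothing is ever permitted explicitly.
ORIGINAL_ACL = [("deny", "no-connection")]
# Corrected ACL from the answer: the same deny, followed by an explicit permit.
CORRECTED_ACL = [("deny", "no-connection"), ("permit", None)]

if __name__ == "__main__":
    # 2011-08-25 is a Thursday, 2011-08-27 a Saturday (constructed sample times).
    for label, when in [("Thu 10:30", datetime(2011, 8, 25, 10, 30)),
                        ("Thu 18:00", datetime(2011, 8, 25, 18, 0)),
                        ("Sat 12:00", datetime(2011, 8, 27, 12, 0))]:
        print(label, "original:", acl_decision(ORIGINAL_ACL, TIME_RANGES, when),
              "corrected:", acl_decision(CORRECTED_ACL, TIME_RANGES, when))
```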
08-25-2011 11:08 AM
08-25-2011 11:10 AM
It will only block during the time range. So have you tested it outside of the time range, i.e. when it should allow traffic, and within the time range, when it should deny traffic?
Jon
08-25-2011 11:16 AM
Yes, I tested the time range. As per my config it should not allow the traffic between 11:00 and 11:30, right? But I am able to.
08-25-2011 11:21 AM
Do you mean the config in your attached file? Sorry, I thought you meant the original post you made.
Be aware with time-based ACLs that once the time range is in effect, it only applies to new connections. Any existing connections are not cut off.
Jon
08-25-2011 11:42 AM
Thanks Jon. I shut and unshut the interface, reloaded the switch, and did an IP release and renew, but I am still able to access. Please advise if I am missing anything.
08-25-2011 11:26 AM
Hi,
Is it applied in the right direction and on the right interface? Because the access-list shows no hits.
Regards.
Alain.
08-25-2011 11:33 AM
Elango, Jon, Alain,
According to the log.txt Elango provided, he is trying to configure the time-based ACL on a switch, not on a router... and on switches, time-based ACLs are generally not supported. I am afraid there is no clever workaround available in this situation.
Jon, you have stated that time-based ACLs work only for new connections and do not influence existing ones. How can that be? An ACL like this does not understand "connections" - it simply drops individual packets, and even if they belong to a connection established before, once a deny ACE starts matching them, they should be dropped. Or am I missing something here?
Best regards,
Peter
08-25-2011 11:38 AM
Peter
No, you're not missing anything. Perhaps I am thinking of time-based ranges on firewalls or with a router running CBAC. I do remember having this very issue with time-based ACLs, but obviously you are right, standard/extended ACLs have no concept of state.
To be honest I'm not exactly sure what I was thinking.
Jon
08-25-2011 11:46 AM
Peter, time-based ACLs won't work on a switch?
08-25-2011 11:51 AM
Elango,
Yes, I am afraid so. What is your exact switch type and IOS version?
Best regards,
Peter
08-25-2011 12:11 PM
As per the document, all IOS platforms will work. Please advise.
08-25-2011 12:13 PM
What document? We are not mind readers.