Time based access list not working

Elango Murugan
Level 1

I want to block all the traffic after business hours, 5:00 PM to 8:00 AM, and on weekends.

Here is my config on my switch:

time-range no-connection
period weekdays 17:00 to 23:59
period weekdays 1:00 to 8:00
period weekends 1:00 to 23:59

ip access-list extended deny
deny ip any any time-range no-connection
deny icmp any any time-range no-connection
deny tcp any any time-range no-connection
deny udp any any time-range no-connection

interface gi0/1
ip access-group deny in

When I test the connection, it's blocking all the time, not only after 5:00 PM.

Please advise.

thanks


18 Replies

Peter Paluch
Cisco Employee

Elango,

You have explicitly denied the traffic in unwanted times but forgot to enable it outside those time windows. Recall that there is an implicit deny ip any any at the end of each ACL. What is not permitted explicitly will be denied. Thus, your ACL is currently "deny all the time".

The correction should be fairly easy; the ACL can be as simple as:

ip access-list extended deny
deny ip any any time-range no-connection
permit ip any any

The logic is: if the time is in the time-range "no-connection", the first rule will match all IP traffic, and it will be denied. Outside that time-range, the first rule will not match, so the router will proceed to the second rule, which will match and permit the traffic.

You do not need to specifically enumerate TCP, UDP, ICMP, etc. - the "ip" stands for all IP traffic.

Best regards,

Peter
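The first-match evaluation Peter describes (and the stateless behaviour discussed further down in the thread) can be simulated in a few lines. The following is an added example, not code from the thread or from Cisco: it models an IOS extended ACL as an ordered list of entries ending in the implicit deny, with a time-range that only makes an entry active inside its periods. The time-range and both ACLs are transcribed from the posts above; the dates used as sample input are constructed (8 January 2024 is a Monday, 13 January a Saturday).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

WEEKDAYS: Set[int] = {0, 1, 2, 3, 4}   # Monday..Friday, as datetime.weekday() numbers them
WEEKENDS: Set[int] = {5, 6}            # Saturday, Sunday


def _hhmm(text: str) -> int:
    """'17:00' -> minutes since midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


@dataclass
class TimeRange:
    """A named time-range made of periodic (days, start, end) windows; ends are inclusive."""
    name: str
    periods: List[Tuple[Set[int], str, str]]

    def active(self, when: datetime) -> bool:
        minute = when.hour * 60 + when.minute
        return any(
            when.weekday() in days and _hhmm(start) <= minute <= _hhmm(end)
            for days, start, end in self.periods
        )


@dataclass
class Ace:
    """One access-control entry: action, protocol keyword, optional time-range."""
    action: str                            # "permit" or "deny"
    protocol: str                          # "ip" matches every IP protocol
    time_range: Optional[TimeRange] = None

    def matches(self, protocol: str, when: datetime) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        # An entry with a time-range is simply inactive outside that range.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        return True


def evaluate(acl: List[Ace], protocol: str, when: datetime) -> str:
    """First matching entry wins; the implicit 'deny ip any any' ends every ACL."""
    for ace in acl:
        if ace.matches(protocol, when):
            return ace.action
    return "deny"


def decide(acl: List[Ace], protocol: str, timestamp: str) -> str:
    """Convenience wrapper taking an ISO timestamp such as '2024-01-08T12:00'."""
    return evaluate(acl, protocol, datetime.fromisoformat(timestamp))


def trace_connection(acl: List[Ace], protocol: str, start: str,
                     packets: int, interval_minutes: int = 5) -> List[str]:
    """Judge each packet of one flow on its own: the ACL keeps no connection state,
    so a flow that began before the range starts is cut off once the deny entry is active."""
    first = datetime.fromisoformat(start)
    return [evaluate(acl, protocol, first + timedelta(minutes=i * interval_minutes))
            for i in range(packets)]


# The poster's time-range, transcribed from the thread.
NO_CONNECTION = TimeRange("no-connection", [
    (WEEKDAYS, "17:00", "23:59"),
    (WEEKDAYS, "01:00", "08:00"),
    (WEEKENDS, "01:00", "23:59"),
])

# The ACL as originally posted: only deny entries, so nothing is ever permitted.
ORIGINAL_ACL = [
    Ace("deny", "ip", NO_CONNECTION),
    Ace("deny", "icmp", NO_CONNECTION),
    Ace("deny", "tcp", NO_CONNECTION),
    Ace("deny", "udp", NO_CONNECTION),
]

# Peter's correction: deny inside the range, permit everything else.
FIXED_ACL = [
    Ace("deny", "ip", NO_CONNECTION),
    Ace("permit", "ip"),
]

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, "Monday 12:00 tcp:", decide(acl, "tcp", "2024-01-08T12:00"))
        print(label, "Monday 18:00 udp:", decide(acl, "udp", "2024-01-08T18:00"))
    print("flow across 17:00:", trace_connection(FIXED_ACL, "tcp", "2024-01-08T16:50", 4))
```

Running the simulation reproduces the thread: the original ACL returns "deny" at Monday noon because no entry matches and the implicit deny applies, while the fixed ACL permits at noon and denies at 18:00 and on Saturday. It also shows the detail Peter raises later, that packets of a flow started at 16:50 are dropped from 17:00 on, since nothing in the ACL remembers the earlier permits. One thing the model makes visible about the posted time-range is that its weekday and weekend periods begin at 01:00, so traffic between midnight and 01:00 falls outside "no-connection" and is permitted by the corrected ACL.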

You're right, Peter. After applying the command I am now able to access everything, but the blocking is not working now.

It will only block during the time range. So have you tested it outside of the time range, i.e. it should allow traffic, and within the time range, when it should deny traffic?

Jon

Yes, I tested the time range. As per my config it should not allow the traffic between 11:00 and 11:30, right? But I am able to.

Do you mean the config in your attached file? Sorry, I thought you meant the original post you made.

Be aware with time based acls that once the time range is in effect it only applies to new connections. Any existing connections are not cut-off.

Jon

Thanks Jon. I shut and unshut the interface, reloaded the switch, and released and renewed the IP; still I am able to access. Please advise if I am missing anything.

Hi,

Is it applied in the right direction and on the right interface? Because the access-list shows no hits.

Regards.

Alain.

Don't forget to rate helpful posts.

Elango, Jon, Alain,

According to the log.txt Elango provided, he is trying to configure the time-based ACL on a switch, not on a router... and on switches, time-based ACLs are generally not supported. I am afraid there is no clever workaround available in this situation.

Jon, you have stated that time-based ACLs work only for new connections and do not influence existing ones. How can that be? An ACL like this does not understand "connections" - it simply drops individual packets, and even if they belong to a connection established before, once a deny ACE starts matching them, they should be dropped. Or am I missing something here?

Best regards,

Peter

Peter

No, you're not missing anything. Perhaps I am thinking of time-based ranges on firewalls or with a router running CBAC. I do remember having this very issue with time-based ACLs, but obviously you are right, standard/extended ACLs have no concept of state.

To be honest I'm not exactly sure what I was thinking.

Jon

Peter, time-based ACLs won't work on a switch?

Elango,

Yes, I am afraid so. What is your exact switch type and IOS version?

Best regards,

Peter

Here you go, Peter.

As per the document, all IOS platforms will work. Please advise.

What document? We are not mind readers.
