
Blocking based on Time of Day Access-Lists

I came across an interesting problem the other day: someone had a 15 GB usage cap on their ADSL line during the day but unlimited usage from midnight to 8am. Another person in the house was partial to downloading large files, and they wanted to stop them doing so until the unlimited period started.

What was required was essentially a class-map which matches on both the time of day and the protocols in use. Traffic hitting that class can then be dropped by a policy-map applied to an interface.

The first thing I did was to create a class-map which matches any of the peer-to-peer protocols that NBAR recognises, like so:

class-map match-any Peer2Peer
match protocol bittorrent
match protocol edonkey
match protocol gnutella
match protocol kazaa2
match protocol fasttrack
match protocol winmx
match protocol directconnect

Next I created a time range called OFFPEAK covering 08:00 to 23:59, which is the period where the restrictions apply (despite the name, this is the capped daytime period; the unlimited window from midnight to 8am is simply everything the time-range does not cover). Time-ranges are evaluated against the router's own clock, so make sure the clock and timezone are correct, ideally via NTP, or the restriction will kick in at the wrong hours.

time-range OFFPEAK
periodic daily 8:00 to 23:59

Now we need an access-list to attach the time-range to. This one matches any traffic sourced from my LAN range to any destination, but only while OFFPEAK is active, i.e. between 08:00 and 23:59. Because it matches on source address it only catches the LAN-to-internet direction, which is enough: dropping the outbound half of a connection breaks it in both directions.

ip access-list extended P2P_TOD
remark Used to apply Time of Day to P2P traffic
permit ip 192.168.3.0 0.0.0.255 any time-range OFFPEAK

We can then create a match-all class-map which only matches traffic that is both a P2P protocol and seen between 8am and midnight:

class-map match-all Peer2Peer_TOD
match class-map Peer2Peer
match access-group name P2P_TOD

Lastly we create a policy-map which drops that class and apply it inbound on the interface closest to the offending user (the LAN interface), so the traffic is dropped before it crosses the router. Creating the policy-map alone does nothing; it only takes effect once it is attached to an interface with service-policy:

policy-map Drop_P2P
class Peer2Peer_TOD
drop
!
! Replace FastEthernet0/0 with your LAN-facing interface
interface FastEthernet0/0
service-policy input Drop_P2P

Simple, huh! One caveat: NBAR has to see enough of a flow to recognise the protocol, so the first few packets of each connection may pass before the drop kicks in, and encrypted or obfuscated P2P traffic may not be classified at all. There are plenty of other uses for the configuration above: what about rate limiting certain types of traffic during work hours whilst leaving them unrestricted at lunch or after hours? The possibilities are endless...enjoy!
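As an added example (not from the original post), here is the rate-limiting variant: police bulk transfers from the LAN during office hours on weekdays, while lunchtime, evenings and weekends stay unrestricted. It uses the same class-map/time-range/ACL/policy-map pattern as above, with police in place of drop and two periodic entries in one time-range to carve out lunch. The interface name, LAN subnet, NTP server address, protocols and rates are assumptions; adjust them for your network.

```cisco
! Added example, not from the original post. Interface name, subnet,
! NTP server, protocols and rates are assumptions; adjust for your network.
!
! A time-range is only as good as the router clock, so sync it first.
clock timezone GMT 0
ntp server 192.0.2.1
!
! Two periodic entries in one time-range: 09:00-12:29 and 13:30-17:29,
! weekdays only. Lunch (12:30-13:29) falls in the gap, so it is unrestricted.
time-range WORKHOURS
 periodic weekdays 9:00 to 12:29
 periodic weekdays 13:30 to 17:29
!
! Only LAN-sourced traffic is matched, and only while WORKHOURS is active;
! outside that window the entry is inactive and nothing is classified.
ip access-list extended LAN_WORKHOURS
 remark Matches LAN-sourced traffic only while WORKHOURS is active
 permit ip 192.168.3.0 0.0.0.255 any time-range WORKHOURS
!
! NBAR protocol matches for the traffic to be limited (assumed choice).
class-map match-any BulkTransfer
 match protocol ftp
 match protocol rtsp
!
! match-all: must be a bulk protocol AND inside the active time window.
class-map match-all BulkTransfer_WORKHOURS
 match class-map BulkTransfer
 match access-group name LAN_WORKHOURS
!
! police rather than drop: 512 kbps with a 16000-byte burst, excess is dropped.
policy-map Limit_BulkTransfer
 class BulkTransfer_WORKHOURS
  police 512000 16000 conform-action transmit exceed-action drop
!
! Apply inbound on the LAN-facing interface so excess is dropped before
! it crosses the router.
interface FastEthernet0/0
 description LAN-facing interface (assumed name)
 service-policy input Limit_BulkTransfer
```

To check it is doing what you expect, `show clock` confirms the router's idea of the time, `show time-range WORKHOURS` shows whether the range is currently active, `show ip access-lists LAN_WORKHOURS` marks the time-range entry as active or inactive, and `show policy-map interface FastEthernet0/0` shows the conform and exceed counters for the policed class.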

Today I came across a customers 3750 switch stack which had a flapping stackwise link. The stackwise link was transitioning up/down around 3 times a second and causing massive issues with connectivity and EIGRP routing for the site. Previously I believed that I would need to physically remove the Stackwise cable in order to restore service by shutting the flapping link. It seems it is possible to shut the Stackwise port from the CLI although it is done from enable mode rather than Configure terminal. The command is.. Switch#switch 1 stack port 1 ? disable Disable stack port enable Enable stack port The first number 1 would indicate the switch number in the stack and the second number 1 after the port is the Stackwise port number you want to shut. Make a note of which switch and port you shut as it will not show up in the config or the show outputs which could prove tricky when you want to reenable it.. You can determine the status of the ports using the command below but not how