Time-Based ACLs - Scenario 1:

Let’s say you had the following requirement:

“Uses should only be allowed to access the Web Server located at the IP address of 192.168.1.254 during work hours. After work, users should not have access to this web server. All other traffic should be allowed.”

Seems simple enough. We will define work hours as Monday to Friday 9:00am to 5:00pm (you wish!). Most people when given this problem respond with this (or something similar):

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 permit ip any any
 

We have defined a time-range called WORK-HOURS. WORK-HOURS is defined as including all times between 9am to 5pm Monday to Friday. Cool. Exactly what we want. We have then defined an access-list called DENY-WEB that matches tcp traffic destined to the host during the time-range WORK-HOURS. Everything else is permitted.

At first glance this looks fine, but it will not work.

Let’s examine why this will not work. Lets pretend it is Monday morning at 10am. The user hops on and points his browser to http://192.168.1.254. The first rule of the access list will be matched and then access is granted. Cool. This is the behaviour we want.

Now let’s pretend it is Monday night at 6pm. The same user hops on and points his browser to http://192.168.1.254. The first line of the access list will not be matched because it is not during the WORK-HOURS time range. All the conditions on the access-list line must be matched, so we go to the next rule defined in the access-list. We will match this rule (permit ip any any) and the traffic will also be allowed. This is obviously not what we want!

Solution:

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 deny tcp any host 192.168.1.254 eq www
 permit ip any any
 

Much better. Now when the first rule is not matched, we will allow everything except for traffic destined for the web server.

Time-Based ACLs - Scenario 2:

Let’s say we have a new requirement:

During work hours users must be able to access web sites only through a proxy server located at 192.168.1.254. The proxy server is listening on tcp port 3128. After work hours users should be granted full access to any IP address and any website. During work hours the only thing they should be able to access is the proxy server. Do not create two time-ranges for this.

Hmmm. Lets try this:

time-range WORK-HOURS
periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any

This is what most people that I presented this problem too responded with. This is incorrect. Lets have a look at a few use-cases to determine why. Lets pretend its Monday at 10am. The user tries to browse to cisco.com directly instead of going through a proxy server. The first rule of access list will not be matched. The time range is matched, but the destination address will be cisco.com not the address of the proxy server. The next rule will then be matched (permit ip any any). This will allow access to cisco.com during work hours without going through the proxy server which is not what we want.

We could try:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
time-range WORK-HOURS
periodic weekdays 9:00 to 17:00
!
ip access-list extend DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any time-range NON-WORK-HOURS

This will work. On Monday at 9:30am, a user tries to access cisco.com directly instead of going through a proxy server. As per the requirement, this shouldn’t be allowed. The first rule of the access-list will not be matched. The time range is matched, but the destination address will be cisco.com not the address of the proxy server.

The second rule will also not be matched as it does not match the time-range NON-WORK-HOURS (ie. its during work time). The packet will be dropped which is exactly what we want to happen. Unfortunately, this will not meet the requirement of “Do not create two time-ranges for this”. DAMN! So how do we do this?

Solution:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
ip access-list extend DENY_WEB
 permit ip any any time-range NON-WORK-HOURS
 permit tcp any host 192.168.1.254 eq 3128

We have an access list that matches IP traffic only for the time-range NON-WORK-HOURS. During work hours we can only access the proxy server at 192.168.1.254 on tcp port 3128 Everything else will be blocked. Awesome, just what we wanted!

HTH! :)

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

I eventually found this by Petr Lapukhov CCIE#16379 on the Internetwork Expert CCIE Forums:

1) Cisco runs IEEE STP over non-trunking links, i.e. access-ports.
IEEE STP utilizes 802.3 LLC ethernet frame format and multicast
address 0180.c200.0000 BPDU frames have LSAP values of 0×42 for
SSAP/DSAP

Now the lesson is that you should watch for 802.1q with Cisco With
ISL things run smoothly, you have IEEE STP frames on every VLAN. With
802.1q you got that horrible mix

So, putting all that together I came up with this:

mac access-list extended IP
 permit any any 0x800 0x0

mac access-list extended IPV6
 permit any any 0x86DD 0x0

mac access-list extended IP_ARP
 permit any any 0x806 0x0

mac access-list extended PVST+
 permit any any lsap 0xAAAA 0x0
!
! PVST+ uses LLC SNAP encapsulation LSAP equal 0xAAAA.
! In this case need to we see more deeply OUI/Type part SNAP header.
! But i don't know how it can be matched in Cisco IOS.

mac access-list extended IEEE_STP
 permit any any lsap 0x4242 0x0

mac access-list extended ISL_PVST
 permit any any lsap 0x4242 0x0
!
! ie. sames as IEEE_STP!

You can use this vlan access-maps in conjunction with these mac access-lists to allow or deny only certain traffic through a vlan.

For example to allow IP and ARP only in vlan 10:

!
! Be careful we are technically blocking Spanning-tree BPDU's, so this might cause loops!
!
ip access-list extended IP
 permit ip any any
!
mac access-list extended IP_ARP
 permit any any 0x806 0x0
!
vlan access-map IP_AND_ARP_ONLY 10
 action forward
 match ip address IP
!
vlan access-map IP_AND_ARP_ONLY 20
 action forward
 match mac address IP_ARP
!
vlan access-map IP_AND_ARP_ONLY 30
 action drop
!
vlan filter IP_AND_ARP_ONLY vlan-list 10

In the example above we are using an ip access-list to match ip traffic. I originally thought that we could have also used a mac access-list to do this, but an astute reader (See comments below…thanks Sharath!) pointed out this is not possible. I hope this helps. Now back to labs! :)

Resources:

• The Ethertypes can be found here on Cisco Doc CD (Cisco IOS Bridging and IBM Networking Command Reference -> Appendix).
• Sniffing For Cisco Specific Protocols
• How to permit ARP traffic between only two hosts - CCIE-IN-3-MONTHS

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

One solution to this problem is the use of Cisco’s Network Based Application Recognition (NBAR). NBAR is a deep packet inspection and classification engine. It was first introduced in experimental versions of IOS v12.1 and can be used with Cisco’s Modular Quality Of Service Command Line (MQC).

In this article we will look at using MQC to filter websites. I will demonstrate using the match protocol http command to match a URL, a host or MIME type. We will use the following topology for demonstration:

R3 will act as a webserver and R1 as a client. The filtering will be applied on R2. You can download the dynamips .net file the following topology here.
R1 Base Configuration:

hostname R1
!
int s1/0
 ip add 10.0.12.1 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.1 0.0.0.0 area 0

R2 Base Configuration:

hostname R2
!
int s1/0
 ip add 10.0.12.2 255.255.255.0
 no shut
!
int s1/1
 ip add 10.0.23.2 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.12.2 0.0.0.0 area 0
 network 10.0.23.2 0.0.0.0 area 0

R3 Base Configuration:

hostname R3
!
int s1/0
 ip add 10.0.23.3 255.255.255.0
 no shut
!
int f0/0
 ip add 192.168.1.100 255.255.255.0
 no shut
!
router ospf 1
 network 10.0.23.3 0.0.0.0 area 0
!
ip http server
ip http path flash:

We have set up R3 as a webserver. Details on how to setup R3 as a webserver using IOS can be found here.

R3#sh run | in ip http
ip http server
no ip http secure-server
ip http path flash:

R3#dir
Directory of flash:/

    1  -rw-          90                    <no>  picture.gif
    2  -rw-         329                    <no>  picture.jpg
    3  -rw-         174                    <no>  index.html

8388604 bytes total (8387812 bytes free)
</no></no></no>

Basic HTTP Filtering using NBAR

Lets set up basic http filtering with MQC on R2.

R2(config)#class-map match-all MATCH-HTTP
R2(config-cmap)#match protocol http
R2(config-cmap)#exit
R2(config)#policy-map HTTP-POLICY
R2(config-pmap)#class MATCH-HTTP
R2(config-pmap-c)#set dscp af13
R2(config-pmap-c)#exit
R2(config-pmap)#int s1/0
R2(config-if)#service-policy input HTTP-POLICY

In the code above we have a class map called MATCH-HTTP. The match protocol http command tells NBAR to match the http protocol. This will match all http traffic. The MATCH-HTTP class is then utilized in the HTTP-POLICY policy map. This policy map is used to set a DSCP marking on all traffic that matches the MATCH-HTTP class (ie all http traffic). The policy is then implemented on R2’s s1/0. Traffic is inspected and marked as it comes into that interface.

We can check how many packets have been marked using the show policy-map command.

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      2 packets, 168 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#

Lets generate some http traffic, and see if our policy marks some packets.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.544 secs (320 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      124 packets, 10340 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We used the copy http://10.0.23.3/index.html null: command to generate some http traffic. We can see above that 5 packets were generated and were marked as af13. All other traffic will fall into the class-default class. With the packets marked, we could forward them or drop them.

Instead of matching all of the http protocol we can use NBAR to look further into the packet and classify or drop packets based on the host requested.

Match protocol HTTP host

The match protocol HTTP url command is used to match a url. It takes a regular expression as an argument. For example:

match protocol http host *youtube.com*
! This would match anything in youtube.com like http://www.youtube.com or http://video.youtube.com
!
match protocol http host *google*
! This would match anything with google in the host like http://mail.google.com or
http://www.google.com.au
!
match protocol http host google*
! This would match http://google.com but not http://video.google.com

Lets set up R2 to filter based on a host.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http
R2(config-cmap)#match protocol http host 10.0.23.3

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:04:42.071: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We’ve cleared the counters on R2, so lets generate some traffic on R1 again.

R1#copy http://10.0.23.3/index.html null:
Loading http://10.0.23.3/index.html
174 bytes copied in 0.596 secs (292 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 344 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http host "10.0.23.3"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      64 packets, 5300 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

We can see here it matched 5 packets based on the host. We can use this to match whole sites like youtube.com or video.google.com.

Match protocol HTTP url

We can match strings AFTER the host portion of a URL using the match protocol http url command. It also takes a regular expression as an argument. For example:

match protocol http url *video*
! This would match http://www.cisco.com/video/index.php or
http://www.google.com/stuff/video.html
!
match protocol http url video*
! This would match http://www.cisco.com/video but not http://www.cisco.com/stuff/video.html
! because stuff precedes the video portion of the url and in the expression above we have said
! it has to start with the string video
!
match protocol http url *.jpeg|*.jpg|*.gif
! This would match any .jpeg or .jpg or .gif extention in the url

Lets set up R2 to match based on a URL.

R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http host 10.0.23.3
R2(config-cmap)#match protocol http url *.jpg

As you can see above we have used the match protocol http url function of NBAR to match any url that ends in a .jpg. This effectively blocks jpeg images (unless they have a different extension).

Let test it, before we send some traffic we’ll reset the counters on the interface.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 00:43:39.135: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 by console
R2#
R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

If we request a gif file we shouldn’t match the class MATCH-HTTP. Lets test that first.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.644 secs (140 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      18 packets, 1209 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Great Success! Looks pretty good. Now lets try a .jpg extension. We should match this.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 0.820 secs (401 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      7 packets, 433 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.jpg"
      QoS Set
        dscp af13
          Packets marked 7

    Class-map: class-default (match-any)
      22 packets, 1469 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Awesome! You can see above we matched based on a URL.

match protocol http mime

We can also use the match protocol http mime to match internet mime types. The mime type has to be the same mime type that the web server responds with. For a list of valid mime types check out: http://www.sfsu.edu/training/mimetype.htm. Lets look at an example:

match protocol http mime image/jpeg
! This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types
!
match protocol http mime image/jpg
! This would not match anything as it is not a proper mime type. Get a list of the mime types
! here: http://www.sfsu.edu/training/mimetype.htm
!
match protocol http mime image*
! This would match all image mime types
!
match protocol http mime application/x-shockwave-flash
! This would not only match swf flash movies, but all of flash.

Lets set up R2 to filter the image/jpeg mime type:

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#class-map MATCH-HTTP
R2(config-cmap)#no match protocol http url *.jpg
R2(config-cmap)#match protocol http mime ?
  WORD  Enter a string as the sub-protocol parameter

R2(config-cmap)#match protocol http mime image/jpeg
R2(config-cmap)#exit
R2(config)#exit

Once again, we’ll clear the counters so we can verify that this works correctly.

R2#clear counters s1/0
Clear "show interface" counters on this interface [confirm]
*Mar  1 01:12:10.759: %CLEAR-5-COUNTERS: Clear counter on interface Serial1/0 

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      1 packets, 84 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

On R1 lets generate some traffic. A gif file will be requested first. This should not match our policy.

R1#copy http://10.0.23.3/picture.gif null:
Loading http://10.0.23.3/picture.gif
90 bytes copied in 0.808 secs (111 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 0

    Class-map: class-default (match-any)
      10 packets, 689 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

All good! Ok lets do the final test and actually request a jpeg image and see if it matches our policy.

R1#copy http://10.0.23.3/picture.jpg null:
Loading http://10.0.23.3/picture.jpg
329 bytes copied in 1.216 secs (271 bytes/sec)

R2#sh policy-map int s1/0
 Serial1/0 

  Service-policy input: HTTP-POLICY

    Class-map: MATCH-HTTP (match-all)
      5 packets, 220 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "image/jpeg"
      QoS Set
        dscp af13
          Packets marked 5

    Class-map: class-default (match-any)
      16 packets, 1162 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

You can see above that the jpeg image was matched. It works!

Putting it all together

So lets put it all together. We can use all three match protocol http commands in a match-any class map. For example:

class-map match-any INTERNET-SCUM
 match protocol http host *youtube.com*|*video.google.com*
 match protocol http mime video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4a-latm
 match protocol http mime video/3gpp|video/quicktime
 match protocol http url *.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov
! uncomment below if you don't want ANY flash.
! match protocol http mime application/x-shockwave-flash
! match protocol http url *.swf
!
policy-map NOINTERNETVIDEO
 class INTERNET-SCUM
  drop
!
int s1/0
 service-policy input NOINTERNETVIDEO
!

This would match any traffic going to youtube or video.google.com, or any flash applications, or common video mime types, and any swf (flash or flash movie) files! Be aware that NBAR does make your router take a hit in CPU processor usage, I’d suggest evaluating your processor usage before using this in production.

HTH! Now back to labs!

Summary:

• Use the match http protocol command to match the http protocol.
• match protocol http host matches the host portion
• match protocol http url matches the url after the hostname
• match protocol http mime matches mime types

Resources
Webserver - Dynamips .net configuration file
QOS HTTP Filtering - R1 Final Configuration
QOS HTTP Filtering - R2 Final Configuration
QOS HTTP Filtering - R3 Final Configuration

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer

Anyway, the problem was this: assume you are trying to prohibit DHCP within a given VLAN.

We could configure it with:

access-list 101 permit udp any eq bootpc any eq bootps
vlan access-map test1 10
 action drop
 match ip address 101
vlan access-map test1 20
 action forward
vlan filter test1 vlan-list 11

This will work by first dropping what we don’t want and permitting everything else. But if we reverse the logic (ie permit IP traffic, then deny the bootp) with:

access-list 102 deny   udp any eq bootpc any eq bootps
access-list 102 permit ip any any
vlan access-map test2 10
 action forward
 match ip address 102
vlan access-map test2 20
 action drop
vlan filter test2 vlan-list 12

This will not work. Why? It seems logical. But what about ARP? Arp traffic will be matched by the second part of the vlan access-map (ethertype 0×806), so unless we have some static arp statements or they have been cached, we are in trouble.

Great example of vlan-access map logic.

Read this article and more like it on ardenpackeer.com
Follow me on twitter: http://twitter.com/ardenpackeer