Distributed Time-Based Access Lists
First Published: 12.2(2)T
Last Updated: February 28, 2006
History for the Distributed Time-Based Access Lists Feature
Release       Modification
12.2(2)T      This feature was introduced.
12.2(28)SB    This feature was integrated into Cisco IOS Release 12.2(28)SB.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Feature Overview
Cisco IOS allows implementation of access lists based on the time of day. To do so, you create a time range that defines specific times of the day and week. The time range is identified by a name and then referenced by a function, so that those time restrictions are imposed on the function itself.
Currently, IP and IPX named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect.
Before the introduction of the Distributed Time-Based Access Lists feature, time-based access lists were not supported on line cards for the Cisco 7500 series routers. If time-based access lists were configured, they behaved as normal access lists. If an interface on a line card was configured with time-based access lists, the packets switched into the interface were not distributed switched through the line card but forwarded to the Route Processor for processing.
The Distributed Time-Based Access Lists feature allows packets destined for an interface configured with time-based access lists to be distributed switched through the line card.
For this functionality to work, the software clock must remain synchronized between the Route Processor and the line card. This synchronization occurs through an exchange of interprocess communications (IPC) messages from the Route Processor to the line card. When a time range or a time-range entry is changed, added, or deleted, an IPC message is sent by the Route Processor to the line card.
Benefits
The Distributed Time-Based Access Lists feature gives network administrators more control over permitting or denying a user access to resources. Customers can now take advantage of the performance benefits of distributed switching and the flexibility given by time-based access lists.
Configuration Tasks
See the following sections for configuration tasks for the Distributed Time-Based Access Lists feature. Each task in the list is identified as either optional or required.
• Defining a Time Range (required)
• Referencing the Time Range (required)
• Verifying Distributed Time-Based Access Lists (optional)
• Monitoring and Maintaining Distributed Time-Based Access Lists (optional)
Defining a Time Range
Note
The time range relies on the software clock of the routing device. For the time range feature to work the way you intend, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the software clock of the routing device.
To define a time range, use the following commands beginning in global configuration mode.
Repeat these tasks if you have multiple items you want in effect at different times. For example, repeat the steps to include multiple permit or deny statements in an access list in effect at different times. For further details on the commands described, see the corresponding chapter in the Cisco IOS Configuration Fundamentals Command Reference, Release 12.2.
Referencing the Time Range
In order for a time range to be applied, you must reference it by name in a feature that can implement time ranges. To reference the time range, perform one of the following tasks:
• Create an IP extended access list: refer to the "Configuring IP Services" chapter in the Cisco IOS IP Configuration Guide, Release 12.2 for instructions and further details.
• Create an IPX extended access list: refer to the "Configuring Novell IPX" chapter of the Cisco IOS AppleTalk and Novell IPX Configuration Guide, Release 12.2 for instructions and further details.
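The two required tasks above (defining a time range, then referencing it from an IP extended access list) are shown together in the following configuration. It is an added example, not taken from the Cisco guides this page refers to. The time-range name, access-list name, addresses (documentation range 192.0.2.0/24), and interface are assumptions chosen for illustration.

```cisco
! Added example: all names, addresses and the interface are assumptions.
! Keep the software clock reliable, as the Note under "Defining a Time Range" recommends.
ntp server 192.0.2.10
!
! 1. Define the time range: weekdays, 08:00 to 18:00 by the router's software clock.
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! 2. Reference the time range by name in an IP extended access list.
!    Only the first entry is time-based. Outside the range it is inactive,
!    so web traffic to the server falls through to the explicit deny.
ip access-list extended WEB-BUSINESS-HOURS
 permit tcp any host 192.0.2.80 eq www time-range BUSINESS-HOURS
 deny   tcp any host 192.0.2.80 eq www
 permit ip any any
!
! 3. Apply the list inbound on a line-card interface (slot 1 assumed).
interface FastEthernet1/0/0
 ip access-group WEB-BUSINESS-HOURS in
```

The show time-range and show access-lists commands mark each time-based entry as active or inactive, which gives a quick check that the clock and the configured range agree.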
Verifying Distributed Time-Based Access Lists
For the distributed time-based access list functionality to work, the software clock must remain synchronized between the Route Processor and the line card.
To verify that the time clocks remain synchronized and that IPC messages about time range statistics are being sent by the Route Processor to the line card, use the following command in EXEC mode:
Command                        Purpose
Router# show time-range ipc    Displays the statistics about the time-range IPC messages between the Route Processor and line card.
Monitoring and Maintaining Distributed Time-Based Access Lists
To display information about the time-range IPC messages, use the following commands in EXEC mode, as needed:
Configuration Examples
The Distributed Time-Based Access Lists feature is enabled automatically when time ranges are configured on access lists. For an example of a time range applied to an access list, refer to the "Configuring IP Services" chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Additional References
The following sections provide references related to Distributed Time-Based Access Lists.
Related Documents
Related Topic                           Document Title
Cisco IOS configuration fundamentals    Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2
IP configuration tasks                  Cisco IOS IP Configuration Guide, Release 12.2
Addressing and services                 Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
Standards
MIBs
MIB     MIBs Link
None    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents the following modified commands only.
clear time-range ipc
To clear the time-range interprocess communications (IPC) message statistics and counters between the Route Processor and the line card, use the clear time-range ipc command in privileged EXEC mode.
clear time-range ipc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(2)T      This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following example clears the time-range IPC statistics and counters:
Router# clear time-range ipc
Related Commands
debug time-range ipc
To enable debugging output for monitoring the time-range interprocess communications (IPC) messages between the Route Processor and the line card, use the debug time-range ipc command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug time-range ipc
no debug time-range ipc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Release       Modification
12.2(2)T      This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Examples
The following is sample output from the debug time-range ipc command. In the following example, the time ranges sent to the line card are monitored:
Router# debug time-range ipc
00:14:19:TRANGE-IPC:Sent Time-range t1 ADD to all slots
00:15:22:TRANGE-IPC:Sent Time-range t1 ADD to all slots
In the following example, the time ranges deleted from the line card are monitored:
Router# debug time-range ipc
00:15:42:TRANGE-IPC:Sent Time-range t1 DEL to all slots
00:15:56:TRANGE-IPC:Sent Time-range t1 DEL to all slots
Related Commands
Command                Description
show time-range ipc    Displays the statistics about the time-range IPC messages between the Route Processor and line card.
show time-range ipc
To display the statistics about the time-range interprocess communications (IPC) messages between the Route Processor and line card, use the show time-range ipc command in user EXEC or privileged EXEC mode.
show time-range ipc
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
User EXEC
Privileged EXEC
Command History
Release       Modification
12.2(2)T      This command was introduced.
12.2(28)SB    This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
The debug time-range ipc EXEC command must be enabled for the show time-range ipc command to display the time-range IPC message statistics.
Examples
The following is sample output from the show time-range ipc command:
Router# show time-range ipc
RP Time range Updates Sent :3
RP Time range Deletes Sent :2
Table 1 describes the significant fields shown in the display.
Related Commands
Glossary
IPC—interprocess communications. A system that lets threads and processes transfer data and messages among themselves; used to offer services to and receive services from other programs.
line card—Any I/O card that can be inserted in a modular chassis.
RP—Route Processor. Processor module in the Cisco 7000 series routers that contains the CPU, system software, and most of the memory components that are used in the router. Sometimes called a supervisory processor.
VIP—Versatile Interface Processor. Interface card used in Cisco 7000 and Cisco 7500 series routers. The VIP provides multilayer switching and runs Cisco IOS software.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001, 2006 Cisco Systems, Inc. All rights reserved.


