Timed internet access on 2811???

Unanswered Question
Sep 16th, 2009

Hi,


I have a 2811 router running C2800NM-ADVENTERPRISEK9-M, Version 12.4(24)T1.


I want to find out if it's possible to configure timed internet access on the router either using CLI or SDM, or if I need to get an add-on software or hardware to the router?


Regards,


Femi

Jon Marshall Wed, 09/16/2009 - 03:23

Femi


Yes, you can use a time based acl -


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#timebasedtimerange


Be aware though that with timed ACLs, once the end time has been passed any existing connections are still allowed. Only new connections are denied.


If you want to immediately cut off all connections when the time is up you would need to use EEM or a script to connect to the router and clear all the existing connections.


Jon
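
A time-based ACL of the kind Jon describes, as an added example that is not part of the original post. The time-range name, ACL name, LAN subnet (192.168.1.0/24) and LAN interface (FastEthernet0/0) are assumptions made for illustration:

```cisco
! Constructed example: names, addresses and interface are assumptions
!
! Window during which new outbound web sessions are allowed
time-range WORK-HOURS
 periodic weekdays 7:30 to 18:30
!
ip access-list extended INTERNET-OUT
 ! Web traffic is matched only while WORK-HOURS is active
 permit tcp 192.168.1.0 0.0.0.255 any eq www time-range WORK-HOURS
 permit tcp 192.168.1.0 0.0.0.255 any eq 443 time-range WORK-HOURS
 ! DNS stays available at all times
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 ! Everything else is dropped and logged
 deny   ip any any log
!
! Apply inbound on the LAN-facing interface
interface FastEthernet0/0
 ip access-group INTERNET-OUT in
```

The time range follows the router's own clock, so the clock needs to be correct (NTP, for example). `show time-range` and `show access-lists` report whether the range and the entries that use it are currently active.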

femi.agboade Wed, 09/16/2009 - 03:34

Hi Jon,


Thanks for the response. My initial problem with ACL was that I had to be searching for all possible IP addresses for specific websites, which was near impossible to get them all.


I will try this out and let you know how it goes.


However, what is EEM and could you give me an idea of a script that you are referring to?


Access is supposed to be blocked to specific websites and not the whole internet actually.


Regards,


Femi

Jon Marshall Wed, 09/16/2009 - 03:41

Femi


EEM is the Embedded Event Manager which allows you to add your own bits of "code" to the router to enhance its functionality. Funnily enough you are in the right forum here because the expert on EEM is Joe Clarke who hangs out in this forum. EEM uses TCL as a script language.


As for the script. Well before EEM and still now in fact you can write scripts in Perl/TCL etc. that can login to routers/switches and execute a series of commands. With TCL you use Expect. With Perl there is an Expect module and also a Net::Telnet::Cisco module written specifically to connect to Cisco routers/switches. You could then run this script from a windows or unix box using cron for example. Unix usually works a lot better !!


If you are looking to block access to specific websites based on their URLs and the time etc. you may want to look at more specific solutions such as Websense which is geared towards this sort of thing.


Jon

femi.agboade Wed, 09/16/2009 - 04:23

Hi Jon,


So I guess EEM would be like an add on. I tried reading up on it, but didn't quite get much from it.


I have visited the WebSense website and requested a quote. It seems to me like a 'proxy' service, which implies I would have to route internet traffic through the server that this app will sit on. I was initially avoiding this option but I guess it may be the way out... Considering it's got a GUI, it should make it easier to manage as opposed to the script writing...


Regards,


Femi



Joe Clarke Thu, 09/24/2009 - 17:25

EEM is not an add-on. It's already built into IOS. Your version of code supports EEM 3.0, so you have a lot of power in what you can do. In fact, Tcl won't even be required. If you wanted to be brutish about it, you could have two EEM policies that take down the Internet interface and bring it back up at specified times.


For example, say your Internet interface is Serial0/0. The following two EEM applets will shut this interface down at 18:30 (6:30 pm), and bring it back up at 07:30 (7:30 am):


! Interface that carries the Internet connection; the applets read it as $internet_intf
event manager environment internet_intf Serial0/0
!
! Shut the interface down every day at 18:30
event manager applet shutdown-internet
 event timer cron cron-entry "30 18 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $internet_intf"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Interface $internet_intf shutdown"
!
! Bring the interface back up every day at 07:30
event manager applet restore-internet
 event timer cron cron-entry "30 7 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $internet_intf"
 action 4.0 cli command "no shut"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Internet connection restored"
