ACL Hit Count Expiration

Mike Keenan
Level 1

Is there a way to configure an ACL to automatically expire and delete itself after a set amount of time of not being hit. For example:

Say I configure a specific rule permitting a specific user using a static IP address to traverse Network A and hit an application on Server X located on Network B. Six months later I forget about said user and he or she moves to another department and no longer needs access with that IP address to that server. Is there a way to configure that rule to automatically drop off if the hit count remains at 0 for longer than X amount of days?

Thanks!

2 Replies

nkarthikeyan
Level 7

You can have a time-based access-list if you want to have the access-list or rule created for a certain period... But I am not sure if we have an option to get automatic deletion of an unused ACL on its own.... and I do not think we have that option.

Regards

Karthik

turbo_engine26
Level 4

There is no such dynamic option for deleting an ACL because it has not been hit by packets from a specific source/destination for a specified period of time.

The only option you have is to use a time-based ACL and set the time that you want for that source/destination traffic. Time-based ACL is as flexible as water. You can set it to use recurring time or absolute time, which is your case.

Firewall(config)# time-range Temp_Worker

Firewall(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]


Hope this helps.


AM
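Since the firewall will not expire a rule on its own, the stale-rule check the original poster describes has to be done outside the box. The following is an added example (not from this thread or from Cisco): it compares two snapshots of ASA-style `show access-list` output taken some days apart and reports ACEs whose hit counter has not moved across the whole window, which generalizes "hitcnt stayed at 0" to "no new hits at all". The sample output and the date strings are constructed; the line format and the trailing per-ACE `0x` hash mirror what the ASA prints, but treat that as an assumption to check against your own platform's output.

```python
import re
from datetime import date

# Constructed sample "show access-list" output (two snapshots, same ACL). Not real device data.
SNAPSHOT_OLD = """\
access-list INSIDE_OUT line 1 extended permit tcp host 10.1.1.5 host 10.2.2.10 eq 443 (hitcnt=0) 0x1a2b3c4d
access-list INSIDE_OUT line 2 extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.20 eq 22 (hitcnt=1530) 0x2b3c4d5e
access-list INSIDE_OUT line 3 extended permit ip any any (hitcnt=99812) 0x3c4d5e6f
"""
SNAPSHOT_NEW = """\
access-list INSIDE_OUT line 1 extended permit tcp host 10.1.1.5 host 10.2.2.10 eq 443 (hitcnt=0) 0x1a2b3c4d
access-list INSIDE_OUT line 2 extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.20 eq 22 (hitcnt=1530) 0x2b3c4d5e
access-list INSIDE_OUT line 3 extended permit ip any any (hitcnt=101337) 0x3c4d5e6f
"""

# One ACE per line: name, line number, the rule text, hit counter, optional per-ACE hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?: (?P<hash>0x[0-9a-f]+))?$"
)


def parse_aces(text):
    """Map each ACE to its hit count. The 0x hash identifies an ACE even when
    object-group expansion gives several ACEs the same line number; fall back
    to (acl, rule text) when no hash is printed (assumption for other platforms)."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # headers, remarks, blank lines
        key = m.group("hash") or (m.group("acl"), m.group("rule"))
        aces[key] = {"acl": m.group("acl"), "line": int(m.group("line")),
                     "rule": m.group("rule"), "hits": int(m.group("hits"))}
    return aces


def stale_aces(old_text, new_text, old_date, new_date, min_days):
    """ACEs present in both snapshots whose counter did not change over at least
    min_days. A counter that went *down* means 'clear access-list counters' or a
    reload happened in between, so it is not reported as stale."""
    elapsed = (date.fromisoformat(new_date) - date.fromisoformat(old_date)).days
    if elapsed < min_days:
        return []  # window too short to conclude anything
    old, new = parse_aces(old_text), parse_aces(new_text)
    return [ace for key, ace in new.items()
            if key in old and old[key]["hits"] == ace["hits"]]
```

Review candidates the script prints are still a human decision; a rule that is only hit during an annual process will look stale for most of the year.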
