An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements that apply to IP addresses and possibly upper-layer IP protocols. Time-based ACLs are a Cisco feature introduced in Release 12.0.1.T that allow access control based on time: an entry of the ACL is evaluated only while the time range it references is active, and is ignored otherwise. The time range, identified by a name, can be 'absolute' (a fixed start and/or end date and time), 'periodic' (recurring on given days of the week and hours), or a combination of both (one absolute statement bounding one or more periodic statements).
Using time-based access lists is easy and can be useful in some situations. To implement one, you need to:
- Define time-range
- Define ACL, where the time-range is applied to
- Apply ACL; for instance: to the interface, to the vty, to the control-plane, …
Example #1: Periodic time
Permit SSH router access on the weekends from 8:00 to 22:00. Note that the ACL below contains only that one entry: outside the window the entry is inactive, so the implicit deny at the end of the ACL blocks every vty connection, including the administrators'.
- Define time-range
Ciscozine(config)#time-range time-ssh
Ciscozine(config-time-range)#periodic weekend 08:00 to 22:00
- Define ACL
Ciscozine(config)#ip access-list extended permit-ssh
Ciscozine(config-ext-nacl)#permit tcp any any eq 22 time-range time-ssh
- Apply ACL
Ciscozine(config)#line vty 0 4
Ciscozine(config-line)#access-class permit-ssh in
Example #2: Absolute time
Block SNMP protocol from 1st March 2011:
- Define time-range
Ciscozine(config)#time-range time-snmp
Ciscozine(config-time-range)#absolute start 00:00 1 March 2011
- Define ACL
Ciscozine(config)#ip access-list extended deny-snmp
Ciscozine(config-ext-nacl)#deny udp any any eq snmp time-range time-snmp
Ciscozine(config-ext-nacl)#permit ip any any
- Apply ACL
Ciscozine(config)#interface fastEthernet 0/1
Ciscozine(config-if)#ip access-group deny-snmp in
Remember: to check whether a time-based access list entry is active or not, use the 'show ip access-list' command (each entry that references a time range is marked "(active)" or "(inactive)") or the 'show time-range' command. Time ranges are evaluated against the router's own clock, so the clock, including the time zone, must be correct (for example, synchronized with NTP); a wrong clock silently opens or closes the window at the wrong moment.
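The following script is an added example and is not part of the original post nor Cisco code. It answers offline the same question 'show ip access-list' answers on the box: given a running-config excerpt, which entries of each ACL are in effect at a given moment? The excerpt is a constructed reproduction of the two examples above. The evaluator follows the documented semantics (an absolute statement bounds the range, periodic statements must additionally match) with three labelled assumptions: only the single day-set form of 'periodic' is parsed, the end minute of a periodic range is treated as inclusive, and an entry referencing an undefined time range is treated as inactive. The function names (parse_config, is_active, active_entries, lockout_warning) are mine.

```python
"""Audit Cisco IOS time-based ACLs offline: which entries are active at a given moment?"""
import re
from datetime import datetime

# datetime.weekday(): Monday = 0 ... Sunday = 6
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
IMPLICIT_DENY = "deny ip any any (implicit)"

# Constructed running-config excerpt reproducing the two examples from the post.
SAMPLE_CONFIG = """\
time-range time-ssh
 periodic weekend 08:00 to 22:00
!
time-range time-snmp
 absolute start 00:00 1 March 2011
!
ip access-list extended permit-ssh
 permit tcp any any eq 22 time-range time-ssh
!
ip access-list extended deny-snmp
 deny udp any any eq snmp time-range time-snmp
 permit ip any any
"""


def at(iso):
    """Helper: '2011-03-05T10:00' -> datetime."""
    return datetime.fromisoformat(iso)


def _hhmm(text):
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def _parse_range_line(tr, line):
    tokens = line.split()
    if tokens[0] == "periodic":
        # Assumption: only 'periodic <days...> hh:mm to hh:mm' (one day set) is handled.
        days, i = set(), 1
        while tokens[i] in DAY_SETS or tokens[i] in DAY_NAMES:
            days |= DAY_SETS.get(tokens[i]) or {DAY_NAMES.index(tokens[i])}
            i += 1
        tr["periodic"].append((days, _hhmm(tokens[i]), _hhmm(tokens[i + 2])))
    elif tokens[0] == "absolute":
        # absolute [start hh:mm d Month yyyy] [end hh:mm d Month yyyy]
        for m in re.finditer(r"(start|end) (\d\d:\d\d \d{1,2} \w+ \d{4})", line):
            tr["absolute"][m.group(1)] = datetime.strptime(m.group(2), "%H:%M %d %B %Y")


def _parse_ace(line):
    """'permit tcp any any eq 22 time-range time-ssh' -> action, match text, range name."""
    tokens, rng = line.split(), None
    if "time-range" in tokens:
        k = tokens.index("time-range")
        rng, tokens = tokens[k + 1], tokens[:k]
    return {"action": tokens[0], "match": " ".join(tokens[1:]), "time_range": rng}


def parse_config(text):
    """Return (time ranges by name, ACLs by name) from an IOS config excerpt."""
    ranges, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
        elif line.startswith("time-range "):
            current = ("range", line.split()[1])
            ranges[current[1]] = {"periodic": [], "absolute": {}}
        elif line.startswith("ip access-list "):
            current = ("acl", line.split()[-1])
            acls[current[1]] = []
        elif current and current[0] == "range":
            _parse_range_line(ranges[current[1]], line)
        elif current and current[0] == "acl":
            acls[current[1]].append(_parse_ace(line))
    return ranges, acls


def is_active(tr, when):
    """Absolute window bounds everything; periodic statements (if any) must also match."""
    when = when.replace(second=0, microsecond=0)  # IOS time ranges have minute granularity
    bounds = tr["absolute"]
    if "start" in bounds and when < bounds["start"]:
        return False
    if "end" in bounds and when > bounds["end"]:
        return False
    if not tr["periodic"]:
        return True
    minute = when.hour * 60 + when.minute
    # Assumption: end minute inclusive, i.e. '08:00 to 22:00' covers 22:00:00-22:00:59.
    return any(when.weekday() in days and start <= minute <= end
               for days, start, end in tr["periodic"])


def active_entries(acl_name, when, ranges, acls):
    """Entries in effect at `when`, in order, plus the implicit deny IOS appends."""
    entries = []
    for ace in acls[acl_name]:
        rng = ace["time_range"]
        # Assumption: an entry whose time range is undefined is treated as inactive.
        if rng is None or (rng in ranges and is_active(ranges[rng], when)):
            entries.append(f"{ace['action']} {ace['match']}")
    return entries + [IMPLICIT_DENY]


def lockout_warning(acl_name, when, ranges, acls):
    """True when nothing but the implicit deny is left, e.g. a vty ACL that locks everyone out."""
    return active_entries(acl_name, when, ranges, acls) == [IMPLICIT_DENY]


if __name__ == "__main__":
    ranges, acls = parse_config(SAMPLE_CONFIG)
    for when in (at("2011-03-05T10:00"), at("2011-03-07T10:00"), at("2011-02-28T23:59")):
        print(when.strftime("%A %Y-%m-%d %H:%M"))
        for name in acls:
            flag = "  <-- LOCKOUT" if lockout_warning(name, when, ranges, acls) else ""
            print(f"  {name}: {active_entries(name, when, ranges, acls)}{flag}")
```

Running it shows permit-ssh reduced to the implicit deny on Monday 7 March 2011, which is exactly the vty lockout the first example creates outside the weekend window, and deny-snmp without its deny entry before 1 March 2011. Run the script against the output of 'show running-config' with the router's real clock value before applying a time-based ACL to a management path.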
Below is the video with the two examples:
References: http://www.cisco.com/…products_tech_note.shtml#timebasedtimerange
Today I've read somewhere that "Time Based ACL, it starts with the 1st second of the first minute and ends up with the last second of the last minute… if you want to block traffic, like from 08:00 to 14:00, you should do
periodic daily 08:00 to 13:59"