Time-Based access lists

An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements that apply to IP addresses and possibly upper-layer IP protocols. Time-based ACLs is a Cisco feature introduced in the Release 12.0.1.T to allow access control based on time. The time range, identified by a name, can be ‘absolute‘ or ‘periodic‘.

Use time-based access list is easy and can be useful in some situations. To implement it, you need:

  1. Define time-range
  2. Define ACL, where the time-range is applied to
  3. Apply ACL; for istance: to the interface, to the vty, to the control-plane, …

Examples #1: Periodic Time
Permit SSH router access on the weekends from 8:00 to 22:00.

  1. Define time-range
    Ciscozine(config)#time-range time-ssh
    Ciscozine(config-time-range)#periodic weekend 08:00 to 22:00
  2. Define ACL
    Ciscozine(config)#ip access-list extended permit-ssh
    Ciscozine(config-ext-nacl)#permit tcp any any eq 22 time-range time-ssh
  3. Apply ACL
    Ciscozine(config)#line vty 0 4
    Ciscozine(config-line)#access-class permit-ssh in

Example #2: Absolute time
Block SNMP protocol from 1st March 2011:

  1. Define time-range
    Ciscozine(config)#time-range time-snmp
    Ciscozine(config-time-range)#absolute start 00:00 1 March 2011
  2. Define ACL
    Ciscozine(config)#ip access-list extended deny-snmp
    Ciscozine(config-ext-nacl)#deny udp an an eq snmp time-range time-snmp
    Ciscozine(config-ext-nacl)#permit ip any any
  3. Apply ACL
    Ciscozine(config)#interface fastEthernet 0/1
    Ciscozine(config-if)#ip access-group deny-snmp in

Remember: To check if a time-based access lists is active or not, use the ‘show ip access-list’ or the ‘show time-range’ command

Below the video with the two examples:

References: http://www.cisco.com/…products_tech_note.shtml#timebasedtimerange