An access list is a sequential list consisting of at least one permit statement and possibly one or more deny statements that apply to IP addresses and possibly to upper-layer IP protocols. Time-based ACLs are a Cisco feature introduced in Release 12.0.1.T to allow access control based on time. The time range, identified by a name, can be 'absolute' or 'periodic'.
Using a time-based access list is easy and can be useful in some situations. To implement it, you need to:
- Define a time-range
- Define the ACL that references the time-range
- Apply the ACL; for instance to an interface, to the vty lines, to the control-plane, …
Example #1: Periodic time
Permit SSH router access on the weekends from 8:00 to 22:00.
- Define time-range
Ciscozine(config)#time-range time-ssh
Ciscozine(config-time-range)#periodic weekend 08:00 to 22:00
- Define ACL
Ciscozine(config)#ip access-list extended permit-ssh
Ciscozine(config-ext-nacl)#permit tcp any any eq 22 time-range time-ssh
- Apply ACL
Ciscozine(config)#line vty 0 4
Ciscozine(config-line)#access-class permit-ssh in
Example #2: Absolute time
Block the SNMP protocol from 1st March 2011 onwards:
- Define time-range
Ciscozine(config)#time-range time-snmp
Ciscozine(config-time-range)#absolute start 00:00 1 March 2011
- Define ACL
Ciscozine(config)#ip access-list extended deny-snmp
Ciscozine(config-ext-nacl)#deny udp any any eq snmp time-range time-snmp
Ciscozine(config-ext-nacl)#permit ip any any
- Apply ACL
Ciscozine(config)#interface fastEthernet 0/1
Ciscozine(config-if)#ip access-group deny-snmp in
Remember: to check whether a time-based access list is currently active, use the 'show ip access-list' or the 'show time-range' command.
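To reason about when the two ranges above are active before touching the router, the following added example (not from the original post or from Cisco) parses the 'periodic' and 'absolute' statements of a time-range block and evaluates them against a given timestamp, the same way you would read the output of 'show time-range'. It assumes the 'periodic <days...> HH:MM to HH:MM' form and treats the end minute as inclusive.

```python
from datetime import datetime

# Cisco 'periodic' day keywords mapped to Python weekday() values (Monday=0).
DAY_KEYWORDS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
}

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def parse_time_range(config_lines):
    """Parse the statements inside one time-range block.
    Returns (periodic, absolute): periodic is a list of (weekday set, start
    minute, end minute); absolute maps 'start'/'end' to datetime objects."""
    periodic, absolute = [], {}
    for line in config_lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "periodic":
            days, idx = set(), 1
            while ":" not in parts[idx]:          # day keywords precede the start time
                days |= DAY_KEYWORDS[parts[idx].lower()]
                idx += 1
            start, end = parts[idx], parts[idx + 2]   # skip the literal 'to'
            periodic.append((days, _minutes(start), _minutes(end)))
        elif parts[0] == "absolute":
            # absolute [start HH:MM D Month YYYY] [end HH:MM D Month YYYY]
            idx = 1
            while idx < len(parts):
                stamp = " ".join(parts[idx + 1:idx + 5])   # e.g. '00:00 1 March 2011'
                absolute[parts[idx]] = datetime.strptime(stamp, "%H:%M %d %B %Y")
                idx += 5
    return periodic, absolute

def is_active(periodic, absolute, when):
    """True if the time range (and so any ACE that references it) is active at 'when'."""
    if "start" in absolute and when < absolute["start"]:
        return False
    if "end" in absolute and when > absolute["end"]:
        return False
    if not periodic:                      # absolute-only range: active inside the window
        return True
    now = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= now <= end
               for days, start, end in periodic)

def active_at(time_range, stamp):
    """Evaluate a parsed (periodic, absolute) pair at a 'YYYY-MM-DD HH:MM' stamp."""
    periodic, absolute = time_range
    return is_active(periodic, absolute, datetime.fromisoformat(stamp))

# Constructed sample blocks, copied from the two examples above.
SSH_RANGE = parse_time_range(["periodic weekend 08:00 to 22:00"])
SNMP_RANGE = parse_time_range(["absolute start 00:00 1 March 2011"])
```

Feeding it the router's running configuration lets you confirm that a deny entry really becomes active at the moment you expect, which matters when the range guards a management protocol such as SSH or SNMP.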
References: http://www.cisco.com/…products_tech_note.shtml#timebasedtimerange