Time Based ACL Configuration

Hello there! If you are new here, you might want to subscribe to the RSS feed for updates on this topic.

Time based ACLs were introduced in Cisco IOS 12.0.1.T. They allow for access control based on time.

A time range could be periodic (certain or recurring time of day or week) or absolute (start time to end time). Because time based ACLs rely on router system clock, the router time should be configured properly, either manually or using Network Time Protocol (NTP)

Scenario

Suppose the you have the following requirement

Users can access the company web server from 8:00am to 5:00pm only. The company web server’s IP address is 192.168.1.2

Configuration Steps

Define time range
Use the defined time range in ACLs
Finally, apply to an interface

Configuration

Define time range

Router(config)#time-range OFFICE_TIME
Router(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday

Router(config-time-range)#periodic daily 08:00 to 17:00
Router(config-time-range)#

The above commands are self explanatory. Defined time range named OFFICE_TIME which will be active daily from 8:00am to 5:00pm.

Define access list using the above time range OFFICE_TIME. Permit traffic during office hour to our web server at 192.168.1.2
Drop all traffic to the web server after 5:00pm.

Router(config)#access-list 101 remark OFFICE_TIME_WWW
Router(config)#access-list 101 permit tcp any host 192.168.1.2 eq www time-range OFFICE_TIME
Router(config)#access-list 101 deny tcp any host 192.168.1.2 eq www
Router(config)#access-list 101 permit ip any any
Router(config)#

Apply access list 101 to an interface.

Router(config)#interface fastEthernet 0/0
Router(config-if)#ip access-group 101 in

Conclusion

The above configuration should work fine. The IP address and the interface used might be different depending on the network topology but the configuration concept should be same.
That it for this tutorial. Enjoy.

ACL, Cisco, IOS

About the author

Multi skilled Cisco network engineer, web programmer and system administrator, lost in different career path :-)

This entry was posted by Arsalan A. Suzuki on August 8, 2010 at 9:00 pm, and is filed under Cisco, IOS, Security. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Basic Frame Relay Configuration

about 6 months ago - 446No commentsBasic+Frame+Relay+Configuration2011-08-09+16%3A18%3A32Arsalan+A.+Suzuki

This article shows how to configure basic frame relay without using inverse ARP. We’ll be using the above topology for the configuration. The IP addresses of the routers are 192.168.1.X, where X is the router number. Configuration Steps Assign IP address to the serial interface Configure frame relay encapsulation Set frame map for each router…

Ping Multiple Addresses Using TCL Script Part 2

about 7 months ago - 431No comments2011-06-18+06%3A08%3A44Arsalan+A.+Suzuki

Part 1 of this tutorial showed how to ping multiple IP addresses using TCL script. This tutorial will further refine the script which was in Part 1. Instead of foreach loop, we will be using for loop to make the script shorter. TCL Script Here is the sample script for { set i 1 }…

Ping Multiple Addresses Using TCL Script Part 1

about 7 months ago - 406No comments2011-06-14+00%3A45%3A45Arsalan+A.+Suzuki

There might be situation where you might need to ping multiple IP addresses to check the full connectivity between devices. This tutorial shows you exactly how to do that using TCL script. I’ll be explaining how it works in details so you don’t need to have any programming or scripting experience. TCL Script Below is…

Enable Telnet Access on Cisco Router

about 8 months ago - 373No commentsEnable+Telnet+Access+on+Cisco+Router2011-05-16+19%3A10%3A37Arsalan+A.+Suzuki

This short tutorial shows how to enable telnet access on the router. Configuration Use the following commands to enable telnet access to the router. First check how many virtual terminal router supports. (Depending on the router model, the output might be different) Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#line vty…

Cisco ūmi Home Telepresence on Your TV Set

about 1 year ago - 321No comments2010-10-07+08%3A26%3A22Arsalan+A.+Suzuki

Cisco announced Umi, a video conferencing appliance for typical consumers. Umi consists of camera mounted to the top of the screen which can capture Full HD 1080p video at 30 frames per second. The camera is connected to a device which act as a internet gateway for the TV. Umi which is scheduled to be…

Configuring Port Aggregation with EtherChannel

about 1 year ago - 308No comments2010-10-04+16%3A28%3A50Arsalan+A.+Suzuki

What is EtherChannel? EtherChannel is a link aggregation technology used primarily on Cisco switches. It can bundle two to eight physical port of the same Ethernet media type and speed. All bundled ports must have similar configuration. EtherChannel can be used to increase bandwidth, provide redundancy and load balance traffic EtherChannel Negotiation Protocols Cisco supports…

Configuring VLAN Access Control Lists (VACL)

about 1 year ago - 302No comments2010-09-27+14%3A10%3A27Arsalan+A.+Suzuki

What is VLAN Access Control Lists (VACL) used for? VLAN Access Control Lists (VACL) can be used to filter traffic within the same vlan Scenario Suppose a host is connected to VLAN 2 and we are required to drop all telnet traffic within VLAN 2. Configuration Make an access list to match telnet traffic Router(config)#access-list…

Configuring DHCP Snooping

about 1 year ago - 297No commentsConfiguring+DHCP+Snooping2010-09-09+13%3A34%3A34Arsalan+A.+Suzuki

What is DHCP Snooping DHCP snooping is a security feature inteneded to prevent rogue DHCP server from sending malicious DHCP replies. When DHCP snooping is enabled, the switch intercept all the DHCP requests, and discards DHCP replies coming from “untrusted” ports. The offending switch ports are automatically shut down and put in errdisable state. DHCP…

Cisco IOS Tips: Reload Command Explained

about 1 year ago - 247No comments2010-08-31+10%3A07%3A55Arsalan+A.+Suzuki

I guess the reload command is self explanatory. It reboots the router. Reload command can take two different kind of timer Execute at specific time or date (e.g at 11:00) Execute after certain number of minutes (e.g after 30mins) Note : The router clock must be set before the reload command can work properly. CLI…

Cisco IOS Tips: Display Interface The Smart Way

about 1 year ago - 238No comments2010-08-29+11%3A11%3A29Arsalan+A.+Suzuki

Use the following command to dsplay brief summary of interfaces Router#show ip interface brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 192.168.1.2 YES manual up up FastEthernet0/1 192.168.10.2 YES manual up up FastEthernet1/0 unassigned YES unset up down FastEthernet1/1 unassigned YES unset up down FastEthernet1/2 unassigned YES unset up down FastEthernet1/3 unassigned YES unset up…