Time-based ACLs

Tony Mattke · 2011.04.25 · 2 min read

Ever since Cisco released IOS 12.0.1T we’ve been able to broaden the reach of an extended ACL by making entries depend on the time of day. A time-based ACL entry references a time range identified by a name; the entry is only in effect while that range is active. The time range is evaluated against the router’s system clock. The local clock can be used on its own, but everything works better with Network Time Protocol (NTP) synchronization, since the enforcement decision is only as reliable as the clock it is based on.

Let’s say company XYZ has realized that many of its employees are surfing the web during the day. They’ve asked you to block all web access during work hours. Simple enough, right? First we’ll define XYZ work hours within a time range: Monday through Friday, 8:00am to 5:00pm. Next, we have to define the ACL that we’ll apply on our interface.

```text
time-range XYZ-WORK-HOURS
  periodic weekdays 8:00 to 17:00
!
ip access-list extended DENY-WEB
  deny tcp any any eq www time-range XYZ-WORK-HOURS
  permit ip any any
```

The morning after you make this change, the CEO of XYZ calls you in a panic. Apparently his company depends on an external web app… He now wants you to allow traffic to this server at 198.19.2.5 during work hours only. When configuring this condition we need to be careful: forgetting to add the unconditional deny statement (the second line of the ACL below) will cause undesired results, because the explicit permit any at the end of the ACL would otherwise allow web traffic to the server outside work hours.

```text
ip access-list extended DENY-WEB
  permit tcp any host 198.19.2.5 eq www time-range XYZ-WORK-HOURS
  deny tcp any host 198.19.2.5 eq www
  deny tcp any any eq www time-range XYZ-WORK-HOURS
  permit ip any any
```
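To make the difference concrete, here is an added Python model of how IOS walks this ACL (it is not from the original post and not IOS code). It assumes a simplified time-range check (weekdays only, half-open interval at minute granularity), ignores source addresses, and uses constructed sample timestamps; it evaluates the ACL with and without the unconditional deny line.

```python
from datetime import datetime

# Constructed model of the post's "periodic weekdays 8:00 to 17:00" range.
# Assumption: the interval is half-open and checked at minute granularity.
TIME_RANGES = {
    "XYZ-WORK-HOURS": {"weekdays": {0, 1, 2, 3, 4}, "start": (8, 0), "end": (17, 0)},
}

def time_range_active(name, now):
    """True while the named time range is in effect at datetime `now`."""
    tr = TIME_RANGES[name]
    if now.weekday() not in tr["weekdays"]:
        return False
    return tr["start"] <= (now.hour, now.minute) < tr["end"]

def evaluate(acl, proto, dst, dport, now):
    """Walk the ACL top-down like IOS: the first matching entry decides,
    and an entry whose time range is inactive is skipped as if absent."""
    for action, ace_proto, ace_dst, ace_port, time_range in acl:
        if time_range is not None and not time_range_active(time_range, now):
            continue
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_dst != "any" and ace_dst != dst:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access list

# Entry tuples: (action, protocol, destination host or "any", destination port, time range)
ACL_MISSING_DENY = [
    ("permit", "tcp", "198.19.2.5", 80, "XYZ-WORK-HOURS"),
    ("deny",   "tcp", "any",        80, "XYZ-WORK-HOURS"),
    ("permit", "ip",  "any",        None, None),
]
ACL_CORRECT = [
    ("permit", "tcp", "198.19.2.5", 80, "XYZ-WORK-HOURS"),
    ("deny",   "tcp", "198.19.2.5", 80, None),   # the line that must not be forgotten
    ("deny",   "tcp", "any",        80, "XYZ-WORK-HOURS"),
    ("permit", "ip",  "any",        None, None),
]

# Constructed sample times: Monday 2011-04-25 in and out of hours, Saturday 2011-04-30.
WORK_HOURS_SAMPLE = datetime(2011, 4, 25, 10, 0)
AFTER_HOURS_SAMPLE = datetime(2011, 4, 25, 20, 0)
WEEKEND_SAMPLE = datetime(2011, 4, 30, 10, 0)

def web_to_server(acl, now):
    """Decision for an HTTP request to the CEO's web app server at `now`."""
    return evaluate(acl, "tcp", "198.19.2.5", 80, now)

if __name__ == "__main__":
    for when in (WORK_HOURS_SAMPLE, AFTER_HOURS_SAMPLE, WEEKEND_SAMPLE):
        print(when, "missing deny:", web_to_server(ACL_MISSING_DENY, when),
              "| correct:", web_to_server(ACL_CORRECT, when))
```

Outside work hours the version without the extra deny falls through to `permit ip any any` and the server stays reachable, which is exactly the undesired result the text warns about.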

Now, let’s move outside the realm of a simple ACL. Let’s say you wanted to apply QoS to some traffic, but only during a specified time, for example FTP traffic from 2:00am to 4:00am daily. Lucky for you, you can apply a time-range to an ACL used in a class-map!

```text
time-range EARLY-AM
  periodic daily 2:00 to 4:00
!
ip access-list extended BACKUP-TRAFFIC
  permit tcp any any eq ftp time-range EARLY-AM
!
class-map match-all BACKUP-TRAFFIC
  match access-group name BACKUP-TRAFFIC
!
policy-map XYZ-remark
  class BACKUP-TRAFFIC
    set dscp af11
  ...
```