10.1 Access Lists
10.1.3 Time-based extended access list syntax
Today's network security policies demand that access lists do more than use destination and source addresses to statically define whether a protocol is permitted. In some cases, an administrator may determine that certain traffic is permissible only during business hours, or that users have access to specific resources only at fixed times of day. This is possible using a time-based access list. Since IOS release 12.01(T), it is possible to implement time-based access lists based on the time of day and week by using the time-range command. There are many possible benefits of using time ranges, including the following:
  • To provide more control over permitting or denying a user access to resources; these resources could be an application (identified by an IP address/mask pair and a port number), or an on-demand link (identified as interesting traffic to the dialer).
  • To set time-based security policy, including the following:
      • Perimeter security using the Cisco IOS Firewall feature set or access lists
      • Data confidentiality with Cisco Encryption Technology or IP Security Protocol (IPSec)
  • To provide enhanced policy-based routing and queuing functions
  • To automatically reroute traffic cost effectively when provider access rates vary by time of day
  • To support the quality of service (QoS) service-level agreements (SLAs) that are negotiated for certain times of day when service providers can dynamically change a committed access rate (CAR) configuration
  • To control logging messages. Access list entries can log traffic at certain times of the day, but not constantly. Therefore, administrators can simply deny access without needing to analyze many logs generated during peak hours.

To implement a time-based extended access list, first define the name and the times of the day and week of the time range, and then reference the time range by name in an access list. To apply time restrictions to an access list, use the following steps:

  1. Define a time range using a name:

    router(config)#time-range time-range-name

  2. In time-range configuration mode, use the periodic command, the absolute command, or some combination of them to define when the feature is in effect. Multiple periodic commands are allowed in a time range; only one absolute command is allowed. The periodic keyword specifies a recurring (weekly) start and end time for a time range. The absolute keyword specifies an absolute start and end time for a time range:

    router(config-time-range)# periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm

    router(config-time-range)# absolute [start time date] [end time date]


    The periodic command will take the following arguments: Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday. Other possible values are daily (Monday through Sunday), weekdays (Monday through Friday), and weekend (Saturday and Sunday).

  3. Exit the time-range configuration mode:

    router(config-time-range)#exit

Currently, IP and IPX named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied.

In the figure, RTA is configured with the named access list STRICT, which references two time ranges, NO-HTTP and UDP-YES. NO-HTTP is used in conjunction with a deny statement to prevent web traffic on weekdays from 8 A.M. to 6 P.M. The UDP-YES time range is used with a permit statement to allow all UDP traffic on weekends, from 12 noon to 8 P.M.
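The following is an added example (not the configuration from the figure or the course) showing how RTA could be configured for that scenario using the three steps above; the interface name, the inside network 192.0.2.0/24, the NTP server address and the absolute expiry date are assumptions for illustration.

```cisco
! Time-based entries are only as reliable as the router clock, so set
! the time zone and an NTP source first (192.0.2.123 is a placeholder).
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.123
!
! Steps 1-3: define the two time ranges. NO-HTTP also shows the
! absolute syntax: the range stops applying after the (assumed) end date.
time-range NO-HTTP
 periodic weekdays 08:00 to 18:00
 absolute end 23:59 31 December 2025
 exit
time-range UDP-YES
 periodic weekend 12:00 to 20:00
 exit
!
! Named extended access list referencing the ranges by name.
! While a range is inactive, its entry is skipped and the packet falls
! through to the next line, so the deny only has an effect because the
! later permit (assumed here) would otherwise allow the web traffic.
ip access-list extended STRICT
 deny   tcp 192.0.2.0 0.0.0.255 any eq www time-range NO-HTTP
 permit udp 192.0.2.0 0.0.0.255 any time-range UDP-YES
 permit tcp 192.0.2.0 0.0.0.255 any
 exit
! The implicit "deny ip any any" closes the list, so UDP outside the
! UDP-YES window and all other traffic is dropped.
!
interface FastEthernet0/0
 ip access-group STRICT in
 exit
```

Verify which ranges are currently in effect with `show time-range` and `show access-lists STRICT`, which marks each time-referenced entry as active or inactive.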