Cisco IOS Time Based Access-List

Sometimes it might be useful to block certain traffic on specific days or during business hours. For example, maybe you want to block all Facebook traffic from Monday to Friday between 9:00 – 17:00.

We can achieve this by using time ranges in our access-lists. When you use these, the statement in the access-list will only be active during the time range that you specified. Let’s take a look at an example!

1. Configuration

To demonstrate the time based access-list I will use the following topology:

[Topology figure: three routers, R1, R2 and R3; the figure itself is not included in this extract]

Above we have three routers; imagine that R1 is a user on a computer and R3 is some webserver. We want to prevent access from R1 to the webserver on R3 on business days between 9:00 – 17:00. We will configure the time based access-list on R2.

The time-range command relies on the router clock, so make sure the time and date are correct before you rely on it:

R2#clock set 12:48:00 14 July 2015

Normally it would be better to use NTP, but for this example I’ll configure it manually. Now we can configure a time range:

R2(config)#time-range WORK_HOURS
R2(config-time-range)#periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday

There are quite a few options: we can select a specific day, or use one of the ranges like weekdays or weekend. Let’s go for the weekdays:

R2(config-time-range)#periodic weekdays 09:00 to 17:00

We now have a time range called “WORK_HOURS” for business hours. Let’s create an access-list:

R2(config)#ip access-list extended NO_FACEBOOK
R2(config-ext-nacl)#deny tcp any host 192.168.23.3 eq 80 time-range WORK_HOURS
R2(config-ext-nacl)#permit ip any any

The access-list above has a statement that blocks traffic to TCP port 80 on 192.168.23.3, but only for the time range that we specified. Let’s activate it on the interface:

R2(config)#interface FastEthernet 0/0
R2(config-if)#ip access-group NO_FACEBOOK in

Now we can try to connect to R3 from R1:

R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ...
% Destination unreachable; gateway or host down

We can’t connect to the webserver on R3. Is this because of our time range? Let’s find out:

R2#show access-lists
Extended IP access list NO_FACEBOOK
10 deny tcp any host 192.168.23.3 eq www time-range WORK_HOURS (active) (3 matches)
20 permit ip any any

Above you can see that the time range is currently active and that we have some matches on the access-list. Just for fun, let’s change the clock so that we are operating outside of business hours:

R2#clock set 21:00:00 14 July 2015

Now we can try to connect again:

R1#telnet 192.168.23.3 80
Trying 192.168.23.3, 80 ... Open

We are now able to connect to R3. Let’s check the access-list:

R2#show access-lists
Extended IP access list NO_FACEBOOK
10 deny tcp any host 192.168.23.3 eq www time-range WORK_HOURS (inactive) (3 matches)
20 permit ip any any (4 matches)

The time range is now inactive.
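To make the (active)/(inactive) behaviour above something you can reason about offline, here is an added Python model of what R2 is doing; it is example code written for this page, not code from the lesson or from Cisco. It parses periodic statements made of the tokens that `periodic ?` lists, evaluates whether a time-range covers a given clock value, walks the ACL top-down with first-match-wins and the implicit deny, and renders the entries roughly like `show access-lists`. The end time of a periodic entry is treated as exclusive, which is an assumption; the two clock values are the ones set on R2 above (14 July 2015 is a Tuesday).

```python
"""Model of an IOS periodic time-range gating an extended ACL entry (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# datetime.weekday(): Monday == 0 ... Sunday == 6
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}}

Periodic = Tuple[Set[int], time, time]


def clock(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (stands in for the router clock)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_periodic(spec: str) -> Periodic:
    """Parse 'periodic <days...> HH:MM to HH:MM' into (weekday set, start, end).

    <days...> is daily, weekdays, weekend, or one or more day names.
    """
    tokens = spec.split()
    if len(tokens) < 5 or tokens[0].lower() != "periodic" or "to" not in tokens:
        raise ValueError(f"not a periodic statement: {spec!r}")
    to_idx = tokens.index("to")
    if to_idx + 1 >= len(tokens):
        raise ValueError(f"missing end time in {spec!r}")
    start = time(*map(int, tokens[to_idx - 1].split(":")))
    end = time(*map(int, tokens[to_idx + 1].split(":")))
    days: Set[int] = set()
    for tok in tokens[1:to_idx - 1]:
        key = tok.lower()
        if key in DAY_GROUPS:
            days |= DAY_GROUPS[key]
        elif key in DAY_NAMES:
            days.add(DAY_NAMES.index(key))
        else:
            raise ValueError(f"unknown day token {tok!r} in {spec!r}")
    if not days or end <= start:
        raise ValueError(f"bad day list or time span in {spec!r}")
    return days, start, end


def time_range_active(entries: List[Periodic], now: datetime) -> bool:
    """A time-range is active when any of its periodic entries covers 'now' (end exclusive: assumption)."""
    t = now.time()
    return any(now.weekday() in days and start <= t < end for days, start, end in entries)


@dataclass
class AclEntry:
    seq: int
    action: str                       # "deny" or "permit"
    proto: str                        # "tcp", "udp" or "ip" (ip matches any protocol)
    dst: Optional[IPv4Network]        # None means any
    dport: Optional[int]              # None means any destination port
    time_range: Optional[str] = None  # name of a time-range, or None
    matches: int = 0


def acl_lookup(acl: List[AclEntry], time_ranges: Dict[str, List[Periodic]],
               proto: str, dst: str, dport: int, now: datetime) -> str:
    """First matching entry wins, implicit deny at the end; an entry whose time-range is inactive is skipped."""
    for e in acl:
        if e.proto != "ip" and e.proto != proto:
            continue
        if e.dst is not None and ip_address(dst) not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        if e.time_range is not None and not time_range_active(time_ranges[e.time_range], now):
            continue
        e.matches += 1
        return e.action
    return "deny"


def show_access_list(name: str, acl: List[AclEntry], time_ranges, now: datetime) -> str:
    """Render the entries roughly the way 'show access-lists' prints them."""
    lines = [f"Extended IP access list {name}"]
    for e in acl:
        words = [str(e.seq), e.action, e.proto, "any",
                 "any" if e.dst is None else f"host {e.dst.network_address}"]
        if e.dport is not None:
            words += ["eq", "www" if e.dport == 80 else str(e.dport)]
        if e.time_range is not None:
            state = "active" if time_range_active(time_ranges[e.time_range], now) else "inactive"
            words += ["time-range", e.time_range, f"({state})"]
        if e.matches:
            words.append(f"({e.matches} match{'es' if e.matches != 1 else ''})")
        lines.append(" ".join(words))
    return "\n".join(lines)


def build_r2():
    """R2's configuration from the lesson, expressed in this model."""
    time_ranges = {"WORK_HOURS": [parse_periodic("periodic weekdays 09:00 to 17:00")]}
    no_facebook = [
        AclEntry(10, "deny", "tcp", ip_network("192.168.23.3/32"), 80, "WORK_HOURS"),
        AclEntry(20, "permit", "ip", None, None),
    ]
    return time_ranges, no_facebook


if __name__ == "__main__":
    tr, acl = build_r2()
    for now in (clock("2015-07-14 12:48"), clock("2015-07-14 21:00")):
        verdict = acl_lookup(acl, tr, "tcp", "192.168.23.3", 80, now)
        print(f"{now:%A %H:%M}: R1 -> 192.168.23.3:80 is {verdict}ed")
        print(show_access_list("NO_FACEBOOK", acl, tr, now))
```

Because `parse_periodic` accepts a list of individual day names, the same code also answers the question asked further down about Sunday to Thursday: `periodic Sunday Monday Tuesday Wednesday Thursday 09:00 to 17:00` yields a time-range that is active on a Sunday and inactive on a Friday. The one thing the model cannot do for you is keep the clock right; with a wrong clock the deny is silently active or inactive at the wrong hours, which is why the lesson insists on setting the time (ideally via NTP) first.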

Configurations: R1, R2, R3

Want to take a look for yourself? Here you will find the final configuration of each device.

That’s all there is to it, I hope this example has been useful. If you have any questions feel free to leave a comment!


Forum Replies

ReneMolenaar

Hi Ruby,

The time based access-list is basically the “poor man’s” solution to block access on routers. You can use access-lists only to filter on L3/L4 information (IP addresses, protocols and port numbers) so you can’t filter based on hostnames.

One way to get around this is to block all prefixes that belong to a certain AS. For example, facebook uses AS 32934. We can find their prefixes with whois:

$ whois -h whois.radb.net -- '-i origin AS32934' | grep 'route:'
route: 204.15.20.0/22
route: 69.63.176.0/20
route: 66.220.144.0/20
route: 66.
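As an added example (not code from the forum post, networklessons.com or Cisco), the following Python script turns `route:` lines like the ones above into the extended ACL entries that the reply describes: one deny per prefix, each with the IOS wildcard mask, followed by `permit ip any any`. The sample input is constructed for this example: the three complete prefixes quoted in the reply, one duplicate, and a truncated line like the one where the quote breaks off, so the parser's handling of bad lines is exercised. The ACL and time-range names are taken from the lesson.

```python
"""Generate extended ACL deny entries from whois 'route:' output (added example)."""
from ipaddress import IPv4Network, collapse_addresses, ip_network
from typing import List, Optional, Tuple

# Constructed sample: prefixes quoted in the reply, a duplicate, and a truncated line.
SAMPLE_WHOIS = """\
route: 204.15.20.0/22
route: 69.63.176.0/20
route: 66.220.144.0/20
route: 69.63.176.0/20
route: 66.
"""


def parse_routes(text: str) -> Tuple[List[IPv4Network], List[str]]:
    """Return the IPv4 prefixes on 'route:' lines (deduplicated, aggregated) and the lines rejected."""
    nets: List[IPv4Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("route:"):
            continue
        value = line[len("route:"):].strip()
        try:
            net = ip_network(value, strict=True)   # strict: host bits must be zero
        except ValueError:
            rejected.append(line)                  # truncated or malformed prefix
            continue
        if not isinstance(net, IPv4Network):       # route6: objects would need an IPv6 ACL
            rejected.append(line)
            continue
        nets.append(net)
    # collapse_addresses drops duplicates and merges adjacent or contained prefixes
    return list(collapse_addresses(nets)), rejected


def wildcard(net: IPv4Network) -> str:
    """IOS wildcard mask is the inverse of the subnet mask: /22 -> 0.0.3.255."""
    return str(net.hostmask)


def render_acl(name: str, nets: List[IPv4Network], time_range: Optional[str] = None) -> str:
    """Emit a named extended ACL that denies traffic to each prefix, optionally only during a time-range."""
    suffix = f" time-range {time_range}" if time_range else ""
    lines = [f"ip access-list extended {name}"]
    for net in nets:
        lines.append(f" deny ip any {net.network_address} {wildcard(net)}{suffix}")
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    prefixes, bad = parse_routes(SAMPLE_WHOIS)
    for line in bad:
        print(f"! skipped unparsable line: {line}")
    print(render_acl("NO_FACEBOOK", prefixes, "WORK_HOURS"))
```

Two caveats for anyone who uses this approach for real: the route objects registered for an AS change over time, so the generated ACL has to be regenerated and re-applied periodically, and a registry entry that is truncated or malformed is reported and skipped rather than silently turned into a wrong deny statement.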


Zaman.rubd

Dear Rene,

Thanks for your article…

What will be the command periodic if we want to block traffic from Sunday to Thursday?

br//
zaman

mail4thanseer

Hi Rene,
In our client network, the Cisco Layer 2 Switch 2960G port 15 which is connected to the L2VPN MPLS-TP network and each month or time not remembering, the port is getting down and they are changing the port to other 16 which was also configured for the same service. Once contractor was done this but client want to know if there is any time based port security is enable or no. Kindly share your advise.

mayorade2000


Zaman.rubd:
we want to block traffic from Sunday to Thursday ?

@ReneMolenaar @lagapides can you please give a specific configuration example of how the configuration will be to use the periodic command for Sunday to Thursday?

mayorade2000

thanks Laz that was helpful
