Tutorial: Time-Based ACLs

Time-based ACLs are useful when you want to restrict traffic based on the time of day. For example, you might employ time-based ACLs if you wanted to only allow web surfing during a particular time of day or allow access to a particular server only during work hours. We will be exploring these scenarios in this tutorial.

Time-Based ACLs – Scenario 1:

Let’s say you had the following requirement:

“Users should only be allowed to access the Web Server located at the IP address of 192.168.1.254 during work hours. After work, users should not have access to this web server. All other traffic should be allowed.”

Seems simple enough. We will define work hours as Monday to Friday 9:00am to 5:00pm (you wish!). Most people, when given this problem, respond with this (or something similar):

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 permit ip any any

We have defined a time-range called WORK-HOURS. WORK-HOURS is defined as including all times between 9am and 5pm, Monday to Friday. Cool. Exactly what we want. We have then defined an access-list called DENY-WEB that matches tcp traffic destined to the host during the time-range WORK-HOURS. Everything else is permitted.

At first glance this looks fine, but it will not work.

Let’s examine why this will not work. Let’s pretend it is Monday morning at 10am. The user hops on and points his browser to http://192.168.1.254. The first rule of the access list will be matched and access is granted. Cool. This is the behaviour we want.

Now let’s pretend it is Monday night at 6pm. The same user hops on and points his browser to http://192.168.1.254. The first line of the access list will not be matched because it is not during the WORK-HOURS time range. All the conditions on the access-list line must be matched, so we go to the next rule defined in the access-list. We will match this rule (permit ip any any) and the traffic will also be allowed. This is obviously not what we want!

Solution:

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended DENY-WEB
 permit tcp any host 192.168.1.254 eq www time-range WORK-HOURS
 deny tcp any host 192.168.1.254 eq www
 permit ip any any

Much better. Now when the first rule is not matched (outside WORK-HOURS), the second rule denies web traffic to the server, and everything else is still permitted by the last rule.

Time-Based ACLs – Scenario 2:

Let’s say we have a new requirement:

During work hours users must be able to access web sites only through a proxy server located at 192.168.1.254. The proxy server is listening on tcp port 3128. After work hours users should be granted full access to any IP address and any website. During work hours the only thing they should be able to access is the proxy server. Do not create two time-ranges for this.

Hmmm. Let’s try this:

time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any

This is what most people I presented this problem to responded with. It is incorrect. Let’s have a look at a few use-cases to determine why. Let’s pretend it’s Monday at 10am. The user tries to browse to cisco.com directly instead of going through the proxy server. The first rule of the access list will not be matched: the time range is matched, but the destination address will be cisco.com, not the address of the proxy server. The next rule will then be matched (permit ip any any). This allows access to cisco.com during work hours without going through the proxy server, which is not what we want.

We could try:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
time-range WORK-HOURS
 periodic weekdays 9:00 to 17:00
!
ip access-list extended DENY-WEB
 permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
 permit ip any any time-range NON-WORK-HOURS

This will work. On Monday at 9:30am, a user tries to access cisco.com directly instead of going through the proxy server. As per the requirement, this shouldn’t be allowed. The first rule of the access-list will not be matched: the time range is matched, but the destination address will be cisco.com, not the address of the proxy server.

The second rule will also not be matched, as it does not match the time-range NON-WORK-HOURS (i.e. it’s during work time). The packet will be dropped, which is exactly what we want to happen. Unfortunately, this will not meet the requirement of “Do not create two time-ranges for this”. DAMN! So how do we do this?

Solution:

time-range NON-WORK-HOURS
 periodic weekend 0:00 to 23:59
 periodic weekdays 0:00 to 8:59
 periodic weekdays 17:01 to 23:59
!
ip access-list extended DENY-WEB
 permit ip any any time-range NON-WORK-HOURS
 permit tcp any host 192.168.1.254 eq 3128

We have an access list whose first rule permits all IP traffic only during the time-range NON-WORK-HOURS. During work hours that rule is inactive, so the only thing we can access is the proxy server at 192.168.1.254 on tcp port 3128; everything else falls through to the implicit deny at the end of the access-list and is blocked. Awesome, just what we wanted!
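To make the first-match behaviour testable, here is an added Python simulation (example code written for this page, not IOS and not from the original tutorial) of all four access-lists above: the naive and corrected versions from Scenario 1 and Scenario 2. It models each entry as a tuple, evaluates top-down with the implicit deny, and assumes IOS evaluates periodic time-ranges to the minute with inclusive start and end; the sample instants and the 198.51.100.10 address standing in for cisco.com are constructed.

```python
from datetime import datetime

# Constructed model of the tutorial's time-ranges. Days use Python numbering
# (Monday=0 .. Sunday=6); periodic start and end are inclusive, to the minute.
WEEKDAYS, WEEKEND = range(0, 5), (5, 6)
RANGES = {
    "WORK-HOURS": [(WEEKDAYS, "09:00", "17:00")],
    "NON-WORK-HOURS": [(WEEKEND, "00:00", "23:59"),
                       (WEEKDAYS, "00:00", "08:59"),
                       (WEEKDAYS, "17:01", "23:59")],
}
# ACL entries: (action, protocol, dst host or "any", dst port or None, time-range or None)
NAIVE_1 = [("permit", "tcp", "192.168.1.254", 80, "WORK-HOURS"),
           ("permit", "ip", "any", None, None)]
FIXED_1 = [("permit", "tcp", "192.168.1.254", 80, "WORK-HOURS"),
           ("deny", "tcp", "192.168.1.254", 80, None),
           ("permit", "ip", "any", None, None)]
NAIVE_2 = [("permit", "tcp", "192.168.1.254", 3128, "WORK-HOURS"),
           ("permit", "ip", "any", None, None)]
FIXED_2 = [("permit", "ip", "any", None, "NON-WORK-HOURS"),
           ("permit", "tcp", "192.168.1.254", 3128, None)]
# Constructed sample instants: Monday 19 May 2008 and Saturday 24 May 2008.
MON_10, MON_18 = datetime(2008, 5, 19, 10, 0), datetime(2008, 5, 19, 18, 0)
SAT_12 = datetime(2008, 5, 24, 12, 0)

def in_time_range(name, when):
    """True when `when` falls inside any periodic statement of the named time-range."""
    hhmm = when.strftime("%H:%M")          # IOS evaluates time-ranges to the minute
    return any(when.weekday() in days and start <= hhmm <= end
               for days, start, end in RANGES[name])

def evaluate(acl, when, proto, dst, dport):
    """IOS semantics: top-down, first full match wins, implicit deny at the end."""
    for action, m_proto, m_dst, m_port, tr in acl:
        if m_proto != "ip" and m_proto != proto:
            continue                       # protocol mismatch: try the next entry
        if m_dst != "any" and m_dst != dst:
            continue
        if m_port is not None and m_port != dport:
            continue
        if tr is not None and not in_time_range(tr, when):
            continue                       # outside its time-range the entry is inactive
        return action
    return "deny"

if __name__ == "__main__":
    for label, acl in (("naive-1", NAIVE_1), ("fixed-1", FIXED_1)):
        print(label, "web server, Monday 18:00:", evaluate(acl, MON_18, "tcp", "192.168.1.254", 80))
    for label, acl in (("naive-2", NAIVE_2), ("fixed-2", FIXED_2)):
        print(label, "direct web, Monday 10:00:", evaluate(acl, MON_10, "tcp", "198.51.100.10", 80))
```

The simulation decides against whatever instant you pass in; a real router makes the same decision against its own clock, so the time-ranges are only as accurate as that clock.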

HTH! :)


About the Author

Arden Packeer

Arden Packeer is currently a Cisco Certified Internetwork Expert (CCIE #20716) working in the Advanced Services team at Cisco Systems (Melbourne, Australia). He has more than 10 years of experience, with specialisations in datacentre networks, large scale service provider networks, and more recently virtualisation and cloud deployments. Arden also likes writing about himself in the third person because it makes him sound important. :)


Comments (8)

  1. Marko, Wednesday 21 / 05 / 2008
    This is great. I just wanted to correct the 'port 8080' in your narrative to 'port 3128'. Thanks !!
  2. Arden Packeer, CCIE #20716, Wednesday 21 / 05 / 2008
    Thanks Marko! Fixed it. I think I am going to have to start looking to get an editor to look through my tutorials. :)
  3. Adam, Thursday 22 / 05 / 2008
    Port 8080? Anyone would think that you were doing this for work!!
  4. Hiran, Wednesday 14 / 10 / 2009
    Can't we use this solution for the "Time-Based ACLs – Scenario 2:"? Correct me if I'm wrong plz....

    time-range WORK-HOURS
     periodic weekdays 9:00 to 17:00
    !
    ip access-list extend DENY-WEB
     permit tcp any host 192.168.1.254 eq 3128 time-range WORK-HOURS
     deny ip any any time-range WORK-HOURS
     permit ip any any
  5. Wissam, Sunday 04 / 04 / 2010
    Thanks Arden, really you are perfect. Kindly, for this solution, is this possible?

    time-range WORK-HOURS
     periodic weekdays 9:00 to 17:00
    access-list 101 permit tcp any 192.168.1.254 eq 3128
    access-list 101 deny tcp any any eq www
    access-list 101 permit ip any any

    This is for scenario 2.
  6. Wissam, Sunday 04 / 04 / 2010
    Thanks Arden, really you are perfect. Kindly, for this solution, is this possible?

    time-range WORK-HOURS
     periodic weekdays 9:00 to 17:00
    access-list 101 permit tcp any 192.168.1.254 eq 3128 time-range WORK-HOURS
    access-list 101 deny tcp any any eq www
    access-list 101 permit ip any any

    This is for scenario 2.
  7. raghu, Friday 30 / 04 / 2010
    Thanks, excellent way of explaining things, considering all the possibilities that generally go wrong for others.
