Configuring Time-Based Access Lists
To configure time-based access lists, perform the following steps:
1. Use the time-range name command to define the name of the timed access list. Issuing this command moves you into time-range configuration mode.
2. Use either of the following commands to specify when the timed access list should be in effect:
absolute <start time date> <end time date>
periodic <days-of-the-week> hh:mm to <days-of-the-week> hh:mm
When using the periodic parameter, you may define multiple ranges. When using the absolute parameter, only one range may be defined. The days-of-the-week parameter can be specified as any single day of the week, or a combination of days, using the Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday keyword. Three other keywords are also available: the daily keyword represents Monday through Sunday, the weekend keyword specifies Saturday and Sunday, and the weekdays keyword specifies Monday through Friday.
3. Define an extended numbered access list with the access-list command, as described earlier, and bind the time range to the access list by appending the time-range keyword followed by the name defined in step 1:
access-list <access-list-number> <deny | permit> protocol <source source-wildcard> <destination destination-wildcard> <precedence precedence-value> <tos tos-value> <log | log-input>
4. Use this command to apply the access list to the interface:
ip access-group <access-list-number> <in | out>
In the first example, I will configure time-based access lists using only periodic statements with extended numbered access lists. In this configuration, I would like to permit FTP traffic only on weekdays from 7:00 A.M. to 6:00 P.M., deny all HTTP traffic on the weekend, permit TFTP traffic only on the weekend from noon to 8:00 P.M., and permit Telnet traffic only on Saturday from noon to 8:00 P.M. Listing 7.29 displays the configuration needed to meet these requirements.
Listing 7.29: Timed access list using numbered access list.
time-range permit-ftp
periodic weekdays 07:00 to 18:00
time-range deny-http
periodic weekend 00:00 to 23:59
time-range permit-tftp
periodic weekend 12:00 to 20:00
time-range permit-telnet
periodic saturday 12:00 to 20:00
access-list 120 permit tcp any any eq 21 time-range permit-ftp
access-list 120 deny tcp any any eq 80 time-range deny-http
access-list 120 permit udp any any eq 69 time-range permit-tftp
access-list 120 permit tcp any any eq 23 time-range permit-telnet
ip access-group 120 in
To monitor the access list, issue the show access-lists command. The output tells you whether each time-range bound to the access list is active or inactive. An active state means the entry is currently in effect, and an inactive state means the entry is currently not in effect. Here are the results of issuing this command to monitor the access list configured in Listing 7.29:
Extended ip access list 120
permit tcp any any eq 21 time-range permit-ftp (inactive)
deny tcp any any eq 80 time-range deny-http (inactive)
permit udp any any eq 69 time-range permit-tftp (inactive)
permit tcp any any eq 23 time-range permit-telnet (inactive)
Time-based access lists can also be configured using the absolute argument, with either extended numbered access lists or extended named access lists. The next example shows how to configure a time-based access list using the absolute argument and binding the time range to an extended named access list. This access list should deny HTTP traffic during a preplanned Web-server outage within the year, and it should permit FTP traffic to a different server for the entire year of 2004. It should also permit TFTP traffic from the time the access list is applied until the 11th of February 2004, and permit Telnet traffic until the end of the year 2004. Listing 7.30 displays the configuration needed to meet these requirements.
Listing 7.30: Timed access list using named access list.
time-range permit-ftp
absolute start 06:00 1 January 2004 end 23:59 31 December 2004
time-range deny-http
absolute start 00:00 24 November 2004 end 06:00 26 November 2004
time-range permit-tftp
absolute end 17:50 11 February 2004
time-range permit-telnet
absolute end 23:59 31 December 2004
ip access-list extended absolute-list
permit tcp any host 192.168.10.234 eq 21 time-range permit-ftp
deny tcp any host 192.168.10.233 eq 80 time-range deny-http
permit udp any any eq 69 time-range permit-tftp
permit tcp any any eq 23 time-range permit-telnet
ip access-group absolute-list in
As with the numbered access list, you can monitor the time-based named access list by issuing the show access-lists command, which again reports each time-range-bound entry as active (currently in effect) or inactive (currently not in effect). Here are the results of issuing this command to monitor the access list defined in Listing 7.30:
Extended ip access list absolute-list
deny tcp any host 192.168.10.233 eq 80 time-range -
permit udp any any eq 69 time-range permit-tftp (active)
permit tcp any any eq 23 time-range permit-telnet (active)
permit tcp any host 192.168.10.234 eq 21 time-range -
Note: Because of the format limitations of this book, some lines of code listed above have been broken with a hyphen.
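Before a time range is pushed to a router, it is worth checking on paper that the schedule really matches the intended policy, for example that "weekdays 07:00 to 18:00" and "weekend 00:00 to 23:59" leave the gaps you expect. The following script is an added example, not code from the book or from Cisco IOS: it parses periodic and absolute statements in the form used in Listings 7.29 and 7.30 and reports whether the range would be active at a given moment, mirroring the active/inactive flag of show access-lists. It assumes, as a simplification, that an absolute window bounds the range and any periodic statement inside that window makes it active, and it models only the same-day form of periodic used in the listings.

```python
from datetime import datetime

# Day keywords accepted by the periodic statement, mapped to Python weekday numbers (Monday = 0).
DAY_SETS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
}

def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)

def _stamp(tokens):
    # tokens look like ["06:00", "1", "January", "2004"], as written in the absolute statement
    return datetime.strptime(" ".join(tokens), "%H:%M %d %B %Y")

def parse_time_range(statements):
    """Parse the periodic/absolute statements of one time-range.
    Returns ((abs_start, abs_end), [(weekday_set, start_minute, end_minute), ...])."""
    absolute, periodics = (None, None), []
    for line in statements:
        tok = line.split()
        if tok[0] == "periodic":
            # Assumption: only the same-day form is modelled; a range naming a different
            # end day is rejected rather than silently misread.
            if len(tok) == 6 and tok[4].lower() != tok[1].lower():
                raise ValueError("day-spanning periodic range not modelled: " + line)
            periodics.append((DAY_SETS[tok[1].lower()], _minutes(tok[2]), _minutes(tok[-1])))
        elif tok[0] == "absolute":
            start = _stamp(tok[tok.index("start") + 1:][:4]) if "start" in tok else None
            end = _stamp(tok[tok.index("end") + 1:][:4]) if "end" in tok else None
            absolute = (start, end)
    return absolute, periodics

def is_active(statements, when):
    """True if the time-range would be reported as (active) at datetime `when`."""
    (start, end), periodics = parse_time_range(statements)
    if (start is not None and when < start) or (end is not None and when > end):
        return False          # outside the absolute window (or no statements at all)
    if not periodics:
        return start is not None or end is not None   # absolute-only range
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and lo <= minute <= hi for days, lo, hi in periodics)

if __name__ == "__main__":
    # Constructed check: Tuesday 10 February 2004 at 09:00 against two ranges from the listings
    when = datetime(2004, 2, 10, 9, 0)
    print("permit-ftp (7.29):", is_active(["periodic weekdays 07:00 to 18:00"], when))  # True
    print("permit-tftp (7.30):", is_active(["absolute end 17:50 11 February 2004"], when))  # True
```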