Timed Access Lists
Different Rules, Different Hours
Timed access lists give you the ability to use a different policy within a specific time range. This can be handy as a way to enforce different rules during a planned maintenance window, peak hours, or off hours.
As a simple example, all traffic is permitted during normal business hours, Monday through Friday. During the peak hours of 10am to noon, Monday through Friday, FTP transfers are not allowed. The maintenance window allows ICMP traffic from midnight to 1am on April 1st. All remaining time is considered off hours, and traffic is dropped.
Combining With Other Options
A more realistic example might involve other technologies such as policy-based routing. This would allow you to tie in an action, such as changing the traffic pattern during peak hours. The example here keeps things simple to highlight how timed ACLs work.
time-range PEAKHOURS
 periodic weekdays 10:00 to 12:00
!
time-range BUSINESSHOURS
 periodic weekdays 7:00 to 19:00
!
time-range MAINTENANCE
 absolute start 00:00 1 April 2019 end 01:00 1 April 2019
!
ip access-list extended hammertime
 ! The narrower peak-hours deny must sit above the broader business-hours permit
 deny tcp any any eq ftp time-range PEAKHOURS
 permit ip any any time-range BUSINESSHOURS
 permit icmp any any time-range MAINTENANCE
 deny ip any any
!
int f0/0
 ip access-group hammertime out
The ACL works from the top down and stops at the first entry that matches the packet. An entry with a time range is active only while that range is in effect; at any other time the entry is skipped and the next line of the ACL is checked. Because PEAKHOURS falls inside BUSINESSHOURS, the FTP deny has to come before the broader BUSINESSHOURS permit. With the permit first, FTP traffic during peak hours would match it and the deny would never be reached.
In this example, if the current time does not match BUSINESSHOURS, PEAKHOURS, or MAINTENANCE, the traffic is dropped.
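An added example, not part of the original page: a small Python model of first-match evaluation for the hammertime ACL, comparing two orderings of the BUSINESSHOURS permit and the PEAKHOURS FTP deny and reporting entries that never decide a packet. The tuple model, function names and sample packets are constructed for illustration, and the end-minute boundary of a periodic range is simplified.

```python
from datetime import datetime, time

def weekdays(start, end):
    # periodic weekdays HH:MM to HH:MM (end-minute boundary simplified)
    return lambda now: now.weekday() < 5 and start <= now.time() < end

def absolute(start, end):
    return lambda now: start <= now < end

RANGES = {
    "PEAKHOURS": weekdays(time(10, 0), time(12, 0)),
    "BUSINESSHOURS": weekdays(time(7, 0), time(19, 0)),
    "MAINTENANCE": absolute(datetime(2019, 4, 1, 0, 0), datetime(2019, 4, 1, 1, 0)),
}

# Entry model (an assumption of this sketch): (action, protocol, dest port, time-range)
PERMIT_BH = ("permit", "ip", None, "BUSINESSHOURS")
DENY_FTP = ("deny", "tcp", 21, "PEAKHOURS")
PERMIT_ICMP = ("permit", "icmp", None, "MAINTENANCE")
DENY_ALL = ("deny", "ip", None, None)

DENY_FIRST = [DENY_FTP, PERMIT_BH, PERMIT_ICMP, DENY_ALL]
PERMIT_FIRST = [PERMIT_BH, DENY_FTP, PERMIT_ICMP, DENY_ALL]

# Constructed sample packets: (timestamp, protocol, destination port)
SAMPLES = [
    (datetime(2019, 4, 3, 11, 0), "tcp", 21),    # Wednesday, peak, FTP
    (datetime(2019, 4, 3, 11, 0), "tcp", 443),   # Wednesday, peak, HTTPS
    (datetime(2019, 4, 3, 15, 0), "tcp", 21),    # Wednesday, business hours, FTP
    (datetime(2019, 4, 1, 0, 30), "icmp", None), # maintenance window, ICMP
    (datetime(2019, 4, 1, 0, 30), "tcp", 22),    # maintenance window, SSH
    (datetime(2019, 4, 6, 11, 0), "tcp", 21),    # Saturday, off hours
]

def evaluate(acl, now, proto, dport=None):
    """Return (action, entry index) for the first active entry that matches."""
    for idx, (action, p, port, tr) in enumerate(acl):
        if tr is not None and not RANGES[tr](now):
            continue  # entry is inactive outside its time range
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        return action, idx
    return "deny", None  # implicit deny that ends every ACL

def shadowed(acl, samples=SAMPLES):
    """Indexes of entries that never decide any sampled packet."""
    hit = {evaluate(acl, *s)[1] for s in samples}
    return [i for i in range(len(acl)) if i not in hit]
```

Running `shadowed` against both orderings shows which placement leaves the FTP deny unreachable; the same check can be repeated with timestamps taken from your own change windows.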