Timed Access Lists

Different Rules, Different Hours

Timed access lists give you the ability to use a different policy within a specific time range. This can be handy as a way to enforce different rules during a planned maintenance window, peak hours, or off hours.

As a simple example, all traffic is permitted during normal business hours, Monday through Friday. During the peak hour of 10am to noon, Monday through Friday, FTP transfers are not allowed. The maintenance window allows ICMP traffic from midnight to 1am on April 1st. And the remaining time would be considered off hours, with traffic being dropped.

Combining With Other Options

A more realistic example might involve other technologies such as policy-based routing. This would allow you to tie in an action, such as changing the traffic pattern during peak hours. The example here keeps things simple to highlight how timed ACLs work.

Example

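time-range PEAKHOURS
 periodic weekdays 10:00 to 12:00
!
time-range BUSINESSHOURS
 periodic weekdays 7:00 to 19:00
!
time-range MAINTENANCE
 absolute start 00:00 1 April 2019 end 01:00 1 April 2019
!
ip access-list extended hammertime
! Block FTP during peak hours (must sit above the broader business-hours permit)
 deny tcp any any eq ftp time-range PEAKHOURS
! Permit everything else during business hours
 permit ip any any time-range BUSINESSHOURS
! Permit ICMP during the maintenance window
 permit icmp any any time-range MAINTENANCE
! Off hours: drop everything
 deny ip any any

interface FastEthernet0/0
 ip access-group hammertime out

Operation

The ACL works from the top down. It first checks whether it is currently within PEAKHOURS and whether the packet is FTP. If both are true, it enforces that line. The remaining lines are not checked. If instead the time is outside PEAKHOURS or the packet is not FTP, it looks to the next line of the ACL and repeats the process. The PEAKHOURS deny sits above the BUSINESSHOURS permit because peak hours fall inside business hours: if permit ip any any came first, it would match FTP traffic and the deny would never be reached.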

In this example, if the current time does not match BUSINESSHOURS, PEAKHOURS, or MAINTENANCE, the traffic is dropped.
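
The following Python model is an added example, not part of the original page or of any Cisco tooling. It replays first-match evaluation of the hammertime entries at a few constructed timestamps and reports entries that never win a match, which shows how the relative order of the BUSINESSHOURS and PEAKHOURS lines changes the result. The function names and packet model are assumptions, and time-range end times are treated as exclusive for simplicity.

```python
from datetime import datetime, time

def weekdays(start, end):
    """periodic weekdays HH:MM to HH:MM (end treated as exclusive: a simplification)."""
    return lambda now: now.weekday() < 5 and start <= now.time() < end

def absolute(start, end):
    return lambda now: start <= now < end

# Time ranges copied from the page's configuration.
RANGES = {
    "BUSINESSHOURS": weekdays(time(7, 0), time(19, 0)),
    "PEAKHOURS": weekdays(time(10, 0), time(12, 0)),
    "MAINTENANCE": absolute(datetime(2019, 4, 1, 0, 0), datetime(2019, 4, 1, 1, 0)),
}

# ACL entries as (action, protocol, destination port or None, time-range name).
DENY_FTP = ("deny", "tcp", 21, "PEAKHOURS")
PERMIT_ALL = ("permit", "ip", None, "BUSINESSHOURS")
PERMIT_ICMP = ("permit", "icmp", None, "MAINTENANCE")
DENY_FIRST = [DENY_FTP, PERMIT_ALL, PERMIT_ICMP]    # specific deny above broad permit
PERMIT_FIRST = [PERMIT_ALL, DENY_FTP, PERMIT_ICMP]  # broad permit above specific deny

def evaluate(acl, now, proto, dport=None):
    """Return (action, entry) for the first active entry that matches the packet."""
    for entry in acl:
        action, e_proto, e_port, rng = entry
        if not RANGES[rng](now):
            continue  # entry is inactive outside its time range
        if e_proto not in ("ip", proto):
            continue  # "ip" matches every protocol
        if e_port is not None and e_port != dport:
            continue
        return action, entry
    return "deny", None  # the final "deny ip any any"

def shadowed(acl, samples, packets):
    """Entries that never win first match for any sampled time and packet."""
    hit = {evaluate(acl, t, *p)[1] for t in samples for p in packets}
    return [e for e in acl if e not in hit]

# Constructed samples: Monday peak hour, Monday afternoon, maintenance window, Saturday.
SAMPLES = [datetime(2019, 4, 1, 11, 0), datetime(2019, 4, 1, 15, 0),
           datetime(2019, 4, 1, 0, 30), datetime(2019, 4, 6, 11, 0)]
PACKETS = [("tcp", 21), ("tcp", 443), ("icmp", None)]

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("permit first", PERMIT_FIRST)):
        print(name, evaluate(acl, SAMPLES[0], "tcp", 21)[0], shadowed(acl, SAMPLES, PACKETS))
```

The shadowing check is sample-based, so it only flags entries that lose for every sampled time and packet; add timestamps around each range boundary when auditing a real policy.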