Cisco IOS Time Based Access-List

ReneMolenaar · December 29, 2016, 7:54pm

This topic is to discuss the following lesson:

https://networklessons.com/cisco/ccie-routing-switching-written/cisco-ios-time-based-access-list/

rprihar · October 28, 2015, 5:30pm

is this how most companies block access, i think we use something called websense?

also with facbeook having so many webservers in a farm for redundancy would you in real world scendario block by ip, or hostname?

ReneMolenaar · October 29, 2015, 9:47am

Hi Ruby,

The time based access-list is basically the “poor man’s” solution to block access on routers. You can use access-lists only to filter on L3/L4 information (IP addresses, protocols and port numbers) so you can’t filter based on hostnames.

One way to get around this is to block all prefixes that belong to a certain AS. For example, facebook uses AS 32934. We can find their prefixes with whois:

$ whois -h whois.radb.net -- &#039;-i origin AS32934&#039; | grep &#039;route:&#039;
route: 204.15.20.0/22
route: 69.63.176.0/20
route: 66.220.144.0/20
route: 66.220.144.0/21
route: 69.63.184.0/21
route: 69.63.176.0/21
route: 74.119.76.0/22
route: 69.171.255.0/24
route: 173.252.64.0/18
route: 69.171.224.0/19
route: 69.171.224.0/20
route: 103.4.96.0/22
route: 69.63.176.0/24
route: 173.252.64.0/19
route: 173.252.70.0/24
route: 31.13.64.0/18
route: 31.13.24.0/21
route: 66.220.152.0/21
route: 66.220.159.0/24
route: 69.171.239.0/24
route: 69.171.240.0/20
route: 31.13.64.0/19
route: 31.13.64.0/24
route: 31.13.65.0/24
route: 31.13.67.0/24
route: 31.13.68.0/24
route: 31.13.69.0/24
route: 31.13.70.0/24
route: 31.13.71.0/24
route: 31.13.72.0/24
route: 31.13.73.0/24
route: 31.13.74.0/24
route: 31.13.75.0/24
route: 31.13.76.0/24
route: 31.13.77.0/24
route: 31.13.96.0/19
route: 31.13.66.0/24
route: 173.252.96.0/19
route: 69.63.178.0/24
route: 31.13.78.0/24
route: 31.13.79.0/24
route: 31.13.80.0/24
route: 31.13.82.0/24
route: 31.13.83.0/24
route: 31.13.84.0/24
route: 31.13.85.0/24
route: 31.13.86.0/24
route: 31.13.87.0/24
route: 31.13.88.0/24
route: 31.13.89.0/24
route: 31.13.90.0/24
route: 31.13.91.0/24
route: 31.13.92.0/24
route: 31.13.93.0/24
route: 31.13.94.0/24
route: 31.13.95.0/24
route: 69.171.253.0/24
route: 69.63.186.0/24
route: 31.13.81.0/24
route: 179.60.192.0/22
route: 179.60.192.0/24
route: 179.60.193.0/24
route: 179.60.194.0/24
route: 179.60.195.0/24
route: 185.60.216.0/22
route: 45.64.40.0/22
route: 185.60.216.0/24
route: 185.60.217.0/24
route: 185.60.218.0/24
route: 185.60.219.0/24
route: 129.134.0.0/16
route: 157.240.0.0/16
route: 204.15.20.0/22
route: 69.63.176.0/20
route: 69.63.176.0/21
route: 69.63.184.0/21
route: 66.220.144.0/20
route: 69.63.176.0/20

You could create a script that fetches these prefixes and updates your access-list every now and then.

For some more “serious” security, we use firewalls. Some firewalls are able to inspect the application layer so we can drop traffic based on the URL, payload, etc.

Rene

Zaman.rubd · October 9, 2016, 8:48am

Dear Rene,

Thanks for your article…

What will be the command periodic if we want to block traffic from Sunday to Thrusday ?

br//
zaman

ReneMolenaar · October 10, 2016, 4:59pm

Hi Zaman,

You can use some of the default periodic options:

Router(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday

Including “weekend”.

Rene

mail4thanseer · December 4, 2018, 12:24pm

Hi Rene,
In our client network,
The Cisco Layer 2 Switch 2960G port 15 which is connected to the L2VPN MPLS-TP network and each month or time not remembering , the port is getting down and they are changing the port to other 16 Which was also configured for the same service. Once contractor was done this but client want to know if there is any time based port security is enable or no, Kindly share your advise.

lagapidis · December 13, 2018, 5:05pm

Hello Thanseerahammed

This is indeed a strange occurrence. You will have to look at the logs of the 2960 to see the reason for the disconnect of the port in the event that it is occurring because of a configuration on the switch. Do you have time based access lists set up in your switch? When you move to another port, does the service work until a month later or does it go down as well? Have you talked to the ISP to see if there is anything on their end making such behaviour occur.

Once these questions are answered, we may be able to help further…

Laz

mayorade2000 · May 13, 2019, 2:40pm

@ReneMolenaar @lagapidis can you please give a specific configuration example of how the configuration will be to use the periodic command for Sunday to Thursday?.

lagapidis · May 14, 2019, 4:35am

Hello Mayowa

The following gives an excellent example of an implementation of a time based access list. You can use this as a template and adjust the time periods to your specific needs.

I hope this has been helpful!

Laz

mayorade2000 · May 15, 2019, 3:04pm

thanks Laz that was helpful

costaoliveira404 · April 1, 2022, 7:45pm

Hi Renee,

This access-list blocks not only facebook but all the applications that uses port 80, correct? like google, youtibe, ete, correct?

deny tcp any host 192.168.23.3 eq 80 time-range WORK_HOURS

what if i just want to block facebook and leave google, youtube and so on. what is the access-list type?

Could you also write an access-list blocking a AS, Please?

lagapidis · April 6, 2022, 6:32am

Hello Costa

The ACL entry you wrote in your post does indeed block all HTTP traffic during working hours. One way to block only specific sites (such as Facebook, Google, and YouTube) is to use the technique mentioned by Rene in his post.

You can write a script that will learn all of the prefixes found within the AS of the service you want to block. Essentially you must:

Find out the AS of the services you want to block.
Run the whois feature to find the IP address prefixes belonging to this AS.
Take that output and create an ACL that blocks those particular addresses. You can do this in any of the following ways:
- using Python scripting
- using Embedded Event Manager (EEM)

This way is not recommended as it can fail in various situations. The best choice is to use a firewall or a proxy that is designed for this purpose.

However, an intermediate option is to force all of your internal hosts to use an internal DNS that you set up. You can configure that DNS to redirect any attempts to connect to a particular domain name (www.youtube.com for example) to a site of your choice, such as a page stating “Access to this content is not allowed” or something to that effect. You can have that internal DNS server relay any “allowed” requests to an external DNS. Just make sure that your ACL blocks users from attempting to make DNS requests directly to an outside DNS server such as Google’s 8.8.8.8 for example. You can do this by denying all DNS traffic using DNS’s TCP and UDP port 53.

I hope this has been helpful!

Laz

ahmedamrici · January 14, 2023, 5:57pm

Hello Rene

Could you please advise how we can configure Time based access list on IOS XR router?

lagapidis · January 18, 2023, 6:50am

Hello Ahmedlmad

It seems that the IOS XR series of routers do not support time-based access lists. I was unable to find an official Cisco source that states this, but based on the experiences of other users, it looks like it was phased out:

As you can see from both of the above, you can achieve the same results as a time-based ACL by using an EEM script. More about EEM scripting can be found at the following lesson:

I hope this has been helpful!

Laz