
Time-Based ACL Not Activating at Correct Time

Presenting Symptom

Users report that the time-based ACL intended to block web access during business hours is not taking effect at the scheduled time: web access remains available during the hours it should be blocked.

Network Context

A small branch office with a Cisco 4321 ISR running IOS XE 16.9 connects to the internet via a single WAN link. The router uses a time-based ACL applied to the WAN interface to restrict HTTP/HTTPS traffic to non-business hours (6 PM to 8 AM weekdays and all day weekends). The router clock is synchronized via NTP to a reliable server.

Diagnostic Steps

1. Verify the router's current time and timezone configuration

show clock detail
17:30:45.123 UTC Mon Mar 4 2024
Time source is NTP

If the time is incorrect or the timezone is not set to the local timezone (e.g., EST), the ACL may activate at the wrong time. Ensure the time matches the expected local time and the timezone is configured correctly.

2. Check the time-range configuration

show time-range
time-range entry: BLOCK_WEB (inactive)
   periodic weekdays 18:00 to 08:00
   periodic weekend 00:00 to 23:59

If the time-range shows 'inactive' when it should be active (e.g., during business hours), the ACL will not block traffic. Verify the time-range name and its periodic statements match the intended schedule.

3. Inspect the ACL configuration and its application

show access-list 101
Extended IP access list 101
   10 deny tcp any any eq 80 time-range BLOCK_WEB (inactive)
   20 deny tcp any any eq 443 time-range BLOCK_WEB (inactive)
   30 permit ip any any

If the ACL entries show 'inactive', the time-range is not currently active. If they show 'active' at the wrong time, the time-range may be misconfigured. Also check that the ACL is applied to the correct interface and direction.

4. Verify the ACL is applied to the correct interface and direction

show running-config interface GigabitEthernet0/0/0
interface GigabitEthernet0/0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 out

Ensure the ACL is applied to the WAN interface (outbound) to block traffic leaving to the internet. If applied inbound, it would not affect outbound web traffic.

Root Cause

The time-range 'BLOCK_WEB' is configured with the keyword 'periodic' but the times are reversed: it specifies 'weekdays 18:00 to 08:00', which means it is active from 6 PM to 8 AM, but the intent was to block during business hours (8 AM to 6 PM). The ACL entries are correctly referencing the time-range, but the time-range itself defines the opposite of the intended blocking period.

Resolution

Reconfigure the time-range to match the intended blocking schedule (block during business hours). On the router:

configure terminal
time-range BLOCK_WEB
 no periodic weekdays 18:00 to 08:00
 periodic weekdays 08:00 to 18:00
end

This changes the time-range to be active during business hours (8 AM to 6 PM weekdays), so the deny statements in the ACL will block web traffic during that period.

Verification

Run 'show time-range' to confirm the time-range is now active during business hours. Also run 'show access-list 101' to see the ACL entries show 'active' when within the configured time. For example:

show time-range
time-range entry: BLOCK_WEB (active)
   periodic weekdays 08:00 to 18:00

show access-list 101
Extended IP access list 101
   10 deny tcp any any eq 80 time-range BLOCK_WEB (active)
   20 deny tcp any any eq 443 time-range BLOCK_WEB (active)
   30 permit ip any any

Prevention

1. Always double-check the time-range logic: the ACL deny entries are active when the time-range is active, so define the time-range to cover the period when you want to deny traffic.

2. Use descriptive names for time-ranges (e.g., 'BLOCK_WEB_HOURS') and document the intended schedule.

3. Test the ACL by temporarily adjusting the router clock (if safe) or using 'clock set' to verify behavior before deploying.

CCNA Exam Relevance

On the CCNA 200-301 exam, time-based ACLs may appear in troubleshooting scenarios where the ACL does not work as expected. The exam tests understanding of how time-ranges interact with ACL entries, including the concept that the ACL deny/permit action is applied only when the time-range is active. Candidates must be able to interpret 'show time-range' and 'show access-list' output to identify misconfigurations.

Exam Tips

1. Remember that the time-range defines when the ACL entry is active; if you want to block during business hours, the time-range must be active during business hours.

2. The 'show time-range' command shows whether the time-range is active or inactive; this is a key diagnostic step.

3. Be careful with the order of times in the 'periodic' command: the start time must be before the end time; if you specify 18:00 to 08:00, it spans midnight and may not work as expected unless you use two separate statements.
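The evaluator below is an added example, not code from the page or from Cisco. It models how a 'periodic' time-range gates the deny entries of ACL 101, compares the reversed BLOCK_WEB range from the Root Cause against the corrected one from the Resolution, and, as an assumed simplification of IOS behaviour, treats a start time later than the end time as spanning midnight (tip 3 explains why two statements are the safe form on a real router).

```python
from datetime import datetime, time

# Day keywords accepted by IOS 'periodic', mapped to datetime.weekday() values.
DAY_GROUPS = {
    "weekdays": {0, 1, 2, 3, 4},          # Monday..Friday
    "weekend": {5, 6},
    "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

def parse_periodic(line):
    """Parse 'periodic <days> HH:MM to HH:MM' into (day set, start, end)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "periodic" or parts[3] != "to":
        raise ValueError(f"unsupported periodic statement: {line}")
    return DAY_GROUPS[parts[1].lower()], time.fromisoformat(parts[2]), time.fromisoformat(parts[4])

def periodic_active(stmt, now):
    days, start, end = stmt
    t = now.time()
    if start <= end:                      # window lies within one day
        return now.weekday() in days and start <= t <= end
    # start > end: assumed to span midnight (simplification; IOS expects two statements)
    yesterday = (now.weekday() - 1) % 7
    return (now.weekday() in days and t >= start) or (yesterday in days and t <= end)

def time_range_active(statements, now):
    """A time-range is active when any of its periodic statements is active."""
    return any(periodic_active(parse_periodic(s), now) for s in statements)

def acl_action(time_range, now, dst_port, proto="tcp"):
    """ACL 101 from the page: seq 10/20 deny tcp 80/443 only while the
    time-range is active; seq 30 permits everything else."""
    if proto == "tcp" and dst_port in (80, 443) and time_range_active(time_range, now):
        return "deny"
    return "permit"

# Constructed inputs: the reversed range from the page and the corrected one.
ORIGINAL = ["periodic weekdays 18:00 to 08:00", "periodic weekend 00:00 to 23:59"]
CORRECTED = ["periodic weekdays 08:00 to 18:00"]
BUSINESS = datetime(2024, 3, 4, 10, 30)   # Monday 10:30 local time
EVENING = datetime(2024, 3, 4, 20, 0)     # Monday 20:00 local time

if __name__ == "__main__":
    for name, rng in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, "business hours ->", acl_action(rng, BUSINESS, 80),
              "| evening ->", acl_action(rng, EVENING, 443))
```

With the original range the script permits port 80 during business hours and denies it in the evening; with the corrected range the behaviour flips to the intended one.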
