We are going to configure R5’s FastEthernet0/0 interface to block all outbound FTP traffic from 9 a.m. to 5 p.m., Monday through Friday. All other traffic should be allowed.
In this step we want to block all outbound FTP access on R5’s FastEthernet0/0 interface between 9 a.m. and 5 p.m. every weekday. We will first create our time range, then reference it in an extended access list, and finally apply the access list to R5’s FastEthernet0/0 interface in the outbound direction.
Step By Step Solution
First we need to create our time range. In this case we are using periodic since we want this to take effect every weekday, not just one time.
R5(config)#time-range BLOCKFTP
R5(config-time-range)# periodic weekdays 9:00 to 17:00
The name BLOCKFTP is arbitrary; you can name the time range anything you wish. The one important thing to remember is that the time is entered in military fashion, based on a 24-hour clock.
Next we will create the extended access-list to block the traffic during the time range.
R5(config)#access-list 100 deny tcp any any eq ftp time-range BLOCKFTP
R5(config)#access-list 100 deny tcp any any eq ftp-data time-range BLOCKFTP
R5(config)#access-list 100 permit ip any any
Since we are only told to block FTP traffic, we deny any source trying to reach any destination on the FTP and FTP-DATA ports during the specified time range. The time-range entries in the access list are only active during the specified times. However, the implicit deny at the end of the access list still exists, so we must enter permit ip any any to allow all other traffic through.
Finally we must apply the access-list on R5’s FastEthernet0/0 interface outbound.
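R5(config)#interface FastEthernet0/0
R5(config-if)# ip access-group 100 out
The time-range access list shows that it is ‘active’. Looking at our clock, we can see that it is 15:16 on a Thursday, so our time range should be active, and it is. Because the time range is evaluated against the router’s own clock, that clock must be correct for the schedule to be enforced when intended.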
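The following Python sketch is an added example, not part of the original walkthrough or any Cisco tooling: it models access-list 100 and the BLOCKFTP time range to show which entry decides a packet at a given clock time, and why the trailing permit is needed. The function names, the sample timestamps and the end-exclusive treatment of 17:00 are assumptions made for illustration.

```python
from datetime import datetime, time

# Model of "periodic weekdays 9:00 to 17:00" (time-range BLOCKFTP on the page).
# Assumption: the end time is treated as exclusive here; confirm the boundary
# behaviour of your own IOS release with "show time-range".
TIME_RANGES = {"BLOCKFTP": {"days": {0, 1, 2, 3, 4},  # Monday=0 .. Friday=4
                            "start": time(9, 0), "end": time(17, 0)}}
PORTS = {"ftp": 21, "ftp-data": 20}

# access-list 100 from the page: (action, protocol, destination port, time-range)
ACL_100 = [
    ("deny", "tcp", "ftp", "BLOCKFTP"),
    ("deny", "tcp", "ftp-data", "BLOCKFTP"),
    ("permit", "ip", None, None),
]

# Constructed sample timestamps (2024-01-04 is a Thursday, 2024-01-06 a Saturday).
THU_1516 = datetime(2024, 1, 4, 15, 16)
THU_2000 = datetime(2024, 1, 4, 20, 0)
SAT_1200 = datetime(2024, 1, 6, 12, 0)

def range_active(name, now):
    """True when the named time range covers the given clock time."""
    tr = TIME_RANGES[name]
    return now.weekday() in tr["days"] and tr["start"] <= now.time() < tr["end"]

def evaluate(acl, proto, dport, now):
    """Return the action of the first matching active entry (first match wins)."""
    for action, ace_proto, ace_port, tr in acl:
        if tr is not None and not range_active(tr, now):
            continue  # an entry whose time range is inactive is skipped
        if ace_proto != "ip" and ace_proto != proto:
            continue  # "ip" matches every protocol
        if ace_port is not None and PORTS[ace_port] != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access list

if __name__ == "__main__":
    for label, now in (("Thu 15:16", THU_1516), ("Thu 20:00", THU_2000),
                       ("Sat 12:00", SAT_1200)):
        for port in (21, 20, 80):
            print(label, "tcp", port, evaluate(ACL_100, "tcp", port, now))
    # Without "permit ip any any" everything else hits the implicit deny.
    print("no permit, tcp 80:", evaluate(ACL_100[:2], "tcp", 80, THU_1516))
```

Dropping the final entry (`ACL_100[:2]`) makes every packet fall through to the implicit deny, including FTP outside business hours, because the two time-based entries are skipped when the range is inactive.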