I have a requirement to use a time-based ACL to impose a deny-any rule during an exam period.
I've noticed that if a student has been connected to the network before 15:00, the deny statement will not have any effect when the time-range ACL is activated.
Any new connections after 15:00 will be subject to the deny statement.
Is this the right behavior?
-----------------------
user-role OPEN
 access-list session ACL-OPEN
time-range UT-timebase periodic
 weekday 15:00 to 18:00
ip access-list session ACL-OPEN
 any host 10.1.1.1 any permit <-------- Permit statement to exam server
 any any any deny time-range UT-timebase <-------- Time-based deny statement to block internet traffic
 any any any permit <-------- Permit statement to internet
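
The behaviour described in this post, as an added example that is not part of the original post and not the controller's own code: a simplified Python model of a stateful session table, assuming the ACL is evaluated only when a new session is created and established flows are forwarded from the session table. The `Firewall` class, its `revalidate` method and the sample internet addresses are constructed for illustration.

```python
from datetime import datetime, time

EXAM_SERVER = "10.1.1.1"
UT_TIMEBASE = (time(15, 0), time(18, 0))   # weekday 15:00 to 18:00
# Model of the posted policy, first match wins: (destination or None=any, action, time range)
POLICY = [
    (EXAM_SERVER, "permit", None),
    (None, "deny", UT_TIMEBASE),
    (None, "permit", None),
]

def in_range(now, rng):
    return now.weekday() < 5 and rng[0] <= now.time() < rng[1]

def evaluate(dst, now):
    for rule_dst, action, rng in POLICY:
        if rule_dst not in (None, dst):
            continue
        if rng is not None and not in_range(now, rng):
            continue                        # inactive time range: rule is skipped
        return action
    return "deny"                           # implicit deny at end of ACL

class Firewall:
    """Assumed model: the ACL is consulted only for flows not yet in the session table."""
    def __init__(self):
        self.sessions = set()

    def packet(self, src, dst, now):
        if (src, dst) in self.sessions:
            return "permit"                 # established flow, ACL not re-evaluated
        action = evaluate(dst, now)
        if action == "permit":
            self.sessions.add((src, dst))
        return action

    def revalidate(self, now):
        """Drop sessions the policy would no longer permit (hypothetical remediation hook)."""
        self.sessions = {f for f in self.sessions if evaluate(f[1], now) == "permit"}

def run(revalidate_at_start):
    before = datetime(2024, 3, 4, 14, 55)   # constructed timestamps, a Monday
    during = datetime(2024, 3, 4, 15, 5)
    fw = Firewall()
    fw.packet("student", "203.0.113.10", before)      # flow opened before the exam window
    if revalidate_at_start:
        fw.revalidate(during)
    return (fw.packet("student", "203.0.113.10", during),   # pre-existing flow
            fw.packet("student", "198.51.100.7", during),   # new flow
            fw.packet("student", EXAM_SERVER, during))      # exam server
```

In this model the deny only reaches a flow opened before 15:00 if its session entry is removed or re-evaluated once the time range becomes active.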