Time based Access-List
Prerequisite – Access-lists (ACL)
An access-list is used mainly for packet filtering. It is a sequential series of permit or deny conditions: the first condition that matches is applied and no further conditions are evaluated. It also contains an implicit deny at the end, therefore the list should have at least one permit condition.
There are many types of Access-list like:
- Standard Access-list,
- Extended access-list,
- Reflexive access-list,
- Named Access-list,
- Time based Access-list etc.
Here, we will discuss time-based access-lists.
Time-based access-list –
A time-based access-list is a type of access-list that allows or blocks network access on the basis of a time period. It is useful when you want to place restrictions on outbound or inbound traffic at a particular time of the day or on particular days of the week.
For example, suppose we want to deny employees access to the Internet during working hours and allow it during lunch time. In such scenarios, we can implement a time-based access-list that denies access to the Internet outside the allowed period.
Time-based ACLs were introduced in Cisco IOS Software Release 12.0.1.T to allow access control based on time. They work best with NTP (Network Time Protocol) synchronisation but can also work from the router's local clock.
To apply a time-based access-list, there is a simple procedure:
- Define a time-range – first, we define a time-range using either the absolute or the periodic keyword.
absolute: defines an absolute (fixed, non-repeating) time window. For example, if we want to block ICMP traffic to a subnet from Tuesday to Friday of a given week (absolute time), we use the absolute keyword.
periodic: defines a recurring time. For example, if we want to block ICMP on a particular subnet every weekday (Monday to Friday), we use the periodic keyword.
- Define an access-list – next, an access-list is defined whose entries reference the time-range.
- Apply the access-list to an interface – finally, the access-list is applied to an interface or to the vty lines, as needed.
Consider a simple topology with PC1 (IP address 10.1.1.2/24), a router (10.1.1.1/24 on fa0/0 and 10.1.2.1/24 on fa0/1), PC2 (IP address 10.1.2.2/24) and two switches, Sw1 and Sw2, with all ports in VLAN 1. After configuring these, we can see that PC1 is able to ping PC2.
In this scenario, we will define a time-range, reference it from an access-list entry that denies PC1 from pinging PC2, and finally apply that access-list to an interface of the router. Although time-based ACLs work best with NTP, here we will use the router's local clock.
We can view the router's clock with the command:
We can also set the clock with the command:
router#clock set 0:10:0 1 July 2018
First, we define the time-range that specifies when PC1 is to be blocked from pinging PC2.
router(config)#time-range time_flow
router(config-time-range)#absolute start 00:15 1 July 2018 end 00:20 1 July 2018
time_flow is the name of the time-range (any name can be used). We have defined the range from 00:15 to 00:20 on 1 July 2018.
This shows the use of the absolute keyword.
If a scenario requires a periodic time-range instead, it is defined as:
router(config)#time-range Periodic
router(config-time-range)#periodic weekdays 0:15 to 0:20
Here, Periodic is the name of the time-range. The second command means that on every weekday (Monday to Friday) from 0:15 to 0:20, pings from 10.1.1.2 to 10.1.2.2 will not be allowed (once this time-range is referenced from an access-list and that access-list is applied to an interface, as described below).
Next, we define an extended access-list named Time_acl that denies ICMP traffic from PC1 to PC2 through the router during the time-range we defined and permits all other traffic (recall that the implicit deny at the end would otherwise block everything).
router(config)#ip access-list extended Time_acl
router(config-ext-nacl)#deny icmp host 10.1.1.2 host 10.1.2.2 time-range time_flow
router(config-ext-nacl)#permit ip any any
Now, we apply this access-list to interface fa0/1 of the router in the outbound direction, so that the traffic is denied during the time-range (time_flow) we defined.
router(config)#int fa0/1
router(config-if)#ip access-group Time_acl out
Once this is applied, PC1 will not be able to ping 10.1.2.2 during the time-range we defined.
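To make the three-step procedure (time-range, access-list, interface) and the worked configuration above concrete, here is an added Python model of how a time-based ACL is evaluated. It is example code written for this article, not IOS software: it parses the article's own time-range lines and access-list entries, then replays PC1 (10.1.1.2) pinging PC2 (10.1.2.2) at different times, including the case where the trailing permit is missing. Assumptions of this toy: time-range bounds are treated as inclusive, only the full "absolute start ... end ..." form is parsed, and the names TimeRange, parse_ace, evaluate and demo are this example's own.

```python
"""Toy evaluator for Cisco-style time-based ACLs (added example, not IOS code)."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Day keywords accepted by IOS "periodic", mapped onto Python's Monday == 0 weekday numbers
DAY_SETS = {"daily": set(range(7)), "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6},
            "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
            "friday": {4}, "saturday": {5}, "sunday": {6}}
ABS_FMT = "%H:%M %d %B %Y"          # "00:15 1 July 2018", the form used in the article

def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

@dataclass
class TimeRange:
    name: str
    absolute: tuple = None          # (start, end) datetimes; bounds treated as inclusive (assumption)
    periodic: list = field(default_factory=list)   # [(weekday set, start time, end time)]

    def add(self, line):
        """Parse one time-range sub-mode line: 'absolute start <t> end <t>' (both bounds
        required by this toy parser) or 'periodic <days> HH:MM to HH:MM'."""
        t = line.split()
        if len(t) == 11 and t[0] == "absolute" and t[1] == "start" and t[6] == "end":
            self.absolute = (datetime.strptime(" ".join(t[2:6]), ABS_FMT),
                             datetime.strptime(" ".join(t[7:11]), ABS_FMT))
        elif len(t) == 5 and t[0] == "periodic" and t[3] == "to":
            self.periodic.append((DAY_SETS[t[1]], _hhmm(t[2]), _hhmm(t[4])))
        else:
            raise ValueError(f"unsupported time-range line: {line}")
        return self

    def active(self, now):
        """An absolute window bounds the whole range; periodic entries are ORed inside it."""
        if self.absolute and not (self.absolute[0] <= now <= self.absolute[1]):
            return False
        if not self.periodic:
            return self.absolute is not None
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)

Ace = namedtuple("Ace", "action proto src dst time_range")

def _addr(t, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at t[i]; returns (network, next index)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1]), i + 2
    # an IOS wildcard mask is a host mask, which ipaddress accepts as "addr/hostmask"
    return ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line, ranges):
    """Parse '<permit|deny> <proto> <src> <dst> [time-range NAME]' as typed in ext-nacl mode."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    tr = ranges[t[i + 1]] if i < len(t) and t[i] == "time-range" else None
    return Ace(t[0], t[1], src, dst, tr)

def evaluate(acl, proto, src, dst, now):
    """First matching entry decides; an entry whose time-range is inactive is skipped
    as if absent; running off the end of the list hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
            continue
        if ace.time_range is not None and not ace.time_range.active(now):
            continue
        return ace.action
    return "deny"

def demo():
    """Replays the article's scenario: PC1 (10.1.1.2) pinging PC2 (10.1.2.2) through Time_acl."""
    ranges = {"time_flow": TimeRange("time_flow").add(
                  "absolute start 00:15 1 July 2018 end 00:20 1 July 2018"),
              "Periodic": TimeRange("Periodic").add("periodic weekdays 0:15 to 0:20")}

    def acl(tr, with_permit=True):
        entries = [parse_ace(f"deny icmp host 10.1.1.2 host 10.1.2.2 time-range {tr}", ranges)]
        return entries + [parse_ace("permit ip any any", ranges)] if with_permit else entries

    def ping(entries, when):
        return evaluate(entries, "icmp", "10.1.1.2", "10.1.2.2", when)

    return {
        "before_window": ping(acl("time_flow"), datetime(2018, 7, 1, 0, 10)),
        "in_window": ping(acl("time_flow"), datetime(2018, 7, 1, 0, 17)),
        "after_window": ping(acl("time_flow"), datetime(2018, 7, 1, 0, 25)),
        # without a permit entry the implicit deny blocks the ping even outside the window
        "deny_only_outside_window": ping(acl("time_flow", False), datetime(2018, 7, 1, 0, 10)),
        # 1 July 2018 is a Sunday, so "weekdays" does not match it; 2 July is a Monday
        "periodic_sunday": ping(acl("Periodic"), datetime(2018, 7, 1, 0, 17)),
        "periodic_monday": ping(acl("Periodic"), datetime(2018, 7, 2, 0, 17)),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:26} {verdict}")
```

The deny_only_outside_window case is the one to watch: with only the deny entry in Time_acl, the ping is blocked even at 00:10, before the window opens, because the packet falls through to the implicit deny. The periodic cases show why the day keyword matters when testing against the router's clock: 1 July 2018 is a Sunday, so a "weekdays" range is not active on that date.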
Advantages of time-based access-list –
- Easy to implement.
- It gives the administrator greater control over traffic, since traffic can be denied or permitted on the basis of time.