Time-Based ACLs

Written by admin. Posted in ACLs

Time-based ACLs are access lists that let you restrict or allow resources based on time periods. For example, as a network administrator you may be asked to restrict web browsing to some particular servers during working hours. Implementing a time-based access list takes a few simple steps:

  • Define a time range when acl action must take place;
  • Define an ACL and apply time range to its statements;
  • Apply Access List to the interface you need.

In this lab we will do the following:

In the image below you have a Host, a Server, and the Router which stands between the two. Our task is to deny ICMP packets from Host to Server from passing through the router during working hours, between 9 A.M. and 6 P.M.
Time based ACL

I configured the interfaces with the IP addresses you see in the image. To simulate the Host and the Server I used two routers, each with a default route sending all traffic to Router. At this moment we can ping Server from Host, see below:

Host

Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
Host#

Now we'll begin to configure our time-based access list on Router. First we define a time range under global configuration mode:

Router

time-range ICMPDENY
 periodic daily 9:00 to 18:00

Next we define the access list and apply the time range to its deny statement:

Router

ip access-list extended 100 
 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY
 permit ip any any

At the end of the access list a permit ip any any statement was added to allow all packets that don't match the other statements. Next, go under interface fa 0/1, which points to Host, and apply the ACL to it so that inbound packets are processed:

Router

interface fastEthernet 0/1
 ip access-group 100 in

The last step is to set the time on Router. I've set it to a little before 9 o'clock so we can test before the time-based ACL comes into effect.

Router

Router#clock set 8:58:00 14 april 2013

Good. Now the ping from Host to Server:

Host

Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/64 ms
Host#

Because it is not yet 9 o'clock, our ping to Server succeeds. Let's look at the time-range and ACL status now.

Router#show time-range 
time-range entry: ICMPDENY (inactive)
   periodic daily 9:00 to 18:00
   used in: IP ACL entry

Router#show ip access-lists 100 
Extended IP access list 100
    10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (inactive)
    20 permit ip any any (5 matches)

You can see that the time range is not active yet, and neither is the first ACL statement, but the second statement already has 5 matches: our ICMP packets from Host to Server. After a few minutes we issue another ping.

Router

Router#show clock 
09:01:25.927 UTC Sun Apr 14 2013

Host

Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

Unsuccessful! The time range and the access list statement should be active now.

Router

Router#show time-range 
time-range entry: ICMPDENY (active)
   periodic daily 9:00 to 18:00
   used in: IP ACL entry

Router#show ip access-lists 100
Extended IP access list 100
    10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (active) (5 matches)
    20 permit ip any any (5 matches)

As you can see, both are active, and the deny statement of the access list now shows 5 matches.

Configuring a time-based ACL is quite an easy task. Because the ACL is enforced according to the router's own clock, it works best when all devices are synchronized to an NTP server. Thank you for reading!
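To make the matching logic behind the lab explicit, here is a small simulator, added as an example and not part of the original lab or of IOS itself, that evaluates the page's ACL 100 and ICMPDENY time range against a packet at a given router clock. It assumes only the ACL syntax subset used above (host/any addresses) and treats the end of the periodic window as inclusive.

```python
from datetime import datetime, time

# Constructed from the lab config on this page: the time range and ACL 100.
TIME_RANGES = {"ICMPDENY": (time(9, 0), time(18, 0))}  # periodic daily 9:00 to 18:00
ACL_100 = [
    "deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY",
    "permit ip any any",
]

def parse_entry(line):
    """Parse the subset of IOS extended-ACL syntax used on this page and return
    (action, proto, src, dst, time_range_or_None); addresses are 'any' or 'host A.B.C.D'."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    addrs = []
    for _ in range(2):                       # source, then destination
        if tok[0] == "any":
            addrs.append("any"); tok = tok[1:]
        elif tok[0] == "host":
            addrs.append(tok[1]); tok = tok[2:]
        else:
            raise ValueError(f"unsupported address form: {tok[0]}")
    time_range = tok[1] if tok[:1] == ["time-range"] else None
    return (action, proto, addrs[0], addrs[1], time_range)

def range_active(name, now):
    """'periodic daily HH:MM to HH:MM' is active while the router clock sits inside
    the window (end treated as inclusive here; an assumption of this simulator)."""
    start, end = TIME_RANGES[name]
    return start <= now.time() <= end

def evaluate(acl, proto, src, dst, now):
    """First-match lookup as IOS does it: an entry whose time range is inactive is
    skipped; if nothing matches, the implicit deny at the end of every ACL applies."""
    for action, p, s, d, tr in map(parse_entry, acl):
        if tr and not range_active(tr, now):
            continue
        if p not in ("ip", proto) or s not in ("any", src) or d not in ("any", dst):
            continue
        return action
    return "deny"

def decision_at(clock):
    """Decision for the lab's Host -> Server ICMP packet at a given router clock (ISO string)."""
    return evaluate(ACL_100, "icmp", "10.0.10.2", "10.0.0.2", datetime.fromisoformat(clock))

if __name__ == "__main__":
    for clock in ("2013-04-14 08:58:00", "2013-04-14 09:01:25", "2013-04-14 18:05:00"):
        print(clock, decision_at(clock))
```

Running it reproduces the lab (permit at 08:58, deny at 09:01) and adds a clock after 18:00 (permit again); every decision hinges on the router's clock, which is why an unsynchronized or wrongly set clock silently changes what the filter does.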

Download "Time-Based ACLs" GNS3 Lab


Comments (2)

  • Umer

    Great post. Thanks for sharing. :)

  • Vincent

    Wow, so straightforward and very simple to comprehend. Thanks for a work so massive. This has demystified the doubts I used to hold on these time-range things.
