Time-Based Access Lists: Control Network Access Based on Time
Learn how to implement time-based access lists (ACLs) to control network access based on specific time intervals. This guide explains how to configure time-based ACLs for granular control over network traffic and resource access.
Introduction to Time-Based Access Lists
Time-based access lists (ACLs) are a type of access control list that allows administrators to restrict network access based on specific time intervals. This provides granular control over network traffic, enabling organizations to manage access to resources more effectively. For example, you might want to block internet access during work hours but allow it during lunch breaks.
How Time-Based Access Lists Work
Implementing time-based ACLs typically involves these steps:
- Define a Time Range: Create a named time range specifying the periods when access restrictions should apply. You can define time ranges using either the absolute or periodic keyword:
  - absolute: Specifies a specific date and time (e.g., block access from 10 AM to 11 AM on July 4th).
  - periodic: Defines a recurring time interval (e.g., block access every weekday from 6 PM to 8 PM).
- Define an Access List: Create an access list (either standard or extended) that includes the time range. This access list defines the traffic that will be affected by the time-based restrictions.
- Apply the Access List: Apply the access list to a specific interface or line (e.g., a router interface).
Configuration Example
Let's consider a simple network with:
- PC1 (IP: 10.1.1.2/24)
- Router (10.1.1.1/24 on fa0/0, 10.1.2.1/24 on fa0/1)
- PC2 (IP: 10.1.2.2/24)
- Two switches (Sw1 and Sw2) in VLAN 1.
We'll configure a time-based ACL to block PC1 from pinging PC2 during a specific time.
1. Router Time Configuration:
Time ranges are evaluated against the router's system clock, so first verify (and optionally set) the clock using the show clock and clock set commands.
2. Defining the Time Range (absolute):
time-range time_flow
absolute start 00:15 1 July 2018 end 00:20 1 July 2018
This creates a time range named "time_flow" that starts at 00:15 and ends at 00:20 on July 1, 2018.
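2b. Defining the Time Range (periodic alternative):
time-range periodic_range
periodic weekdays 0:15 to 0:20
This creates a time range named "periodic_range" that applies from 00:15 to 00:20 every weekday. To use it instead of the absolute range, reference periodic_range in the access list entry.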
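3. Defining the Access List:
ip access-list extended Time_acl
deny icmp host 10.1.1.2 host 10.1.2.2 time-range time_flow
permit ip any any
This extended ACL denies ICMP (ping) traffic from PC1 to PC2 while the "time_flow" range is active. The closing permit ip any any lets all other traffic through; without it, the implicit deny at the end of the ACL would drop everything else leaving fa0/1.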
4. Applying the Access List:
interface fa0/1
ip access-group Time_acl out
This applies the ACL to traffic leaving the router through fa0/1, the interface facing PC2.
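To check when each range above actually matches before relying on it, the following Python sketch parses the two time-range definitions and evaluates them against a timestamp. It is an added example, not part of the original guide; the function names are hypothetical, and treating the end minute as inclusive is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the two time ranges defined in the configuration above.
CONFIG = """\
time-range time_flow
absolute start 00:15 1 July 2018 end 00:20 1 July 2018
time-range periodic_range
periodic weekdays 0:15 to 0:20
"""

# Day keywords covered by this sketch (Monday is 0 in datetime.weekday()).
DAYS = {"daily": range(7), "weekdays": range(5), "weekend": (5, 6)}
STAMP = "%H:%M %d %B %Y"

def parse_time_ranges(text):
    """Return {range name: [rule, ...]} for absolute and periodic entries."""
    ranges, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"time-range (\S+)", line):
            current = ranges.setdefault(m.group(1), [])
        elif current is None:
            continue
        elif m := re.fullmatch(r"absolute start (.+) end (.+)", line):
            start, end = (datetime.strptime(s, STAMP) for s in m.groups())
            current.append(("absolute", start, end))
        elif m := re.fullmatch(r"periodic (\w+) (\d+):(\d+) to (\d+):(\d+)", line):
            h1, m1, h2, m2 = map(int, m.groups()[1:])
            current.append(("periodic", DAYS[m.group(1)], h1 * 60 + m1, h2 * 60 + m2))
    return ranges

def is_active(rules, when):
    """True if a rule covers `when`.

    Assumptions: the end minute is inclusive, and a range holds either an
    absolute entry or periodic entries (combined ranges are not modelled).
    """
    when = when.replace(second=0, microsecond=0)
    minute = when.hour * 60 + when.minute
    for kind, *args in rules:
        if kind == "absolute" and args[0] <= when <= args[1]:
            return True
        if kind == "periodic" and when.weekday() in args[0] and args[1] <= minute <= args[2]:
            return True
    return False

RANGES = parse_time_ranges(CONFIG)
```

Note that 1 July 2018 was a Sunday, so periodic_range (weekdays) is inactive during the very window that time_flow covers; swapping one range for the other changes which pings are blocked.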
Benefits of Time-Based Access Lists
- Easy Implementation: Simple to configure and manage.
- Granular Control: Allows for precise control of network access based on time.
Conclusion
Time-based access lists provide a powerful way to control network access based on time of day or day of the week. They are relatively easy to implement and can significantly enhance network security and management.