2. Time-based ACLs are access lists that let you permit or deny traffic only during defined time periods. For example, as a network administrator you may be asked to restrict web browsing to particular servers during working hours. Implementing a time-based access list takes a few simple steps:
■ define a time range during which the ACL action must take place;
■ define an ACL and apply the time range to the statements it should govern;
■ apply the access list to the interface you need.
3. The topology consists of a Host, a Server, and a Router that sits between the two. Our task is to deny ICMP packets from Host to Server passing through the Router during working hours, between 9 A.M. and 6 P.M.
4. We configured the interfaces with the IP addresses shown in the topology. To simulate the Host and the Server we used two routers, each with a default route that sends all traffic to Router. At this point we can ping Server from Host:
Host
■ Host#ping 10.0.0.2
■ Type escape sequence to abort.
■ Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
■ !!!!!
■ Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
■ Host#
5. Now configure the time-based access list on Router. First, define a time range in global configuration mode:
Router
■ time-range ICMPDENY
■ periodic daily 9:00 to 18:00
■ Next, define the access list and attach the time range to the deny statement:
Router
■ ip access-list extended 100
■ deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY
■ permit ip any any
■ A permit ip any any statement was added at the end of the access list to allow all packets that don't match the other statements. Without it, the implicit deny at the end of every IOS ACL would drop all other traffic from Host, not just ICMP.
6. Enter interface fa 0/1, which faces Host, and apply the ACL to it so that inbound packets are filtered:
Router
■ interface fastEthernet 0/1
■ ip access-group 100 in
■ The last step is to set the time on Router. We set it to a little before 9 o'clock so we can test before the time-based ACL comes into effect:
Router
■ Router#clock set 8:58:00 14 april 2013
7. Ping from Host to Server.
Host
■ Host#ping 10.0.0.2
■ Type escape sequence to abort.
■ Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
■ !!!!!
■ Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/64 ms
■ Host#
■ Because it is not yet 9 o'clock, the ping to Server succeeds.
8. Let's look at the time-range and ACL status now.
■ Router#show time-range
■ time-range entry: ICMPDENY (inactive)
■ periodic daily 9:00 to 18:00
■ used in: IP ACL entry
■ Router#show ip access-lists 100
■ Extended IP access list 100
■ 10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (inactive)
■ 20 permit ip any any (5 matches)
■ The time-range is not yet active, so the first statement of the ACL is inactive as well; the second statement already shows 5 matches, which are our ICMP packets from Host to Server. After a few minutes we issue another ping.
9. Router
■ Router#show clock
■ 09:01:25.927 UTC Sun Apr 14 2013
Host
■ Host#ping 10.0.0.2
■ Type escape sequence to abort.
■ Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
■ UUUUU
■ Success rate is 0 percent (0/5)
■ Unsuccessful! Each U is an ICMP destination unreachable returned by Router, which is how a packet dropped by an ACL shows up at the sender.
10. Router
■ Router#show time-range
■ time-range entry: ICMPDENY (active)
■ periodic daily 9:00 to 18:00
■ used in: IP ACL entry
■ Router#show ip access-lists 100
■ Extended IP access list 100
■ 10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (active) (5 matches)
■ 20 permit ip any any (5 matches)
■ As you can see, both the time-range and the deny statement are now active, and the deny statement shows 5 matches: the 5 echo requests of the last ping. The counter on the permit statement stayed at 5, because the ICMP packets were matched by the first statement and never reached the second.
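The whole procedure above, modelled as an added example (this is not code from the tutorial and not Cisco IOS code): a small Python evaluator that takes the time-range and the ACL exactly as typed on Router and returns the decision and the sequence number that show ip access-lists would count for a given clock value. Everything beyond the page's own configuration is an assumption of this model and is marked as such in the code: first-match semantics with the implicit deny at the end, an ACE whose time-range is inactive being skipped, an exclusive end time, and the few address forms it parses. It also goes one step beyond the tutorial: the show clock output in step 9 is a Sunday, and periodic daily was active then; a periodic weekdays range, which is what "working hours" usually means, would not have denied that ping.

```python
"""Model of IOS time-based ACL evaluation: an added example, not code from
the original page or from Cisco.  Modelling assumptions (labelled): a
time-range is active when any of its periodic statements matches; the end
time is exclusive; address forms parsed are 'host', 'any' and
'A.B.C.D WILDCARD'; no port matching; sequence numbers 10, 20, ... as IOS
assigns by default.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, IPv4Network

DAY_SETS = {
    "daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}


def clock_set(text):
    """Parse the argument of IOS 'clock set', e.g. '8:58:00 14 April 2013'."""
    return datetime.strptime(text, "%H:%M:%S %d %B %Y")


def _hhmm(text):
    hour, minute = map(int, text.split(":"))
    return time(hour, minute)


def parse_time_range(statements):
    """Parse the 'periodic DAY [DAY ...] HH:MM to HH:MM' lines entered under
    'time-range NAME'; returns a list of (weekday set, start, end)."""
    periodic = []
    for stmt in statements:
        w = stmt.split()
        if w[0] == "periodic":
            days = set().union(*(DAY_SETS[d] for d in w[1:-3]))
            periodic.append((days, _hhmm(w[-3]), _hhmm(w[-1])))
    return periodic


def time_range_active(periodic, now):
    """Mirror the (active)/(inactive) flag shown by 'show time-range'."""
    return any(now.weekday() in days and start <= now.time() < end
               for days, start, end in periodic)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    time_range: str = None


def _addr(w):
    """Consume one ACL address form; return (network, remaining words)."""
    if w[0] == "any":
        return IPv4Network("0.0.0.0/0"), w[1:]
    if w[0] == "host":
        return IPv4Network(w[1] + "/32"), w[2:]
    # 'A.B.C.D WILDCARD': a wildcard mask is the bitwise inverse of a netmask
    netmask = IPv4Address(int(IPv4Address(w[1])) ^ 0xFFFFFFFF)
    return IPv4Network(f"{w[0]}/{netmask}", strict=False), w[2:]


def parse_ace(seq, line):
    """Parse 'permit|deny PROTO SRC DST [time-range NAME]'."""
    w = line.split()
    src, rest = _addr(w[2:])
    dst, rest = _addr(rest)
    return Ace(seq, w[0], w[1], src, dst,
               rest[1] if rest[:1] == ["time-range"] else None)


def evaluate(aces, ranges, proto, src, dst, now):
    """First matching ACE wins.  An ACE whose time-range is inactive is
    skipped as if absent.  The implicit deny that ends every IOS ACL is
    reported as ('deny', None)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for ace in aces:
        if ace.time_range and not time_range_active(ranges[ace.time_range], now):
            continue
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", None


# The tutorial's configuration, transcribed as data.
RANGES = {"ICMPDENY": parse_time_range(["periodic daily 9:00 to 18:00"])}
ACL_100 = [parse_ace(10 * (i + 1), line) for i, line in enumerate([
    "deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY",
    "permit ip any any",
])]
# 'Working hours' as most sites mean it: Monday to Friday only.
WEEKDAY_RANGES = {"ICMPDENY": parse_time_range(["periodic weekdays 9:00 to 18:00"])}


def ping_result(ranges, clock):
    """Decision for Host (10.0.10.2) pinging Server (10.0.0.2) at 'clock'."""
    return evaluate(ACL_100, ranges, "icmp", "10.0.10.2", "10.0.0.2", clock)


if __name__ == "__main__":
    before = clock_set("8:58:00 14 April 2013")   # the tutorial's 'clock set'
    after = clock_set("9:01:25 14 April 2013")    # its 'show clock': a Sunday
    print("daily    08:58 ->", ping_result(RANGES, before))          # ('permit', 20)
    print("daily    09:01 ->", ping_result(RANGES, after))           # ('deny', 10)
    print("weekdays 09:01 ->", ping_result(WEEKDAY_RANGES, after))   # ('permit', 20)
```

The model is only as good as the clock it is given, and so is the router: the active/inactive state of every time-range follows the system clock, so on a real device set the time zone with clock timezone and synchronise with NTP (ntp server) instead of relying on a one-off clock set, otherwise the deny window silently drifts or, after a reload without a battery-backed clock, never opens at all.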