Time-Based Access List
Consider a simple network as shown in the following topology:
Time-based ACLs allow network administrators for controlling access based on time.
Before starting, it is important to know that the considered time is the device system clock. Therefore, the device clock should be correctly configured or synchronized with an NTP server.
Below is the details of configuring the clock:
It can be set manually using:
R1# clock set 10:35:00 July 05 2014
It can be synchronized with NTP server using:
R1# ntp server 220.127.116.11
The second step is to configure a time range using the following commands:
R1(config)# time-range int-range R1(config-time-range)# periodic daily 08:00 to 14:00 R1(config-time-range)# exit
The last step is to configure & to apply the ACL using the following commands:
R1(config)# ip access-list extended 100 R1(config-ext-nacl)# permit ip host 192.168.1.2 any R1(config-ext-nacl)# deny tcp host 192.168.1.3 any eq 80 time-range int-range R1(config-ext-nacl)# deny tcp host 192.168.1.3 any eq 443 time-range int-range R1(config-ext-nacl)# permit ip host 192.168.1.3 any R1(config)# interface FastEthernet 0/0 R1(config-if)# ip access-group 100 in R1(config-if)# end
In this scenario, the Host-A will have a full access throughout the day, and the Host-B will have access throughout the day using all protocols (such as SMTP, FTP, SSH, etc.) except for HTTP & HTTPS (which are allowed either before 08:00 or after 14:00).
Finally, it is important to note that Time-Based ACLs support several other settings.
For more information