Time-Based Access List

Consider a simple network as shown in the following topology:

[Topology diagram: image not available]

Time-based ACLs allow network administrators to control access based on the time of day.

Before starting, it is important to know that the time a time-based ACL is evaluated against is the device's own system clock. If that clock is wrong, the access window is enforced at the wrong hours, so the clock should be set correctly or, preferably, synchronized with an NTP server.

Below are the details of configuring the clock:

It can be set manually using:

R1# clock set 10:35:00 July 05 2014

It can be synchronized with an NTP server from global configuration mode using:

R1(config)# ntp server 41.222.88.32

The second step is to configure a time range using the following commands:

R1(config)# time-range int-range
R1(config-time-range)# periodic daily 08:00 to 14:00
R1(config-time-range)# exit

The last step is to configure and apply the ACL using the following commands:

R1(config)# ip access-list extended 100
R1(config-ext-nacl)# permit ip host 192.168.1.2 any
R1(config-ext-nacl)# deny tcp host 192.168.1.3 any eq 80 time-range int-range
R1(config-ext-nacl)# deny tcp host 192.168.1.3 any eq 443 time-range int-range
R1(config-ext-nacl)# permit ip host 192.168.1.3 any
R1(config-ext-nacl)# exit
R1(config)# interface FastEthernet 0/0
R1(config-if)# ip access-group 100 in
R1(config-if)# end

In this scenario, Host-A (192.168.1.2) has full access throughout the day. Host-B (192.168.1.3) has access throughout the day using all other protocols (SMTP, FTP, SSH, etc.), but its HTTP and HTTPS traffic (TCP destination ports 80 and 443, matched by `eq 80` and `eq 443` after the destination) is denied while the time range is active, from 08:00 to 14:00, and allowed before 08:00 or after 14:00. The order of the entries matters: the two time-limited deny entries must come before the final `permit ip host 192.168.1.3 any`, because the first matching entry wins and an entry whose time range is inactive is simply skipped. Any other source on FastEthernet 0/0 matches nothing and is dropped by the implicit deny at the end of the list.
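To make that evaluation order visible, here is an added Python model of how IOS walks this ACL (it is not Cisco code and is not from the original post): entries are tried top-down, an entry whose time range is inactive is skipped as if it were absent, and a packet that matches nothing falls to the implicit deny. The sample packets and the four-hour clock skew are constructed for the illustration, and treating the 08:00-14:00 window as inclusive at both ends is an assumption.

```python
"""Offline model of IOS time-based ACL evaluation (added illustration, not Cisco code)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TimeRange:
    """A single 'periodic daily hh:mm to hh:mm' statement."""
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        # Assumption: inclusive at both ends. IOS evaluates this against the
        # router's own clock, which is why clock/NTP configuration matters.
        return self.start <= now.time() <= self.end


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class Entry:
    """One access control entry of the extended ACL."""
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: str                             # 'host a.b.c.d' source, or "any"
    dst_port: Optional[int] = None       # 'eq <port>' after the destination
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: Packet, now: datetime) -> bool:
        # An entry whose time range is inactive is skipped, as if absent.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(acl: List[Entry], pkt: Packet, now: datetime) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny"


INT_RANGE = TimeRange(time(8, 0), time(14, 0))

# access-list 100 exactly as configured on R1 above.
ACL_100 = [
    Entry("permit", "ip", "192.168.1.2"),
    Entry("deny", "tcp", "192.168.1.3", 80, INT_RANGE),
    Entry("deny", "tcp", "192.168.1.3", 443, INT_RANGE),
    Entry("permit", "ip", "192.168.1.3"),
]

# Constructed sample traffic (not captured from the topology).
HOST_A_HTTP = Packet("192.168.1.2", "tcp", 80)
HOST_B_HTTPS = Packet("192.168.1.3", "tcp", 443)
HOST_B_SSH = Packet("192.168.1.3", "tcp", 22)
STRANGER_HTTP = Packet("192.168.1.4", "tcp", 80)

IN_WINDOW = datetime(2014, 7, 5, 10, 35)    # the clock set earlier in the post
AFTER_WINDOW = datetime(2014, 7, 5, 15, 0)


def policy_check() -> Dict[str, str]:
    """Verdict for each sample packet at a time inside and after the window."""
    return {
        "host_a_http_in_window": evaluate(ACL_100, HOST_A_HTTP, IN_WINDOW),
        "host_b_https_in_window": evaluate(ACL_100, HOST_B_HTTPS, IN_WINDOW),
        "host_b_https_after_window": evaluate(ACL_100, HOST_B_HTTPS, AFTER_WINDOW),
        "host_b_ssh_in_window": evaluate(ACL_100, HOST_B_SSH, IN_WINDOW),
        "stranger_http_in_window": evaluate(ACL_100, STRANGER_HTTP, IN_WINDOW),
    }


def skewed_clock_check(true_time: datetime, skew_hours: int) -> str:
    """Verdict for Host-B HTTPS when the router clock is off by skew_hours."""
    router_clock = true_time + timedelta(hours=skew_hours)
    return evaluate(ACL_100, HOST_B_HTTPS, router_clock)


if __name__ == "__main__":
    for name, verdict in policy_check().items():
        print(f"{name:28s} {verdict}")
    # Real time is inside the window, but a clock four hours slow
    # makes the time range inactive and lets Host-B's HTTPS through.
    print(f"{'host_b_https, clock 4h slow':28s} {skewed_clock_check(IN_WINDOW, -4)}")
```

The skewed-clock case is the practical reason for the NTP step: the policy is only as accurate as the router's clock. On the router itself, `show clock detail` and `show ntp status` confirm the time source, `show time-range int-range` reports whether the range is currently active, and `show access-lists 100` marks each time-limited entry as `(active)` or `(inactive)`, which is the quickest way to check that the window behaves as intended before relying on it.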

Finally, it is important to note that time ranges support several other settings: a time range can hold more than one `periodic` statement, a `periodic` statement can name days instead of `daily` (for example `periodic weekdays 08:00 to 17:00`, `periodic weekend 00:00 to 23:59`, or a list such as `periodic Monday Wednesday Friday 09:00 to 12:00`), and an `absolute` statement (`absolute start hh:mm day month year end hh:mm day month year`) limits the range to a fixed calendar interval, which is useful for contractor or maintenance-window access that must expire on its own.

For more information

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html

