Time Access List

The principal application of an access-list is packet filtering. If one of the conditions matches, it is executed and no other condition is matched further. It is a sequential set of different permit or deny criteria. Additionally, it ends with an implicit denial, therefore the rules ought to have at least one permit condition.

Access-list types include

• Standard Access List
• Time-based Access list,
• Named Access list,
• Extended Access list, and
• Reflexive Access list.

But in this section, we'll talk about time-based access lists.

Time Access List -

Time-based access-lists are a particular kind of access-list that regulate network access according to time intervals. It is helpful when you wish to impose limitations on outbound or incoming traffic based on a specific time of day or specific days of the week.

For instance, let's say we wish to restrict Internet access during business hours but allowing it over lunch. We can use time-based access-lists to block access to the Internet in situations like these.

In Cisco IOS Software Release 12.0.1.T, time-based ACLs were introduced to enable access control based on the time. Although router clocks can be used, NTP (Network Time Protocol) synchronisation is recommended.

Working of Time Access List -

There is a simple procedure for using Time-based access-list:

• Define time-range - First, we must define a time-range, which can be specified using the keywords absolute or periodic.
  • absolute: specifies a specific time. For instance, if we want to restrict ICMP traffic to a subnet from Tuesday to Friday (absolute time), we will use the absolute keyword.
  • periodic: specifies a time interval. For instance, if we want to block ICMP on a specific subnet every weekday (Monday through Friday), we can use the periodic keyword.
• Define an access-list - In the next step, we will define an access-list to which we will apply our time-range.
• Apply an access-list to an interface - The access-list will now be applied to an interface or line-vty based on our requirements.

Configuration -

There is a simple topology consisting of PC1 (ip address 10.1.1.2/24), router (ip address 10.1.1.1/24 on fa0/0 and 10.1.2.1/24 on fa0/1), PC2 (ip address 10.1.2.2/24) and two switches, Sw1 and Sw2, with all ports in vlan 1. We can see that after configuring these, PC1 can ping PC2.

In this scenario, we will deny PC1 the ability to ping PC2 within the time-range specified, and then apply this time-range to an access-list. Finally, we will apply this to a router interface. Also, we know that it works best with NTP, but in this case, we will use the router's local clock.

We can view a router's clock by issuing the following command:

We can also change the clock time with the following command:

Now, we'll define time-range by first specifying the time we want PC1 to be blocked in order for PC2 to ping PC1.

The name of time flow is time-range (any name can be given). We've given you the time range of 00:15 to 00:20 on July 1.
The use of an absolute keyword is demonstrated here.

If a scenario necessitates a periodic time span, it can be represented as:

Periodic is the name of the time-range in this case. The second command indicates that ping from 10.1.1.2 to 10.1.2.2 will be prohibited on all weekdays (Monday through Friday) from 0:15 to 0:20. (after we apply this time-range to an access-list and then applying access-list to an interface as described further).

Defining an extended access-list called Time acl that will allow ICMP traffic to pass through the router during the time-range we specify.

Now, we'll apply this access-list to the router's outbound interface fa0/1 to deny traffic in the time-range (time flow) that we've defined.

We will be unable to ping 10.1.2.2 within the timeframe we have set.

Benefits -

• Simple to implement
• It gives an administrator more control over traffic because it can be denied or permitted based on time.