Time Access List
The principal application of an access-list is packet filtering. If one of the conditions matches, it is executed and no other condition is matched further. It is a sequential set of different permit or deny criteria. Additionally, it ends with an implicit denial, therefore the rules ought to have at least one permit condition.
Access-list types include
But in this section, we'll talk about time-based access lists.
Time Access List -
Time-based access-lists are a particular kind of access-list that regulate network access according to time intervals. It is helpful when you wish to impose limitations on outbound or incoming traffic based on a specific time of day or specific days of the week.
For instance, let's say we wish to restrict Internet access during business hours but allowing it over lunch. We can use time-based access-lists to block access to the Internet in situations like these.
In Cisco IOS Software Release 12.0.1.T, time-based ACLs were introduced to enable access control based on the time. Although router clocks can be used, NTP (Network Time Protocol) synchronisation is recommended.
Working of Time Access List -
There is a simple procedure for using Time-based access-list:
There is a simple topology consisting of PC1 (ip address 10.1.1.2/24), router (ip address 10.1.1.1/24 on fa0/0 and 10.1.2.1/24 on fa0/1), PC2 (ip address 10.1.2.2/24) and two switches, Sw1 and Sw2, with all ports in vlan 1. We can see that after configuring these, PC1 can ping PC2.
In this scenario, we will deny PC1 the ability to ping PC2 within the time-range specified, and then apply this time-range to an access-list. Finally, we will apply this to a router interface. Also, we know that it works best with NTP, but in this case, we will use the router's local clock.
We can view a router's clock by issuing the following command:
We can also change the clock time with the following command:
Now, we'll define time-range by first specifying the time we want PC1 to be blocked in order for PC2 to ping PC1.
The name of time flow is time-range (any name can be given). We've given you the time range of 00:15 to 00:20 on July 1.
If a scenario necessitates a periodic time span, it can be represented as:
Periodic is the name of the time-range in this case. The second command indicates that ping from 10.1.1.2 to 10.1.2.2 will be prohibited on all weekdays (Monday through Friday) from 0:15 to 0:20. (after we apply this time-range to an access-list and then applying access-list to an interface as described further).
Defining an extended access-list called Time acl that will allow ICMP traffic to pass through the router during the time-range we specify.
Now, we'll apply this access-list to the router's outbound interface fa0/1 to deny traffic in the time-range (time flow) that we've defined.
We will be unable to ping 10.1.2.2 within the timeframe we have set.