Sunday, 26 May 2013

Time-based ACLs




Time-based ACLs are access control lists whose entries are enforced only during defined times of day or days of the week. They work with extended IP access lists (named here; numbered extended ACLs accept the same time-range keyword). A time-based ACL is built by first creating a time range that defines specific times of the day and week; the time range can be named after its function. The time range is then referenced from an entry of the extended named access list, producing a time-based access list, and the ACL is applied to an interface just like any other ACL. This gives a network admin a lot of flexibility in what to deny or permit at any time of the day.
e.g. Imagine your organisation requires that users may reach a web server with IP 1.1.1.1 at R1 only during working hours, and that the users come from R2 and R3. We will simulate the users with the loopbacks of R2 and R3. Users should not have access to this web server outside working hours, but all other traffic is allowed.

 ===========================================================
R1
==
conf t
int fast0/0
ip add 192.168.12.1 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 1.1.1.1 255.255.255.255
ip ospf 1 area 0
exit
===========================================================
R2
==
conf t
int fast0/0
ip add 192.168.12.2 255.255.255.0
ip ospf 1 area 0
no shut
exit
int fast0/1
ip add 192.168.23.2 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 2.2.2.2 255.255.255.255
ip ospf 1 area 0
exit
============================================================
R3
==
conf t
int fast0/0
ip add 192.168.23.3 255.255.255.0
ip ospf 1 area 0
no shut
exit
int loopback0
ip add 3.3.3.3 255.255.255.255
ip ospf 1 area 0
exit

In order to simulate R1 as a web server we enable the HTTP server on R1 as follows (this exposes the router's own web management interface, so outside a lab prefer ip http secure-server with authentication, or disable it again after the test):

R1(config)#ip http server

Let us verify that R1 is accepting web requests, for example by opening a TCP connection to port 80 from R3 with telnet.




We first create our time range.
R2(config)#time-range WORK_HOURS
R2(config-time-range)#periodic weekdays 09:00 to 16:59
R2(config-time-range)#exit


We now create our named extended access list and tie it to the time range. The first entry permits web traffic to 1.1.1.1 only while WORK_HOURS is active; when the range is inactive the router skips that entry as if it were not there, so the request falls through to the explicit deny, while the final permit ip any any keeps all other traffic flowing.

R2(config)#ip access-list extended DENY_WEB
R2(config-ext-nacl)#permit tcp any host 1.1.1.1 eq www time-range WORK_HOURS
R2(config-ext-nacl)#deny tcp any host 1.1.1.1 eq www
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#exit




We now apply the access list inbound on an interface of R2.

R2(config)#int fast0/0
R2(config-if)#ip access-group DENY_WEB in
R2(config-if)#exit

A note on placement: an inbound ACL is checked against packets arriving on that interface. R2's fast0/0 faces R1 (192.168.12.0/24), so an ACL inbound there sees traffic coming from R1, not requests from R3 heading to 1.1.1.1, which enter R2 on fast0/1. To filter the users behind R3, apply DENY_WEB inbound on fast0/1 (or outbound on fast0/0), and remember that traffic R2 generates itself (for example a test from its own loopback) is not checked by R2's own ACLs at all.
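To see how the router walks this ACL for a given clock value, the following is an added example (not code from the original post, and not Cisco code) that parses the time range and the DENY_WEB entries exactly as written above and returns the permit/deny verdict for a request. It models only the keywords used on this page, and it assumes, as IOS does, that a periodic end time is inclusive to the minute; the dates used are constructed around the post's date.

```python
# Added example (not code from the original post): a small simulator of how a
# Cisco IOS router walks a named extended ACL whose entries carry a time-range.
# Only the keywords used on this page are modelled (periodic with day groups or
# day names, permit/deny, ip/tcp/udp, any/host, eq <port>, time-range NAME).
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}  # Monday = 0
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23}

@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # "any" or a host address
    dst: str
    dport: Optional[int]       # destination port from "eq", None if absent
    time_range: Optional[str]  # name from "time-range", None if absent

def parse_time_ranges(config: str) -> dict:
    """Map each `time-range NAME` to a list of (days, start, end) periodic statements."""
    ranges, current = {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok and tok[0] == "time-range":
            current = tok[1]
            ranges[current] = []
        elif tok and tok[0] == "periodic" and current is not None:
            days, i = set(), 1
            while tok[i] in DAY_GROUPS or tok[i] in DAY_NAMES:
                days |= DAY_GROUPS[tok[i]] if tok[i] in DAY_GROUPS else {DAY_NAMES.index(tok[i])}
                i += 1
            # what remains is "HH:MM to HH:MM"
            ranges[current].append((days, time.fromisoformat(tok[i]), time.fromisoformat(tok[i + 2])))
    return ranges

def _address(tok: list, i: int):
    """Parse `any` or `host A.B.C.D` at tok[i]; return (address, index of next token)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form {tok[i]!r}; only any/host are modelled")

def parse_acl(config: str) -> list:
    """Parse the permit/deny entries of one `ip access-list extended` block, in order."""
    aces = []
    for tok in (line.split() for line in config.splitlines()):
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        src, i = _address(tok, 2)
        dst, i = _address(tok, i)
        dport = time_range = None
        while i < len(tok):
            if tok[i] == "eq":
                dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            elif tok[i] == "time-range":
                time_range = tok[i + 1]
            else:
                raise ValueError(f"unsupported keyword {tok[i]!r}")
            i += 2
        aces.append(Ace(tok[0], tok[1], src, dst, dport, time_range))
    return aces

def time_range_active(periods: list, now: datetime) -> bool:
    """True if any periodic statement covers `now`. ASSUMPTION: seconds are ignored
    and the end minute is inclusive, which is why the page's range ends at 16:59."""
    minute = now.time().replace(second=0, microsecond=0)
    return any(now.weekday() in days and start <= minute <= end for days, start, end in periods)

def evaluate(aces: list, ranges: dict, pkt: dict, now: datetime) -> str:
    """Top-down walk as IOS does it: an entry whose time range is inactive is skipped
    as if it were not configured, and falling off the end is the implicit deny."""
    for ace in aces:
        if ace.time_range and not time_range_active(ranges[ace.time_range], now):
            continue
        if (ace.proto in ("ip", pkt["proto"]) and ace.src in ("any", pkt["src"])
                and ace.dst in ("any", pkt["dst"]) and ace.dport in (None, pkt.get("dport"))):
            return ace.action
    return "deny"

# The page's own configuration, embedded here as constructed input.
TIME_RANGE_CFG = """
time-range WORK_HOURS
 periodic weekdays 09:00 to 16:59
"""
ACL_CFG = """
ip access-list extended DENY_WEB
 permit tcp any host 1.1.1.1 eq www time-range WORK_HOURS
 deny tcp any host 1.1.1.1 eq www
 permit ip any any
"""
RANGES = parse_time_ranges(TIME_RANGE_CFG)
ACL = parse_acl(ACL_CFG)

def check_web(src: str, when_iso: str, dport: int = 80) -> str:
    """Verdict for a TCP request from src to 1.1.1.1:dport when R2's clock reads when_iso."""
    pkt = {"proto": "tcp", "src": src, "dst": "1.1.1.1", "dport": dport}
    return evaluate(ACL, RANGES, pkt, datetime.fromisoformat(when_iso))
```

Calling check_web("3.3.3.3", "2013-05-28T10:30") (a Tuesday morning) returns "permit", the same request at 17:00 or on Sunday 26 May returns "deny", and a request to port 22 at 17:00 still returns "permit" via the final entry. The same walk is what you see on the router: show access-lists DENY_WEB marks the first entry (active) or (inactive) according to R2's clock, which is the one that matters, not the client's.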



We set the clock at R2 outside the time range (clock set hh:mm:ss day month year in privileged EXEC; show clock and show time-range WORK_HOURS confirm the result) and try to access the web server from R3.

When the time at R2 is outside the time range, the user cannot access the web server: show access-lists DENY_WEB marks the first entry (inactive), so the request falls through to the deny entry.

Let us set the clock at R2 within the time range and see what happens.

Now the first entry shows (active) and the same request reaches the web server!!

Two points worth remembering: the time range is evaluated against the clock of the router where the ACL is applied (R2 here), not the client's, so that router needs a correct clock timezone and ideally NTP synchronisation (ntp server), otherwise the policy silently shifts with the clock; and IOS treats the end time of a periodic statement as inclusive, which is why the range ends at 16:59 rather than 17:00.
