Guide to configuring Time-Based ACLs (Access Lists)


Time-based ACLs are Access Lists that enable you to restrict or allow resources based on time periods. For example, you as a network administrator are asked to restrict web browsing to some particular servers during working hours. Implementing a time-based access list takes a few simple steps:
  • Define a time range when acl action must take place;
  • Define an ACL and apply time range to its statements;
  • Apply Access List to the interface you need.
In this lab we will do the following:
In the image below you have a Host, a Server, and the Router which stands between the two. Our task is to deny ICMP packets from passing through the Router from Host to Server during working hours, between 9 A.M. and 6 P.M.
I configured the interfaces with the IP addresses that you see in the image. To simulate the Host and the Server I used two routers instead, each with a default route sending all traffic to Router. At this moment we can ping Server from Host, see below:
 Host

Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/36 ms
Host#
Now we’ll begin to configure our time-based access list on Router. First, we define a time range under global configuration mode:
Router
time-range ICMPDENY
 periodic daily 9:00 to 18:00
Next, we define the access list and apply the time range to its deny statement:
Router
ip access-list extended 100 
 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY
 permit ip any any
At the end of the access list a permit any statement was added to allow all packets that don’t match the other statements; without it, the implicit deny at the end of every ACL would drop all other traffic too. Next, go under interface fa 0/1, which points to Host, and apply the ACL to it to process inbound packets:
Router
interface fastEthernet 0/1
 ip access-group 100 in
The last step is to set the time on Router. I’ve configured it to be a little before 9 o’clock, to test before the time-based ACL comes into action.
Router
Router#clock set 8:58:00 14 april 2013
Good, and now the ping from Host to Server.
Host
Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/33/64 ms
Host#
Because it is not yet past 9 o’clock, our ping to Server is successful. Let’s look at the time-range and ACL status now.
Router#show time-range 
time-range entry: ICMPDENY (inactive)
   periodic daily 9:00 to 18:00
   used in: IP ACL entry

Router#show ip access-lists 100 
Extended IP access list 100
    10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (inactive)
    20 permit ip any any (5 matches)
You can see that the time-range is not active yet, and neither is the first statement in the ACL, but the second statement already has 5 matches, which are our ICMP packets from Host to Server. After a few minutes we issue another ping.
Router
Router#show clock 
09:01:25.927 UTC Sun Apr 14 2013
Host
Host#ping 10.0.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
Unsuccessful! The time-range and the access-list statement should be active now.
Router
Router#show time-range 
time-range entry: ICMPDENY (active)
   periodic daily 9:00 to 18:00
   used in: IP ACL entry

Router#show ip access-lists 100
Extended IP access list 100
    10 deny icmp host 10.0.10.2 host 10.0.0.2 time-range ICMPDENY (active) (5 matches)
    20 permit ip any any (5 matches)
As you can see, both of them are active, and the deny statement of the access list now has 5 matches: the ICMP echoes the router rejected, which is why Host received U (unreachable) instead of replies.
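To make the matching rules behind this lab explicit (first matching entry wins, an entry whose time-range is inactive is skipped, and the implicit deny applies when nothing matches), here is an added Python model of the time-range and ACL evaluation; it is not part of the original post and not Cisco code, treats the end time of the range as inclusive (an assumption), and also handles weekdays/weekend ranges beyond the daily one used above.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed model of IOS time-range and extended ACL semantics (not Cisco code).
# Day keywords map to Python weekday numbers (Monday = 0 ... Sunday = 6).
DAY_KEYWORDS = {"daily": range(7), "weekdays": range(5), "weekend": (5, 6)}


class TimeRange:
    """One 'time-range NAME' with a single 'periodic <days> hh:mm to hh:mm' line."""

    def __init__(self, name, days, start, end):
        self.name, self.days = name, DAY_KEYWORDS[days]
        self.start, self.end = time(*start), time(*end)

    def active(self, now):
        # Assumption: the range is active from start up to and including the end time.
        return now.weekday() in self.days and self.start <= now.time() <= self.end


class Ace:
    """One extended ACL entry: action protocol source destination [time-range]."""

    def __init__(self, action, proto, src, dst, time_range=None):
        self.action, self.proto, self.time_range = action, proto, time_range
        self.src, self.dst = ip_network(src), ip_network(dst)

    def matches(self, pkt, now):
        if self.time_range and not self.time_range.active(now):
            return False  # inactive entry is skipped, as 'show ip access-lists' reports
        return (self.proto in ("ip", pkt["proto"])  # 'ip' covers every protocol
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst)


def evaluate(acl, pkt, now):
    """First matching entry decides; the implicit deny applies if none matches."""
    for ace in acl:
        if ace.matches(pkt, now):
            return ace.action
    return "deny"


def at(clock):
    """Parse a clock string like '2013-04-14 08:58' into a datetime."""
    return datetime.strptime(clock, "%Y-%m-%d %H:%M")


# The lab's configuration and the Host -> Server ping (values taken from the post).
ICMPDENY = TimeRange("ICMPDENY", "daily", (9, 0), (18, 0))
ACL_100 = [Ace("deny", "icmp", "10.0.10.2/32", "10.0.0.2/32", ICMPDENY),
           Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
PING = {"proto": "icmp", "src": "10.0.10.2", "dst": "10.0.0.2"}

if __name__ == "__main__":
    for clock in ("2013-04-14 08:58", "2013-04-14 09:01"):
        print(clock, "range active:", ICMPDENY.active(at(clock)),
              "result:", evaluate(ACL_100, PING, at(clock)))  # permit, then deny
```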
