Time-Based Access Control Lists

As you probably know, access control lists (ACLs in the rest of this text) are a means of providing firewall protection. Besides the basic division into standard and extended ACLs, we also distinguish time-based ACLs, reflexive ACLs, turbo ACLs, and several other kinds.

The focus of this article is time-based ACLs: when you should use them and how to apply them.

Time-Based ACLs

If you do not want access list entries to take effect the moment they are applied, but only during particular periods, you should consider using time-based ACLs.

Time-based ACLs enable you to apply firewall rules based on the time of day, the day of the week, or the day of the month. This gives you granular enforcement of the permit or deny conditions you set to control traffic into and out of your network; in other words, they offer finer control over when access to resources is permitted or denied.

For example, you may wish to allow users to access the Internet during lunch, but not during regular business hours. Time-based ACLs let you enforce exactly that kind of policy. A time range can also be attached to an entry that carries the log keyword, so you control when ACL entries log matching traffic, for example to send those messages to your syslog server.

Configuring Time-Based ACLs

The basic command for configuring time-based ACLs is time-range, which defines the period (either a single one-off period or a recurring one) during which an ACL statement is valid.

Router(config)# time-range time_range_name

Upon executing this command, you are placed in time-range subconfiguration mode (the config-time-range prompt), in which you specify a one-time-only (absolute) or recurring (periodic) time period.

Router(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]

Router(config-time-range)# periodic day_of_the_week hh:mm to [day_of_the_week] hh:mm

  • absolute – specifies a single period for which the time range is valid; you can give a start time, an end time, or both (omitting start means the range is valid immediately, omitting end means it never expires). Only one absolute statement is allowed per time range.
  • periodic – specifies a recurring period for which the time range is valid; day_of_the_week is a weekday name or one of the keywords daily, weekdays, or weekend, and a time range may contain several periodic statements. If an absolute statement is also present, the periodic statements apply only within the absolute window.

After creating time ranges, you must activate them by adding the time range parameter to the ACL statement:

Router(config)# access-list {100-199 | 2000-2699} {permit | deny} protocol source-addr [source-wildcard]
[operator port] destination-addr [destination-wildcard] [operator port] [established]
[log | log-input] [time-range name_of_time_range]

The access list statement is active only while the router's clock falls within the specified period. Outside that period the entry is skipped as if it were not in the list, and evaluation moves on to the next entry (or to the implicit deny at the end).


Example

Suppose you want to forbid students from accessing the Internet during classes, except during lunch (between 12 PM and 1 PM) and after school hours (from 3 PM to 7 PM, when the school closes).

Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23 and the minutes range from 0 to 59. For example, 3 PM is represented as 15:00.

R1(config)# time-range student-time
R1(config-time-range)# periodic weekdays 12:00 to 13:00
R1(config-time-range)# periodic weekdays 15:00 to 19:00
R1(config-time-range)# exit

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range student-time
R1(config)# access-list 100 deny ip any any

R1(config)# interface FastEthernet 0/1

R1(config-if)# ip access-group 100 in
R1(config-if)# exit

ACL 100, applied inbound on FastEthernet 0/1 where the students' traffic enters the router, permits that traffic only during lunch and after school hours (3 PM to 7 PM). Outside those periods the time-limited entry is skipped, the explicit deny any any matches (it duplicates the implicit deny every ACL ends with, but makes the intent visible), and the traffic is dropped.
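The following is an added example, not code from the original article or from Cisco: a small Python model of how the router evaluates ACL 100 from the example above against its clock. It implements the rules stated in this article (an entry whose time range is inactive is skipped, the first matching entry wins, and an unmatched packet hits the implicit deny) and parses only the subset of IOS syntax the page uses. It goes slightly beyond the page's example: ACL 101 adds an always-on permit for a hypothetical internal school network (10.0.0.0/8, an assumption) ahead of the time-limited line, and ACL 102 uses a made-up absolute exam-week range, since the page defines absolute but never shows it. Treating the end time of a period as exclusive is also an assumption.

```python
"""Time-range-aware ACL evaluation modelled in Python (added example, not IOS code).
Rules: an entry whose time range is inactive is skipped, first match wins, implicit deny."""
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Day keywords accepted by `periodic`; datetime.weekday() is Monday=0 .. Sunday=6.
DAYS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6},
        "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
        "friday": {4}, "saturday": {5}, "sunday": {6}}
Entry = namedtuple("Entry", "action src dst time_range")  # one ACL line (ip protocol only)

def _minutes(hhmm: str) -> int:
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

@dataclass
class TimeRange:
    periodic: List[Tuple[set, int, int]] = field(default_factory=list)  # (days, start, end) in minutes
    absolute: Optional[Tuple[Optional[datetime], Optional[datetime]]] = None

    def active(self, now: datetime) -> bool:
        if self.absolute:  # periodic statements only count inside the absolute window
            start, end = self.absolute
            if (start and now < start) or (end and now >= end):
                return False
            if not self.periodic:
                return True
        # Assumption: the end time is exclusive, so "12:00 to 13:00" covers 12:00-12:59.
        minute = now.hour * 60 + now.minute
        return any(now.weekday() in days and s <= minute < e for days, s, e in self.periodic)

def _net(t: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse `any`, `host A.B.C.D` or `A.B.C.D wildcard` at token i; return (network, next i)."""
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/32"), i + 2
    netmask = ip_address(0xFFFFFFFF ^ int(ip_address(t[i + 1])))  # wildcard -> netmask
    return ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def parse_config(lines: List[str]) -> Tuple[Dict[str, TimeRange], List[Entry]]:
    """Parse the IOS subset used on this page: time-range, periodic, absolute, ip ACL entries."""
    ranges: Dict[str, TimeRange] = {}
    acl: List[Entry] = []
    current: Optional[TimeRange] = None
    for line in lines:
        t = line.split()
        if not t:
            continue
        if t[0] == "time-range":  # time-range NAME
            current = ranges.setdefault(t[1], TimeRange())
        elif t[0] == "periodic":  # periodic DAYS hh:mm to hh:mm
            current.periodic.append((DAYS[t[1]], _minutes(t[2]), _minutes(t[4])))
        elif t[0] == "absolute":  # absolute [start hh:mm D Month YYYY] [end hh:mm D Month YYYY]
            bounds: Dict[str, Optional[datetime]] = {"start": None, "end": None}
            for i, tok in enumerate(t):
                if tok in bounds:
                    bounds[tok] = datetime.strptime(" ".join(t[i + 1:i + 5]), "%H:%M %d %B %Y")
            current.absolute = (bounds["start"], bounds["end"])
        elif t[0] == "access-list":  # access-list N permit|deny ip SRC DST [time-range NAME]
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            acl.append(Entry(t[2], src, dst, t[i + 1] if i < len(t) and t[i] == "time-range" else None))
    return ranges, acl

def evaluate(acl: List[Entry], ranges: Dict[str, TimeRange], src: str, dst: str, now: datetime) -> str:
    s, d = ip_address(src), ip_address(dst)
    for e in acl:
        if e.time_range and not ranges[e.time_range].active(now):
            continue  # inactive entry: skipped as if it were not in the list
        if s in e.src and d in e.dst:
            return e.action
    return "deny"  # implicit deny at the end of every ACL

def decide(config: List[str], src: str, dst: str, when: str) -> str:
    """Verdict for one packet src -> dst at an ISO timestamp such as '2024-03-06T12:30'."""
    ranges, acl = parse_config(config)
    return evaluate(acl, ranges, src, dst, datetime.fromisoformat(when))

# Constructed input: the page's own time range and ACL 100.
STUDENT_TIME = ["time-range student-time", "periodic weekdays 12:00 to 13:00",
                "periodic weekdays 15:00 to 19:00", "exit"]
PAGE_ACL = STUDENT_TIME + [
    "access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range student-time",
    "access-list 100 deny ip any any"]
# Assumption: school servers live in 10.0.0.0/8. An always-on permit placed before the
# time-limited line keeps them reachable while Internet access follows the schedule.
INTERNAL_FIRST_ACL = STUDENT_TIME + [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any time-range student-time",
    "access-list 101 deny ip any any"]
# Hypothetical one-off window using `absolute` (dates made up): block students for an exam week.
EXAM_WEEK_ACL = ["time-range exam-week", "absolute start 00:00 10 June 2024 end 00:00 15 June 2024",
                 "exit", "access-list 102 deny ip 192.168.1.0 0.0.0.255 any time-range exam-week",
                 "access-list 102 permit ip any any"]
```

With the constructed input, decide(PAGE_ACL, "192.168.1.10", "203.0.113.5", "2024-03-06T12:30") returns permit (a Wednesday at lunch), the same packet at 10:30 or on the Saturday returns deny, and a student packet to the assumed internal server 10.1.1.20 at 10:30 is denied by ACL 100 but permitted by ACL 101, because the always-on entry sits above the time-limited one. Every verdict depends only on the clock value handed to the function, which is the model's way of showing why the router's own clock has to be right.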

Time-based ACLs allow access control based on time and date, and therefore provide granular enforcement of security policy. They take the time from the router's system clock, so you should configure Network Time Protocol (NTP) to keep that clock accurate: point the router at an NTP server with the ntp server command, and also set the time zone and daylight-saving rules (clock timezone and clock summer-time), because time ranges are evaluated in the router's local time and a wrong offset shifts every window by hours. You can confirm the result with show time-range, which marks each configured range as active or inactive at that moment.

To conclude, consider using time-based ACLs if you need the flexibility to define access control policies based on time and date, and make sure the time in your network is accurate.

Till next time!

3 Responses

  1. You should be careful with the ACL context used in this article. If you are trying to only block Internet access then be sure to create your ACL accordingly.

    The ACL in the article will block ALL traffic. Be sure to specify tcp ports 80 and 443 (http and https) if you wish to ONLY block internet access.

    1. Sorry Ironman; not correct. Assuming ‘FastEthernet 0/1’ is the WAN port, the ACL (would – or should) only prevent traffic going out to ‘The’ Internet during ‘school time’. Access to School resources (INCLUDING THOSE ON PORT 80, 443, AND OTHERS!!!!) would continue at all times. Of course, there are many better ways to skin this particular cat, but ‘blocking 80 & 443’ in an attempt to block Internet traffic would fail dismally in most environments, but especially in a school 🙂
