Time-Based Access Lists

Starting with IOS version 12.0, time-based access lists allow an administrator to base security policies on the time of day and day of the week. This is a powerful tool, which allows the administrator to enable policies such as limiting the download of Web-based music or the playing of games over the internal network to after normal business hours. The end result is that the system users can play music and games when network response times are not an issue. This can be important from a political viewpoint, because a lot of users think that the administrators and security administrators prevent them from having fun, even when it does not affect any company goal. Additional benefits can be realized by using time-based access lists in the areas of dial-on-demand routing, policy-based routing, and queuing. These are all beyond the scope of this book, but are still useful in the daily administration of a network.

To establish time-based access lists, three steps are necessary:

Step 1.
Accurate times must be established on all affected routers. Generally speaking, the easiest way to accomplish this is by using Network Time Protocol (NTP).

Step 2.
Time ranges must be established. This is done by one of two methods. The first method is to use the periodic statement. The syntax for the periodic command is shown below:

periodic day-of-week hh:mm to [day-of-week] hh:mm

In the preceding command syntax, a number of substitutions are available for the day-of-week variable. The day-of-week can be any individual day; a selection of days separated by spaces; or the words daily to represent every day, weekday to represent Monday through Friday, or weekend to represent Saturday and Sunday. If the span crosses into another day, a second day-of-week is given after the to keyword. The hh:mm variable is the time entered in 24-hour (military) time. The following two examples show how to use the periodic statement. The first example defines a time range named “firsttime” that is active between 08:00 (8 a.m.) and 13:00 (1 p.m.) on Tuesday, Wednesday, and Thursday:

time-range firsttime
periodic Tuesday Wednesday Thursday 08:00 to 13:00

The second example defines a time range named “secondtime” that is active from 22:00 (10 p.m.) on Friday until 23:30 (11:30 p.m.) on Saturday:

time-range secondtime
periodic friday 22:00 to saturday 23:30

Another method for setting a time range is to use the absolute command, which is used to assign specific hours and dates to a named time range. The following example assigns the time of 11:00 on January 1, 2001 through 14:00 on January 2, 2002 to the time range named “absolutetime.”

time-range absolutetime
absolute start 11:00 1 january 2001 end 14:00 2 january 2002

Step 3.
Once a time range is defined, it can be used within an extended access list. The following is an example of using the “firsttime” time range to limit Telnet access. In this example, Telnet is permitted only while the firsttime range is active, that is, between 08:00 and 13:00 on Tuesday, Wednesday, and Thursday; the closing deny statement blocks everything else:

access-list 110 permit tcp any any eq telnet time-range firsttime
access-list 110 deny ip any any
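The following is an added example, not code from the book or from Cisco. It models how IOS evaluates the periodic and absolute statements from Step 2 and a time-range-qualified access list entry from Step 3, so that a policy can be checked against a clock value before it is deployed. It assumes inclusive window boundaries, that an absolute statement bounds any periodic statements in the same time range (as on IOS), and a simplified ACL entry shape of (action, protocol, destination port, time-range name); the function and variable names are the example's own.

```python
# Added example (not from the book, not Cisco code): a small model of how IOS
# evaluates `periodic` / `absolute` time ranges and a time-range-qualified ACL.
# Assumptions: inclusive window boundaries; an absolute statement bounds the
# periodic ones; ACL entries are (action, protocol, dst port, time-range name).
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": list(range(7)), "weekday": list(range(5)), "weekend": [5, 6]}


def _hm(text):
    """'hh:mm' on a 24-hour clock -> minutes since midnight."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(line):
    """Expand one periodic statement into (start_dow, start_min, end_dow, end_min) windows."""
    tokens = line.lower().split()
    if tokens[0] != "periodic" or "to" not in tokens:
        raise ValueError("not a periodic statement: %r" % line)
    to_idx = tokens.index("to")
    before, after = tokens[1:to_idx], tokens[to_idx + 1:]
    start_min, day_tokens = _hm(before[-1]), before[:-1]
    days = []
    for day in day_tokens:
        if day in DAY_GROUPS:
            days.extend(DAY_GROUPS[day])
        elif day in DAYS:
            days.append(DAYS.index(day))
        else:
            raise ValueError("unknown day-of-week: %s" % day)
    if len(after) == 2:  # 'to day-of-week hh:mm': one span that crosses into another day
        if len(days) != 1:
            raise ValueError("a cross-day span needs exactly one start day")
        return [(days[0], start_min, DAYS.index(after[0]), _hm(after[1]))]
    end_min = _hm(after[0])  # same-day window, repeated on every listed day
    return [(day, start_min, day, end_min) for day in days]


def parse_absolute(line):
    """'absolute [start hh:mm d month yyyy] [end hh:mm d month yyyy]' -> (start, end)."""
    tokens = line.lower().split()

    def grab(keyword):
        if keyword not in tokens:
            return None  # an omitted bound is open-ended
        i = tokens.index(keyword)
        return datetime.strptime(" ".join(tokens[i + 1:i + 5]), "%H:%M %d %B %Y")

    return grab("start"), grab("end")


def parse_time_range(statements):
    """Statements that would follow a 'time-range NAME' line."""
    periodic = [parse_periodic(s) for s in statements if s.split()[0].lower() == "periodic"]
    absolute = [parse_absolute(s) for s in statements if s.split()[0].lower() == "absolute"]
    return {"periodic": [w for ws in periodic for w in ws],
            "absolute": absolute[0] if absolute else None}


def _in_window(window, when):
    """Compare on a Monday-based minute-of-week so a window may wrap past Sunday."""
    start_dow, start_min, end_dow, end_min = window
    now = when.weekday() * 1440 + when.hour * 60 + when.minute
    start, end = start_dow * 1440 + start_min, end_dow * 1440 + end_min
    if end < start:
        return now >= start or now <= end
    return start <= now <= end


def time_range_active(time_range, when):
    """Absolute bounds apply first; any matching periodic window then activates the range."""
    if time_range["absolute"]:
        start, end = time_range["absolute"]
        if (start and when < start) or (end and when > end):
            return False
    if not time_range["periodic"]:
        return True
    return any(_in_window(w, when) for w in time_range["periodic"])


def acl_action(entries, time_ranges, packet, when):
    """First-match walk: an entry whose time range is inactive is skipped, and an
    unmatched packet falls through to the implicit deny, as on the router."""
    proto, dport = packet
    for action, entry_proto, entry_port, tr_name in entries:
        if entry_proto not in ("ip", proto):
            continue
        if entry_port is not None and entry_port != dport:
            continue
        if tr_name and not time_range_active(time_ranges[tr_name], when):
            continue
        return action
    return "deny"


# The three time ranges from the text, plus the Telnet access list from Step 3.
TIME_RANGES = {
    "firsttime": parse_time_range(["periodic Tuesday Wednesday Thursday 08:00 to 13:00"]),
    "secondtime": parse_time_range(["periodic friday 22:00 to saturday 23:30"]),
    "absolutetime": parse_time_range(["absolute start 11:00 1 january 2001 end 14:00 2 january 2002"]),
}
ACL_110 = [("permit", "tcp", 23, "firsttime"), ("deny", "ip", None, None)]


def telnet_allowed(when):
    """True when access-list 110 would permit a Telnet (tcp/23) packet at router time `when`."""
    return acl_action(ACL_110, TIME_RANGES, ("tcp", 23), when) == "permit"
```

Calling telnet_allowed with a Wednesday 02:00 timestamp returns False, which shows that the firsttime range is three separate daily windows rather than one continuous span from Tuesday morning to Thursday afternoon; the secondtime range, by contrast, stays active across Friday midnight. The `when` argument stands for the router's own clock, which is why Step 1 matters: a router with a wrong clock applies the policy at the wrong hours.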

Time-based access lists allow the administrator to allow or deny traffic based on the current time. Another tool available to the administrator is a reflexive access list, which will be discussed next.
