Recently a customer asked me if he could configure time-based access-lists: a regular access-list that is triggered regularly during a specific time interval, to control access to certain subnets. Something like a Kron policy tied with ACLs.
The granular description of the customer's requirement was to control the access of wireless users to specific servers. Wireless users (Wireless Vlan) should be allowed to access some specific servers (Server Vlan) only during the production hours of weekdays.
I was under the impression that, to meet this requirement, we would need a policy control device like a Cisco ISE or Cisco Meraki BYOD solution.
But with some brief research, I was able to validate a much easier and more powerful alternative: the Time-range feature for ACLs on Cisco IOS.
Time-based ACLs were introduced in Cisco IOS Software Release 12.0.1.T. While similar to extended ACLs in function, they allow for access control based on time.
A Time-range is created that defines specific times of the day and week in order to implement time-based ACLs.
Just like a Class Map, a Time-range is identified by a name and then referenced by a function. Therefore, the time restrictions are imposed on the function itself.
In simple terms, think of it as a Kron policy tied with ACLs.
The time range relies on the router system clock. The router clock can be used, but the feature works best with Network Time Protocol (NTP) synchronization, since the ACL entries switch between active and inactive based on whatever time the device believes it is.
These are the time-based ACL commands.
!--- Defines a named time range.
time-range time-range-name
!--- Defines the periodic times.
periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
!--- Or, defines the absolute times.
absolute [start time date] [end time date]
!--- The time range used in the actual ACL.
ip access-list name|number
time-range time-range-name
Let's have a look at the example I mentioned above.
Wireless Vlan 10: 192.168.10.1/24
Server Vlan 20: 172.16.20.1/24
Servers:
172.16.20.2
172.16.20.10
172.16.20.25
Requirement: Wireless users should be able to access certain servers only during Monday to Friday, from 9:00 AM to 6:00 PM.
Configuration.
For the sake of simplicity, let's say we have an access-list ready which defines the servers that can be accessed.
10 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.2
20 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.10
30 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.25
40 deny ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
50 permit ip any any
Now let's configure a Time-range, such that it can be applied to the above access-list.
Switch#conf t
Switch(config)#
Switch(config)#time-range Wireless_access
Switch(config-time-range)#periodic Monday Tuesday Wednesday Thursday Friday 9:00 to 18:00
Switch(config-time-range)#end
Switch#
Switch#show time-range
time-range entry: Wireless_access (inactive)
periodic weekdays 9:00 to 18:00
Switch#
We have to attach this Time-range to the relevant entries of our ACL. After the configuration the ACL should look like this.
10 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.2 time-range Wireless_access
20 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.10 time-range Wireless_access
30 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.25 time-range Wireless_access
40 deny ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
50 permit ip any any
This ACL can now be applied on the Vlan interface 20, inbound. The ACL statements carrying the Time-range keyword are active only during the scheduled period, with reference to the system clock of the device. Outside that period those entries are treated as absent, so wireless traffic to the servers falls through to the deny at line 40, and hence the Wireless Vlan has access to the specific servers only during the scheduled time.
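To make that evaluation order concrete, here is an added Python model of how the switch walks this ACL, written for this post and not taken from it or from Cisco: it parses the ACL and the time-range shown above, then checks a flow top-down for a given clock time, skipping any entry whose time-range is inactive. It covers only the syntax the post uses (plain ip entries, same-day periodic windows, end minute treated as inclusive); those are assumptions, not the full IOS grammar.

```python
from datetime import datetime
from ipaddress import ip_address

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
# Constructed input: the post's time-range (as 'show time-range' prints it) and its ACL.
TIME_RANGES = {"Wireless_access": "periodic weekdays 9:00 to 18:00"}
ACL_TEXT = """
10 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.2 time-range Wireless_access
20 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.10 time-range Wireless_access
30 permit ip 192.168.10.0 0.0.0.255 host 172.16.20.25 time-range Wireless_access
40 deny ip 192.168.10.0 0.0.0.255 172.16.20.0 0.0.0.255
50 permit ip any any
"""
hhmm = lambda s: int(s.split(":")[0]) * 60 + int(s.split(":")[1])   # "9:00" -> 540

def active(spec, when):
    # 'periodic <days...> HH:MM to HH:MM'. Assumption: same-day window, inclusive end minute.
    toks = spec.lower().split()
    days = set()
    for tok in toks[1:-3]:
        days |= DAY_SETS[tok] if tok in DAY_SETS else {DAYS.index(tok)}
    return when.weekday() in days and hhmm(toks[-3]) <= when.hour * 60 + when.minute <= hhmm(toks[-1])
def parse_addr(toks):   # one IOS address spec: any | host A | A WILDCARD -> rest, (addr, wildcard)
    if toks[0] == "any":
        return toks[1:], (0, 0xFFFFFFFF)
    if toks[0] == "host":
        return toks[2:], (int(ip_address(toks[1])), 0)
    return toks[2:], (int(ip_address(toks[0])), int(ip_address(toks[1])))
def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():    # seq action proto src dst [time-range NAME]
        toks = line.split()
        rest, src = parse_addr(toks[3:])
        rest, dst = parse_addr(rest)
        entries.append((int(toks[0]), toks[1], src, dst, rest[1] if rest[:1] == ["time-range"] else None))
    return entries
def matches(spec, ip):                        # a set wildcard bit means "don't care"
    addr, wild = spec
    return ((int(ip_address(ip)) & ~wild) & 0xFFFFFFFF) == ((addr & ~wild) & 0xFFFFFFFF)
def evaluate(acl, ranges, src, dst, when_iso):
    # First match wins; an entry whose time-range is inactive is skipped, so the flow
    # falls through to later lines (here the deny at 40). Implicit deny if nothing matches.
    when = datetime.fromisoformat(when_iso)
    for seq, action, s, d, tr in acl:
        if tr and not active(ranges[tr], when):
            continue
        if matches(s, src) and matches(d, dst):
            return action, seq
    return "deny", None
```

Because the verdict depends only on the clock value passed in, the model also shows why the device clock is part of the control: an unsynchronised clock silently shifts the window in both directions, which is the reason to pair this feature with NTP.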
A time-triggered knob on the ACL makes our simple ACLs very powerful! The example that we discussed is just one such application. I cannot possibly list all the applications this feature brings.
Try it out today! And do let me know if you find a new area/case/situation where this feature could be put to use.
