Timed access-lists

Timed access-lists can be handy for all sorts of things. Let's say you have a few contractor PCs in your office that are only allowed internet access from 17:00 to 19:00 each day. For the rest of the day those PCs may only talk to other hosts on the internal LAN.

I've got a very simple diagram here. PCs 1-3 are allowed full access all the time. PCs 4 and 5 are our contractor PCs. Let's say that DHCP is being used, but we are matching IPs to MAC addresses (we'll go over this in a new post sometime). This is the topology:

[Diagram: timed access-lists topology]

On the router I'm going to create two access-lists. The first is a timed access-list that prevents any traffic from 192.168.1.4 and .5 leaving the Fa0/0 interface during the blocked hours. The second access-list only allows traffic with a source address of 192.168.1.1-5 in through interface Fa0/1. This stops the contractors changing their IP to 192.168.1.10 and so on to get around the first list. It might be better to just not give them admin rights on their PCs, but sometimes they may be using their own computers.

First up is the time range during which I want the block to be active. The two periodic entries together cover everything except 17:00 to 18:59 (the end time of a periodic entry is inclusive, so "0:00 to 16:59" runs until the end of that minute and "19:00 to 23:59" covers the rest of the day):

time-range CONTRACTOR_NO_INTERNET
 periodic daily 0:00 to 16:59
 periodic daily 19:00 to 23:59

Next I create the access-list, tying the deny entries to my time range so they are only active during it:

ip access-list extended CONTRACTORS
 deny   ip host 192.168.1.4 any time-range CONTRACTOR_NO_INTERNET
 deny   ip host 192.168.1.5 any time-range CONTRACTOR_NO_INTERNET
 permit ip any any

Always remember that ACLs have an implicit deny at the end, so in this case I need an explicit "permit ip any any" as the last entry, otherwise the other three PCs (and the contractors during their allowed window) would lose internet access too. Also note that although I've blocked those hosts to any destination, they can still talk to the rest of the local LAN, because LAN-to-LAN traffic is switched and never reaches the router's Fa0/0 interface. If the router itself routes between internal subnets or VLANs (a SOHO router with an integrated switch, for example), you may need an entry at the top of this access-list permitting traffic to the local subnets, ahead of the deny lines, since the list is evaluated top to bottom and the first match wins.

Now we need to apply this access-list outbound on the Fa0/0 interface. One caveat here: if this router is also doing NAT for the LAN, remember that IOS translates inside-to-outside traffic before it checks the outbound access-list, so a list on Fa0/0 would see the translated source address and these deny entries would never match. In that case put the deny entries on an inbound access-list on Fa0/1 instead.

interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group CONTRACTORS out
 duplex auto
 speed auto
end
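To check that the timed entries are actually doing what you expect, here is an added set of verification commands that is not part of the original post. They use the same router, interface and access-list names as above; the output lines shown as comments are the shape IOS produces, with sample values as they would look inside the 17:00-19:00 window, and the active/inactive flags depend on the router clock at the moment you run them.

```cisco
! Added verification commands, not part of the original post.
! Run from privileged EXEC on the router configured above.
!
! 1. The clock the time-range is judged against. A leading '*' means
!    the time is not authoritative (never set, or not NTP-synced), and
!    the timed entries would then switch on and off at the wrong moments.
show clock
!
! 2. Is the time-range active right now, and is it bound to an ACL?
show time-range CONTRACTOR_NO_INTERNET
!  time-range entry: CONTRACTOR_NO_INTERNET (inactive)
!     periodic daily 0:00 to 16:59
!     periodic daily 19:00 to 23:59
!     used in: IP ACL entry
!
! 3. Each timed entry is tagged (active)/(inactive) in the ACL, and the
!    match counters on the deny lines should climb while it is active
!    and a contractor PC tries to get out.
show ip access-lists CONTRACTORS
!  Extended IP access list CONTRACTORS
!      10 deny ip host 192.168.1.4 any time-range CONTRACTOR_NO_INTERNET (inactive)
!      20 deny ip host 192.168.1.5 any time-range CONTRACTOR_NO_INTERNET (inactive)
!      30 permit ip any any
!
! 4. Confirm the list is bound outbound on the WAN interface, not inbound.
show ip interface FastEthernet0/0 | include access list
!  Outgoing access list is CONTRACTORS
!  Inbound  access list is not set
```

If step 2 shows (active) when the wall clock says it should not be, fix the clock (and timezone) before touching the access-list; the list is almost never the problem.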

The last part I wanted to do was to ensure that only the IPs currently in use on the network are allowed in. This stops the contractors simply changing their IP address to get around the first access-list. A standard ACL matches on source address only, which is all we need here.

ACL:

access-list 1 permit 192.168.1.1
access-list 1 permit 192.168.1.3
access-list 1 permit 192.168.1.2
access-list 1 permit 192.168.1.5
access-list 1 permit 192.168.1.4
access-list 1 deny   any

On the interface:

interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip access-group 1 in
 duplex auto
 speed auto
end
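Here is the same policy as a single extended ACL applied inbound on the LAN interface, given as an added example that is not the original post's config. Putting both the timed denies and the anti-spoofing entries inbound on Fa0/1 keeps the whole policy in one place and also avoids the NAT ordering issue (IOS translates inside-to-outside traffic before checking an outbound list). Hosts, interfaces and addresses are the ones from the post; the ACL name LAN_IN, the NTP server 192.0.2.10 and the UK timezone settings are illustrative assumptions.

```cisco
! Added example, not the original post's config: one extended ACL,
! inbound on the LAN side, covering both the timed block and the
! anti-spoofing list. LAN_IN, 192.0.2.10 and the GMT/BST settings
! are assumptions for illustration only.
!
! Time-ranges are evaluated against the router's local clock, so set
! the timezone/summer-time that the 17:00-19:00 window is meant in,
! and sync the clock from NTP rather than setting it by hand.
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
ntp server 192.0.2.10
!
time-range CONTRACTOR_NO_INTERNET
 periodic daily 0:00 to 16:59
 periodic daily 19:00 to 23:59
!
ip access-list extended LAN_IN
 remark Only needed if this router is also the DHCP server for the LAN
 permit udp any eq bootpc any eq bootps
 remark Contractor PCs: nothing through the router outside 17:00-18:59
 deny   ip host 192.168.1.4 any time-range CONTRACTOR_NO_INTERNET
 deny   ip host 192.168.1.5 any time-range CONTRACTOR_NO_INTERNET
 remark Anti-spoofing: only the five known addresses may source traffic
 permit ip host 192.168.1.1 any
 permit ip host 192.168.1.2 any
 permit ip host 192.168.1.3 any
 permit ip host 192.168.1.4 any
 permit ip host 192.168.1.5 any
 remark Log anything else, e.g. a contractor who changed their IP
 deny   ip any any log
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip access-group LAN_IN in
!
! Fa0/0 needs no outbound list in this design: nothing unwanted gets
! past Fa0/1 to be routed out of it.
```

Because the list is inbound on the LAN interface it only sees traffic that the router has to handle, so LAN-to-LAN traffic across the switch is unaffected exactly as before. The contractor denies do, however, also stop those two PCs reaching the router itself during the blocked hours; if that matters, deny only the upstream destinations instead of "any". The log keyword on the final deny sends a syslog message per matching flow, and IOS rate-limits those messages, so treat them as an indicator that someone is playing with their IP settings rather than an exact count.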

Very handy!

Edit: Just be sure that you've actually set the clock on the router correctly beforehand! Check it with "show clock" (a leading "*" means the time is not authoritative) and ideally sync it with NTP; time-ranges are evaluated against the router's local time, so the timezone and summer-time settings matter too.

© 2009-2020 Darren O'Connor. All Rights Reserved.