How to secure our network using time-based access lists
- paulcapatana
- Dec 29, 2022
We’ve learned from theory that traffic can be filtered on multiple criteria, and one of those criteria is time.
What do we mean by time? A defined range of days and hours in which a user has access to shared network resources.
With that said, let’s take a look at the scenario below.
You are employed at a medium-sized company, working in the IT department, and a new colleague is about to be hired whose main task is testing new technologies and devices.
Our task as network engineers is to create a network restriction that allows the new colleague to access the required resources every week from Monday to Friday, and only from 9 am until 6 pm.
Let’s assume that for this exercise we have the topology shown below.

How do we accomplish our task?
Step 1
First, we check whether the IP address allocated to the user has access to the network resources before adding any restriction.

We also need to know which subnet the user’s IP address belongs to.

Step 2
Now that we’ve collected the required information about the user, we move on to the next step: defining and applying the access list. Once an access list has been defined, it has to be applied in order to take effect.
In our exercise the access list will be defined on router R1 and applied on the interface toward switch SW2, through which the user is connected.
To define and apply a time-based access list, we proceed as shown below:
Step 2.1 Time range setup
First of all, after logging in to router R1, we enter global configuration mode.

Then we define a time range that will be used when we define our access list.

Good job! Now we exit time-range configuration.

Step 2.2 Access list setup
Now that we’ve configured a time range, let’s see how to use it, because it has an important purpose in our exercise.
Let’s proceed with the access list configuration; a little later we’ll see how to apply the access list so that it takes effect.
From global configuration mode, we configure our access list as shown below:
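ip access-list extended TIME_BASED
 permit tcp host 192.168.2.50 any eq 22 time-range WeekDays

We match a single host (a /32) because this access list is intended to restrict access for a single user only. IOS extended access lists take a wildcard mask rather than a subnet mask, so a /32 is written with the host keyword (equivalent to the wildcard 0.0.0.0); a wildcard of 255.255.255.255 would match any source address.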
Now let’s apply this access list on the interface toward that user so that it takes effect.

Now we’ll display the current time on router R1:
R1#show clock
10:09:53.795 UTC Mon Mar 8 2021
R1#
At this time the user should have access to the shared network resources.
We should verify that, because we are within the allowed time range.

Now we’ll make a slight change on router R1 by changing the time and date.

After this minor change on router R1, the user should no longer be able to access the shared network resources.
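The steps above, consolidated into one IOS configuration with the commands to verify it. This is an added example, not the author's original configuration: the interface name GigabitEthernet0/1, the inbound direction and the periodic statement are assumptions derived from the scenario (Monday to Friday, 9 am to 6 pm, user connected through SW2).

```cisco
! Added example. Assumed: GigabitEthernet0/1 is R1's interface toward SW2.
configure terminal
!
! Step 2.1: time range covering Monday-Friday, 09:00 to 18:00,
! evaluated against R1's own clock.
time-range WeekDays
 periodic weekdays 9:00 to 18:00
 exit
!
! Step 2.2: permit SSH (tcp/22) from the single host only while
! the WeekDays time range is active.
ip access-list extended TIME_BASED
 permit tcp host 192.168.2.50 any eq 22 time-range WeekDays
 ! The implicit "deny ip any any" at the end of every access list
 ! drops everything else arriving on the interface.
 exit
!
! Apply inbound on the interface facing the user (direction assumed).
interface GigabitEthernet0/1
 ip access-group TIME_BASED in
 end
!
! Verification: the time range and the ACL entry are each reported
! as (active) or (inactive) according to the current clock.
show clock
show time-range WeekDays
show access-lists TIME_BASED
```

Because of the implicit deny, this access list also blocks every other host and protocol entering that interface at all times, so add explicit permit entries for any other traffic that must pass. The restriction is only as trustworthy as R1's clock, so keep it synchronized with NTP and limit who can change the time on the router.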

And that’s how we can restrict users from accessing network resources using only time.
I hope that this document has been informative and useful for you 😊