Network Requirements
- PC1, PC2, and PC3 are connected to IP Network via Device.
- Configure the Hybrid extended ACL rule, realizing that PC1 can access IP Network within the specified time, PC2 and PC3 cannot access IP Network.
Network Topology
Figure 15-5 Networking of configuring Hybrid extended ACL
Configuration Steps
Step 1: Configure the link type of VLAN and port on Device.
#Create VLAN.
|
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit
|
#Configure the link type of port gigabitethernet0/1 as Access, permitting the services of VLAN2 to pass.
|
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#switchport mode access
Device(config-if-gigabitethernet0/1)#switchport access vlan 2
Device(config-if-gigabitethernet0/1)#exit
|
Step 2: Configure the corresponding VLAN interface and IP address on Device. (Omitted)
Step 3: Configure the time domain.
#Configure the time domain “time-range-work” on Device and the range is 08:00 to 18:00 every day.
|
Device(config)#time-range time-range-work
Device(config-time-range)#periodic daily 08:00 to 18:00
Device(config-time-range)#exit
|
#View the current system time on Device.
Device#show clock
UTC FRI APR 05 15:26:31 2013
#View the information of the defined time domain “time-range-work” on Device.
Device#show time-range time-range-work
Timerange name:time-range-work (STATE:active)
10 periodic daily 08:00 to 18:00 (active)
Step 4: Configure the Hybrid extended ACL list.
#Configure the Hybrid extended ACL with serial number 5001 on Device.
|
Device(config)#hybrid access-list extended 5001
|
#Configure the rule, permitting PC1 to access IP Network in the defined time domain “time-range-work” range.
|
Device(config-hybrid-nacl)#permit ip any host 0001.0001.0001 time-range time-range-work
|
#Configure the rule, preventing the segment 131.44.0.0/16 from accessing IP Network.
|
Device(config-hybrid-nacl)#deny ip 131.44.0.0 0.0.255.255 any
|
#Configure the rule, permitting all packets from IP Network to pass Device.
|
Device(config-hybrid-nacl)#permit ip any any
|
#Submit the configured rule
|
Device(config-hybrid-nacl)#commit
Device(config-hybrid-nacl)#exit
|
#View the information of the ACL with serial number 5001 on Device.
Device#show hybrid access-list 5001
hybrid access-list extended 5001
10 permit ip any host 0001.0001.0001 time-range time-range-work (active)
20 deny ip 131.44.0.0 0.0.255.255 any
30 permit ip any any
Step 5: Configure applying Hybrid extended ACL.
#Apply the Hybrid extended ACL with serial number 5001 to the ingress globally.
|
Device(config)#global hybrid access-group 5001 in
|
#View the information of the ACL applied globally on Device.
Device#show acl-object global
-------Global------Bind------Instance Global
----Direction----AclType-----AclName
global IN HYBRID 5001
Step 6: Check the result.
#PC1 can access IP Network from 08:00 to 18:00 every day; PC2 and PC3 cannot access IP Network.
Switch
.png){kind=icon}
.png){kind=logo}
