Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure IP Extended ACL with Time Domain

Network Requirements

  • PC1, PC2, and PC3 are connected to IP Network via Device.
  • Configure the IP extended ACL rule, realizing that PC1 can access IP Network within the specified time, PC2 can access the FTP service in IP Network, and PC3 cannot access IP Network.

Network Topology

Networking of configuring IP extended ACL with time domain

Figure 15–2 Networking of configuring IP extended ACL with time domain

Configuration Steps

Step 1: Configure the link type of VLAN and port on Device.

#Create VLAN.

Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit

#Configure the link type of port gigabitethernet0/1, gigabitethernet0/2 as Access, permitting the services of VLAN2 to pass.

Device(config)#interface gigabitethernet 0/1,0/2
Device(config-if-range)#switchport mode access
Device(config-if-range)#switchport access vlan 2
Device(config-if-range)#exit

Step 2: Configure the corresponding VLAN interface and IP address on Device. (Omitted)

Step 3: Configure the time domain.

#Configure the time domain “time-range-work” on Device and the range is 08:00:00 to 18:00:00 every day.

Device(config)#time-range time-range-work
Device(config-time-range)#periodic daily 08:00:00 to 18:00:00
Device(config-time-range)#exit

#View the current system time on Device.

Device#show clock

UTC FRI APR 05 15:26:31 2013

#View the information of the defined time domain “time-range-work” on Device.

Device#show time-range time-range-work
Timerange name:time-range-work (STATE:active)
 10 periodic daily 08:00:00 to 18:00:00 (active)

Step 4: Configure the IP extended ACL.

#Configure the IP extended ACL with serial number 1001 on Device.

Device(config)#ip access-list extended 1001

#Configure the rule, preventing the network segment 131.44.2.0/24 from accessing IP Network.

Device(config-ext-nacl)#deny ip 131.44.2.0 0.0.0.255 any

#Configure the rule, permitting PC2 to access the FTP service of IP Network.

Device(config-ext-nacl)#permit tcp host 131.44.1.2 any eq ftp
Device(config-ext-nacl)#permit tcp host 131.44.1.2 any eq ftp-data

#Configure the rule, permitting PC1 to access IP Network in the defined time domain “time-range-work” range.

Device(config-ext-nacl)#permit ip host 131.44.1.1 any time-range time-range-work

#Submit the configured rule

Device(config-ext-nacl)#commit
Device(config-ext-nacl)#exit

#View the information of the ACL with serial number 1001 on Device.

Device#show ip access-list 1001
ip access-list extended 1001
 10 deny ip 131.44.2.0 0.0.0.255 any
 20 permit tcp host 131.44.1.2 any eq ftp
 30 permit tcp host 131.44.1.2 any eq ftp-data
 40 permit ip host 131.44.1.1 any time-range time-range-work (active)

Step 5: Configure applying the IP extended ACL.

#Apply the IP extended ACL with serial number 1001 to the egress of port gigabitethernet0/1 on Device.

Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ip access-group 1001 out
Device(config-if-gigabitethernet0/1)#exit

#View the information of the ACL applied to the port on Device.

Device#show acl-object interface  
-----------Interface-----Bind-----Instance 	 
Interface----------------Direction----AclType---AclName 
gi0/1                    OUT          IP        1001 
-----------Interface-----Bind-----Instance
Interface VlanId---------Direction----AclType---AclName

Step 6: Check the result.

#PC1 can access IP Network from 08:00 to 18:00 of every day; PC2 can access any FTP server in IP Network; PC3 cannot access IP Network.