Configure IP Extended ACL with Time Domain
Network Requirements
- PC1, PC2, and PC3 are connected to IP Network via Device.
- Configure the IP extended ACL rule, realizing that PC1 can access IP Network within the specified time, PC2 can access the FTP service in IP Network, and PC3 cannot access IP Network.
Network Topology
Figure 15–2 Networking of configuring IP extended ACL with time domain
Configuration Steps
Step 1: Configure the link type of VLAN and port on Device.
#Create VLAN.
|
Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit
|
#Configure the link type of port gigabitethernet0/1, gigabitethernet0/2 as Access, permitting the services of VLAN2 to pass.
|
Device(config)#interface gigabitethernet 0/1,0/2
Device(config-if-range)#switchport mode access
Device(config-if-range)#switchport access vlan 2
Device(config-if-range)#exit
|
Step 2: Configure the corresponding VLAN interface and IP address on Device. (Omitted)
Step 3: Configure the time domain.
#Configure the time domain “time-range-work” on Device and the range is 08:00:00 to 18:00:00 every day.
|
Device(config)#time-range time-range-work
Device(config-time-range)#periodic daily 08:00:00 to 18:00:00
Device(config-time-range)#exit
|
#View the current system time on Device.
|
Device#show clock
UTC FRI APR 05 15:26:31 2013
|
#View the information of the defined time domain “time-range-work” on Device.
|
Device#show time-range time-range-work
Timerange name:time-range-work (STATE:active)
10 periodic daily 08:00:00 to 18:00:00 (active)
|
Step 4: Configure the IP extended ACL.
#Configure the IP extended ACL with serial number 1001 on Device.
|
Device(config)#ip access-list extended 1001
|
#Configure the rule, preventing the network segment 131.44.2.0/24 from accessing IP Network.
|
Device(config-ext-nacl)#deny ip 131.44.2.0 0.0.0.255 any
|
#Configure the rule, permitting PC2 to access the FTP service of IP Network.
|
Device(config-ext-nacl)#permit tcp host 131.44.1.2 any eq ftp
Device(config-ext-nacl)#permit tcp host 131.44.1.2 any eq ftp-data
|
#Configure the rule, permitting PC1 to access IP Network in the defined time domain “time-range-work” range.
|
Device(config-ext-nacl)#permit ip host 131.44.1.1 any time-range time-range-work
|
#Submit the configured rule
|
Device(config-ext-nacl)#commit
Device(config-ext-nacl)#exit
|
#View the information of the ACL with serial number 1001 on Device.
|
Device#show ip access-list 1001
ip access-list extended 1001
10 deny ip 131.44.2.0 0.0.0.255 any
20 permit tcp host 131.44.1.2 any eq ftp
30 permit tcp host 131.44.1.2 any eq ftp-data
40 permit ip host 131.44.1.1 any time-range time-range-work (active)
|
Step 5: Configure applying the IP extended ACL.
#Apply the IP extended ACL with serial number 1001 to the egress of port gigabitethernet0/1 on Device.
|
Device(config)#interface gigabitethernet 0/1
Device(config-if-gigabitethernet0/1)#ip access-group 1001 out
Device(config-if-gigabitethernet0/1)#exit
|
#View the information of the ACL applied to the port on Device.
Device#show acl-object interface
-----------Interface-----Bind-----Instance
Interface----------------Direction----AclType---AclName
gi0/1 OUT IP 1001
-----------Interface-----Bind-----Instance
Interface VlanId---------Direction----AclType---AclName
Step 6: Check the result.
#PC1 can access IP Network from 08:00 to 18:00 of every day; PC2 can access any FTP server in IP Network; PC3 cannot access IP Network.
Switch
.png){kind=icon}
.png){kind=logo}
.jpg)
.png){kind=logo}
