Cisco Systems 10000 Network Router User Manual


 
Cisco 10000 Series Router Software Configuration Guide
OL-2226-23
Chapter 12 Configuring Traffic Filtering
Time-Based ACLs
Example 12-4 Applying a Time Range to a Numbered ACL
Router(config)# time-range smtp
Router(config-time-range)# periodic daily 5:00 to 23:59
Router(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
Router(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25 time-range smtp
Router(config)# interface serial 0
Router(config-if)# ip access-group 102 in
Applying a Time Range to a Named Access Control List
To apply a time range to a named extended access control list (ACL), enter the following commands, beginning in global configuration mode:

Command and Purpose

Step 1
Command: Router(config)# ip access-list {standard | extended} access-list-name
Purpose: Defines an access list by name and enters named-access-control configuration mode.
Note: The time-based ACLs feature supports only extended access lists.

Step 2
Command: Router(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] time-range time-range-name [fragments]
Purpose: Sets conditions in a named IP access list that will deny or permit packets. The time-range time-range-name option indicates the name of the time range that applies to this ACE.
Note: In Cisco IOS Release 12.3(7)XI1, the time-range argument is required.

Step 3
Command: Router(config)# interface type number slot/module/port.subinterface
Purpose: Configures an interface and enters interface configuration mode.

Step 4
Command: Router(config-if)# ip access-group {access-list-number | access-list-name} {in | out}
Purpose: Controls access to an interface.

Example 12-5 denies FTP traffic on Monday through Sunday between the hours of 9:00 a.m. and 3:00 p.m. The example creates the time range named no-ftp and applies it to the ACE of the extended IP access list named strict. The time-based ACL is then applied inbound on the Ethernet 0 interface.

Example 12-5 Applying a Time Range to a Named ACL
Router(config)# time-range no-ftp
Router(config-time-range)# periodic daily 9:00 to 15:00
Router(config)# ip access-list extended strict
Router(config-ext-nacl)# deny tcp any any eq 21 time-range no-ftp
Router(config-ext-nacl)# exit
Router(config)# interface ethernet 0
Router(config-if)# ip access-group strict in
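The following Python model is an added example, not part of the Cisco guide. It evaluates the access list from Example 12-5 in order: an ACE whose time range is inactive is skipped, and a packet that matches no ACE falls through to the implicit deny that ends every IOS access list. The reduced packet model (protocol and destination port only), the handling of the end minute, and the STRICT_WITH_PERMIT variant are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class TimeRange:
    """One 'periodic daily HH:MM to HH:MM' time range."""
    name: str
    start: time
    end: time

    def active(self, now: time) -> bool:
        # Assumption: compared at minute granularity, end minute included.
        return self.start <= now.replace(second=0, microsecond=0) <= self.end

@dataclass(frozen=True)
class Ace:
    action: str                              # "permit" or "deny"
    protocol: str                            # "tcp", "udp", or "ip" (any protocol)
    dst_port: Optional[int] = None           # None matches any destination port
    time_range: Optional[TimeRange] = None   # None means always active

    def matches(self, protocol: str, dst_port: int, now: time) -> bool:
        if self.time_range and not self.time_range.active(now):
            return False                     # inactive time range: ACE is skipped
        if self.protocol not in ("ip", protocol):
            return False
        return self.dst_port is None or self.dst_port == dst_port

def evaluate(acl, protocol, dst_port, now):
    """Return (action, reason); the first matching ACE decides the packet."""
    for index, ace in enumerate(acl, start=1):
        if ace.matches(protocol, dst_port, now):
            return ace.action, f"ACE {index}"
    return "deny", "implicit deny"           # end of list reached with no match

NO_FTP = TimeRange("no-ftp", time(9, 0), time(15, 0))
# Access list "strict" as written in Example 12-5: one time-based deny ACE.
STRICT = [Ace("deny", "tcp", 21, NO_FTP)]
# Hypothetical variant (not in the guide) ending in 'permit ip any any'.
STRICT_WITH_PERMIT = STRICT + [Ace("permit", "ip")]

if __name__ == "__main__":
    samples = [("tcp", 21, time(10, 0)), ("tcp", 21, time(20, 0)), ("tcp", 80, time(10, 0))]
    for label, acl in (("strict", STRICT), ("strict + permit", STRICT_WITH_PERMIT)):
        for proto, port, now in samples:
            print(label, proto, port, now, *evaluate(acl, proto, port, now))
```

With only the single deny ACE, every inbound packet is dropped at all hours, either by the ACE or by the implicit deny; the time range changes the outcome only when a later permit entry exists.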