Cisco Systems 2950 Applying Time Ranges to ACLs

29-15

Catalyst2950 and Catalyst2955 Switch Software Configuration Guide

78-11380-10

Chapter29 Configuring Network Securi ty with ACLs Configuring ACLs

When making the standard and extended ACL, remember that, by default, the e nd o f the ACL conta ins

an implicit deny statement for everything if it did not find a match before reaching the end. For standard

ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is

assumed to be the mask.

After you create an ACL, any additions are placed at the end of the list. You cannot selectively add A CEs

to a specific ACL. However, you can use no permit and no deny commands to remove ACEs from a

named ACL. This example shows how you can delete individual ACEs from a named ACL:

Switch(config)# ip access-list extended border-list

Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any

Being able to selectively remove lines from a named ACL is one reason you might use named ACLs

instead of numbered ACLs.

After creating an ACL, you must apply it to a line or interface, as described in the “Applying ACLs to

Terminal Lines or Physical Interfaces” section on page 29-19.

Applying Time Ranges to ACLs

You can implement extended ACLs based on the time of day and week by using the time-range global

configuration command. First, define the name and times of the day and week of the time range, and then

reference the time range by name in an ACL to a p ply r estrictions to the access list. You can u s e th e time

range to define when the permit or deny statements in the ACL are in effect. The time-range keyword

and argument are referenced in the named and numbered extended ACL task tables in the “Creating

Standard and Extended IP ACLs” section on page29-7, and the “Crea ting Name d Standa rd and

Extended ACLs” section on page 29-13.

These are some of the many benefits of using time ranges:

•You have more control over permitting or denying a user access to resources, such as an application

(identified by an IP address mask pair and a port number).

•You can control logging messages. ACL entries can log traffic at certain times of the day, but not

constantly. Therefore, you can simply deny access without having to analyze many logs generated

during peak hours.

Note The time range relies on the switch system clock. Therefore, you need a reliab le clock sour ce. We

recommend that you use Network Time Protocol (NTP) to synchronize the swi tch cl ock. For mo re

information, see the “Managing the System Time and Date” section on page 8-1.

Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an A CL:

Step5 show access-lists [number | name] Show the access list configuration.

Step6 copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 time-range time-range-name Identify the time-range by a meaningful name (for example, workhours),

and enter time-range configuration mode. The name cannot contain a

space or quotation mark and must begin with a letter.