25-15
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 25 Configuring Network Security with ACLs
Configuring ACLs
Command                                     Purpose
Step 5  show access-lists [number | name]   Show the access list configuration.
Step 6  copy running-config startup-config  (Optional) Save your entries in the configuration file.

When creating a standard or extended ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all traffic that did not match an earlier entry before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.

After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACEs at a specific position in an ACL. However, you can use no permit and no deny commands to remove ACEs from a named ACL. This example shows how you can delete individual ACEs from a named ACL:

Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any

Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.

After creating an ACL, you must apply it to a line or interface, as described in the "Applying ACLs to Terminal Lines or Physical Interfaces" section on page 25-20.

Applying Time Ranges to ACLs

You can implement extended ACLs based on the time of day and week by using the time-range global configuration command. First, define the name and the times of the day and week of the time range, and then reference the time range by name in an ACL to apply restrictions to the access list. You can use the time range to define when the permit or deny statements in the ACL are in effect. The time-range keyword and argument are referenced in the named and numbered extended ACL task tables in the "Creating Standard and Extended IP ACLs" section on page 25-7 and the "Creating Named Standard and Extended ACLs" section on page 25-13.

These are some of the many benefits of using time ranges:

• You have more control over permitting or denying a user access to resources, such as an application (identified by an IP address/mask pair and a port number).

• You can control logging messages. ACL entries can log traffic at certain times of the day, but not constantly. Therefore, you can simply deny access without having to analyze many logs generated during peak hours.

Note  The time range relies on the switch system clock. Therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. For more information, see the "Managing the System Time and Date" section on page 7-34.

Beginning in privileged EXEC mode, follow these steps to configure a time-range parameter for an ACL:

Command                            Purpose
Step 1  configure terminal         Enter global configuration mode.
Step 2  time-range time-range-name Identify the time range by a meaningful name (for example, workhours), and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter.
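The following added example, which is not part of the Cisco guide, puts the pieces of this section together on one switch: a time range, a named extended ACL that references it, selective removal of one ACE, and the ACL applied inbound on a physical interface. The NTP server address, the 10.1.1.0/24 client subnet, the web server 10.1.1.3, the interface name and the time-range name workhours are constructed for the example.

```cisco
! Added example (not from the guide); addresses and interface are constructed.
! 1. Time ranges depend on the system clock, so point the switch at an NTP source.
Switch(config)# ntp server 192.0.2.10
!
! 2. Define the time range. The name must begin with a letter and contain
!    no spaces or quotation marks. This one covers Monday-Friday 08:00-18:00.
Switch(config)# time-range workhours
Switch(config-time-range)# periodic weekdays 08:00 to 18:00
Switch(config-time-range)# exit
!
! 3. Named extended ACL. HTTP to the server is permitted only during workhours;
!    outside that window the entry is inactive and the traffic falls through
!    to the implicit deny at the end of the list.
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.3 eq 80 time-range workhours
Switch(config-ext-nacl)# permit udp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 123
Switch(config-ext-nacl)# permit udp any any eq 123
Switch(config-ext-nacl)# exit
!
! 4. The last entry was broader than intended. Because the ACL is named,
!    that single ACE can be removed without rebuilding the list.
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit udp any any eq 123
Switch(config-ext-nacl)# exit
!
! 5. Apply the ACL inbound on the physical interface and verify.
Switch(config)# interface fastethernet0/1
Switch(config-if)# ip access-group border-list in
Switch(config-if)# end
Switch# show time-range
Switch# show access-lists border-list
Switch# copy running-config startup-config
```

Because the time-range entry only switches the permit on and off, verify with show access-lists that the remaining entries are exactly the ones you intend to fall back on outside workhours.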