In this example we will test Cisco IOS time-based access lists.
- We will permit telnet traffic from R1's loopback0 address to R3's loopback0 address during working hours.
- We will permit OSPF traffic at all times.
- We will deny all other traffic.
Here is the topology for this example:
Configuration on R2:
time-range telnet-time
periodic weekdays 8:00 to 17:00
access-list 101 permit ospf any any
access-list 101 permit tcp host 10.10.10.1 host 10.10.10.3 eq telnet time-range telnet-time
access-list 101 deny ip any any
interface FastEthernet0/0
ip address 10.10.12.2 255.255.255.0
ip access-group 101 in
Let's test telnet from R1:
R1#telnet 10.10.10.3 /source-interface lo0
Trying 10.10.10.3 ... Open
User Access Verification
Password:
R3>en
Password:
R3#
Let's check it from R2:
R2#show clock
09:27:02.939 UTC Wed Nov 2 2011
R2#show access-lists
Extended IP access list 101
5 permit ospf any any (50 matches)
10 permit tcp host 10.10.10.1 host 10.10.10.3 eq telnet time-range telnet-time (active) (25 matches)
20 deny ip any any (7 matches)
Let's change the time on R2 so that the clock falls outside the time-range:
Router#clock set 20:00:00 2 Nov 2011
Router#show clock
20:00:04.819 UTC Wed Nov 2 2011
R2#show access-lists 101
Extended IP access list 101
10 permit ospf any any (135 matches)
20 permit tcp host 10.10.10.1 host 10.10.10.3 eq telnet time-range telnet-time (inactive) (24 matches)
30 deny ip any any (139 matches)
We see that access-list entry 20 is now inactive. Now we test the telnet connection from R1 to R3 again:
R1#telnet 10.10.10.3 /source-interface lo0
Trying 10.10.10.3 ...
% Destination unreachable; gateway or host down
It is denied.
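To make the first-match and time-range behaviour shown above concrete, here is an added Python model of how the router evaluates ACL 101 at the two clock values from this post (example code, not from the post or from Cisco; the tuple data model, the OSPF hello addresses and the end-exclusive window are assumptions). It makes the practical point visible: the permit/deny decision follows the router's local clock, which is exactly why `clock set` flipped the result.

```python
from datetime import datetime

# Day sets for the IOS "periodic" keywords a time-range can use.
PERIODIC_DAYS = {
    "weekdays": {0, 1, 2, 3, 4},  # Monday..Friday
    "weekend": {5, 6},
    "daily": {0, 1, 2, 3, 4, 5, 6},
}
# Hypothetical data model for the post's config (not IOS syntax):
# time-range = (days, start, end); ACE = (action, proto, src, dst, dst_port, time_range).
TIME_RANGES = {"telnet-time": ("weekdays", "8:00", "17:00")}
ACL_101 = [
    ("permit", "ospf", "any", "any", None, None),
    ("permit", "tcp", "10.10.10.1", "10.10.10.3", 23, "telnet-time"),
    ("deny", "ip", "any", "any", None, None),
]

def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def time_range_active(time_range, now):
    """True when the router clock 'now' is inside the window (assumed start inclusive, end exclusive)."""
    days, start, end = time_range
    if now.weekday() not in PERIODIC_DAYS[days]:
        return False
    return _minutes(start) <= now.hour * 60 + now.minute < _minutes(end)

def _match(field, value):
    return field == "any" or field == value

def evaluate(acl, pkt, clock):
    """First-match evaluation. pkt = (proto, src, dst, dst_port); clock is a datetime
    or 'YYYY-MM-DD HH:MM' string. Returns (action, ACE index); ('deny', None) = implicit deny."""
    now = datetime.fromisoformat(clock) if isinstance(clock, str) else clock
    for i, (action, proto, src, dst, dport, tr_name) in enumerate(acl):
        # An ACE whose time-range is inactive is skipped, as IOS shows with "(inactive)".
        if tr_name and not time_range_active(TIME_RANGES[tr_name], now):
            continue
        if proto != "ip" and proto != pkt[0]:
            continue
        if not (_match(src, pkt[1]) and _match(dst, pkt[2])):
            continue
        if dport is not None and dport != pkt[3]:
            continue
        return action, i
    return "deny", None

if __name__ == "__main__":  # the two router clocks from the post; packets are constructed
    telnet, ospf = ("tcp", "10.10.10.1", "10.10.10.3", 23), ("ospf", "10.10.12.1", "224.0.0.5", None)
    for clock in ("2011-11-02 09:27", "2011-11-02 20:00"):
        print(clock, "telnet:", evaluate(ACL_101, telnet, clock), "ospf:", evaluate(ACL_101, ospf, clock))
```

Because the decision depends entirely on the local clock, keeping R2 synchronised with a trusted time source is part of making this ACL enforce what you intend.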
How about configuring time-based ACLs for IOS-XR?