27-17
Catalyst 3560 Switch Software Configuration Guide
78-16156-01
Chapter 27 Configuring Network Security with ACLs
Configuring IP ACLs
To remove a configured time-range limitation, use the no time-range time-range-name global
configuration command.
This example shows how to configure time ranges for workhours and for company holidays and to verify
your configuration.
Switch(config)# time-range workhours
Switch(config-time-range)# periodic weekdays 8:00 to 12:00
Switch(config-time-range)# periodic weekdays 13:00 to 17:00
Switch(config-time-range)# exit
Switch(config)# time-range new_year_day_2003
Switch(config-time-range)# absolute start 00:00 1 Jan 2003 end 23:59 1 Jan 2003
Switch(config-time-range)# exit
Switch(config)# time-range thanksgiving_2003
Switch(config-time-range)# absolute start 00:00 27 Nov 2003 end 23:59 28 Nov 2003
Switch(config-time-range)# exit
Switch(config)# time-range christmas_2003
Switch(config-time-range)# absolute start 00:00 24 Dec 2003 end 23:50 25 Dec 2003
Switch(config-time-range)# end
Switch# show time-range
time-range entry: christmas_2003 (inactive)
absolute start 00:00 24 December 2003 end 23:50 25 December 2003
time-range entry: new_year_day_2003 (inactive)
absolute start 00:00 01 January 2003 end 23:59 01 January 2003
time-range entry: thanksgiving_2000 (inactive)
absolute start 00:00 22 November 2003 end 23:59 23 November 2003
time-range entry: workhours (inactive)
periodic weekdays 8:00 to 12:00
periodic weekdays 13:00 to 17:00
To apply a time-range, enter the time-range name in an extended ACL that can implement time ranges.
This example shows how to create and verify extended access list 188 that denies TCP traffic from any
source to any destination during the defined holiday times and permits all TCP traffic during work hours.
Switch(config)# access-list 188 deny tcp any any time-range new_year_day_2003
Switch(config)# access-list 188 deny tcp any any time-range thanskgiving_2003
Switch(config)# access-list 188 deny tcp any any time-range christmas_2003
Switch(config)# access-list 188 permit tcp any any time-range workhours
Switch(config)# end
Switch# show access-lists
Extended IP access list 188
deny tcp any any time-range new_year_day_2003 (inactive)
deny tcp any any time-range thanskgiving_2003 (active)
deny tcp any any time-range christmas_2003 (inactive)
permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
Switch(config)# ip access-list extended deny_access
Switch(config-ext-nacl)# deny tcp any any time-range new_year_day_2003
Switch(config-ext-nacl)# deny tcp any any time-range thanksgiving_2003
Switch(config-ext-nacl)# deny tcp any any time-range christmas_2003
Switch(config-ext-nacl)# exit
Switch(config)# ip access-list extended may_access
Switch(config-ext-nacl)# permit tcp any any time-range workhours
Switch(config-ext-nacl)# end
Switch# show ip access-lists
Extended IP access list deny_access
deny tcp any any time-range new_year_day_2003 (inactive)
deny tcp any any time-range thanksgiving_2003 (inactive)
deny tcp any any time-range christmas_2003 (inactive)
Extended IP access list may_access
permit tcp any any time-range workhours (inactive)
To Next Page
Loading...
Need help?
General