29 November 2010

Configuring Time-Based ACLs

Time-based ACLs give the security professional finer control over when access to a resource is permitted or denied. Sometimes it is necessary to open a hole in a router's filter to allow a specific type of traffic, but that hole should not stay open indefinitely. For example, users could be allowed to access the Internet during lunch but not during regular business hours. Time-based ACLs make this kind of policy enforceable on the router itself.

Time-based ACLs also give security professionals control over logging. An ACL entry can be configured to log its matches only during certain hours rather than constantly, so the administrator can simply deny traffic during peak hours without having to analyze the large volume of log messages that would otherwise be generated, and log only during the windows that matter.

When creating a time range with the time-range command, it must have a unique name. The name must begin with a letter and cannot contain a space. Use this name later to associate a specific ACL statement with this range. Executing the time-range command places the router in time-range sub-configuration mode (the prompt changes to config-time-range). In this mode, two types of ranges can be specified: one-time only (absolute) and recurring (periodic). A time range may contain one absolute statement and any number of periodic statements; when both are present, the periodic statements are only evaluated inside the absolute window.

These are the commands for creating a time range:

Router(config)# time-range time_range_name

Router(config-time-range)# absolute [start hh:mm day month year] [end hh:mm day month year]

Router(config-time-range)# periodic days_of_the_week hh:mm to [days_of_the_week] hh:mm

In the absolute statement, omitting start makes the range active immediately and omitting end makes it active indefinitely. In the periodic statement, days_of_the_week is one or more day names (monday through sunday) or one of the keywords daily, weekdays, or weekend; the end day can be omitted when it is the same as the start day. Times are given in 24-hour hh:mm form and are evaluated against the router's own clock.

A network administrator has a situation that requires time-based ACLs. Users are not allowed to access the Internet during business hours, except during lunch (12:00 to 13:00) and after hours from 17:00 until the office closes at 19:00. This is a time-based ACL that supports the requirement:

R1(config)# time-range employee-time

R1(config-time-range)# periodic weekdays 12:00 to 13:00

R1(config-time-range)# periodic weekdays 17:00 to 19:00

R1(config-time-range)# exit

R1(config)# access-list 100 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time

R1(config)# access-list 100 deny ip any any

R1(config)# interface FastEthernet 0/1

R1(config-if)# ip access-group 100 in

R1(config-if)# exit

In this example, ACL 100 permits IP traffic from the 192.168.1.0/24 LAN to any destination only while employee-time is active, that is, on weekdays from noon to 1 PM and from 5 PM to 7 PM. Outside those windows the permit entry is inactive, and the deny ip any any entry (which duplicates the implicit deny at the end of every ACL but provides a visible hit counter) blocks all IP traffic entering FastEthernet 0/1, including traffic to internal servers and DNS, so in practice entries for required internal traffic would be placed above the time-limited permit. Because the entry is switched on and off by the router's clock, the clock must be accurate (configure the correct time zone and an NTP source), or the windows will be enforced at the wrong times.
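As an added example that is not part of the original post, the following IOS configuration extends the scenario above to show the two capabilities described earlier but not used in the page's own example: an absolute range that opens a hole only for a fixed period, and a deny entry that logs only during a chosen window. The clock and NTP lines address the dependency on an accurate router clock. The range names, the contractor host, the 192.168.0.0/16 internal aggregate, and the 192.0.2.0/24 and 203.0.113.0/24 addresses (documentation ranges) are assumed for illustration.

```cisco
! Time-based entries are evaluated against the router clock, so anchor it first.
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! Recurring windows from the page's scenario: lunch and the two hours after work.
time-range employee-time
 periodic weekdays 12:00 to 13:00
 periodic weekdays 17:00 to 19:00
!
! One-time window for a contractor (assumed dates): valid only between these
! two dates, and within that period only during weekday business hours.
time-range contractor-window
 absolute start 08:00 1 December 2010 end 17:00 15 December 2010
 periodic weekdays 08:00 to 17:00
!
! Window in which denied traffic is worth logging: evenings and weekends.
time-range after-hours
 periodic weekdays 19:00 to 23:59
 periodic weekdays 00:00 to 08:00
 periodic weekend 00:00 to 23:59
!
ip access-list extended LAN-IN
 remark Internal services must stay reachable regardless of the time of day
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Employee Internet access only while employee-time is active
 permit ip 192.168.1.0 0.0.0.255 any time-range employee-time
 remark Contractor host (assumed) reaches the vendor host over HTTPS during the engagement
 permit tcp host 192.168.1.50 host 203.0.113.25 eq 443 time-range contractor-window
 remark Log denies only after hours; the unlogged deny absorbs peak-hour traffic
 deny ip any any time-range after-hours log
 deny ip any any
!
interface FastEthernet0/1
 ip access-group LAN-IN in
```

Verify with show time-range and show access-lists: each time-limited entry is displayed as (active) or (inactive) according to the current clock, and show ntp status confirms the router is actually synchronized. Once contractor-window's absolute end passes, its entry stays in the configuration but is permanently inactive, so it should be removed rather than left as a latent hole.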

biOos