Time-based access control list (ACL) configuration experiment
【Purpose】
- Master time-based ACL configuration.
- Understand the role of time-based ACLs in restricting traffic to specific time periods.
- Verify the configuration.
【Experimental Topology】
The experimental topology is shown in the figure below.
The device parameters are shown in the table below.
equipment | interface | IP address | subnet mask | default gateway
R1 | S0/3/0 | 192.168.1.1 | 255.255.255.252 | N/A
R1 | Fa0/0/0 | 192.168.2.1 | 255.255.255.0 | N/A
R2 | S0/3/0 | 192.168.1.2 | 255.255.255.252 | N/A
R2 | F0/0 | 172.16.10.254 | 255.255.255.0 | N/A
PC1 | N/A | 192.168.2.2 | 255.255.255.0 | 192.168.2.1
Server1 | N/A | 172.16.10.1 | 255.255.255.0 | 172.16.10.254
【Experimental content】
1. Configure the routing protocol:
- Configure basic network interface parameters of R1 and R2, including IP addresses and subnet masks.
- Configure a static routing protocol between R1 and R2.
2. Time-based ACL defines the time period:
- Define a time period named "worktime" on R1, and set the time period from 9:00 to 21:00 on weekdays.
3. Configure time-based extended ACL to disable web services:
- Configure an extended ACL numbered 100 on R1.
- Use the ACL rule to prohibit access to the web service (port number 80) on the 172.16.10.0/24 network segment from the 192.168.2.0/24 network segment during working hours (according to the previously defined time period).
- Traffic from any other network segment is allowed to pass.
4. Configure time-based extended ACL to disable FTP service:
- Configure another extended ACL numbered 101 on R1.
- Use ACL rules to prohibit access to the FTP service (port numbers 20 and 21) on network segment 172.16.10.0/24 from network segment 192.168.2.0/24 during working hours.
- Traffic from any other network segment is allowed to pass.
5. Configure time-based extended ACL to disable DNS service:
- Configure the third extended ACL numbered 102 on R1.
- Use ACL rules to prohibit access to the DNS service (port number 53) on network segment 172.16.10.0/24 from network segment 192.168.2.0/24 during working hours.
- Traffic from any other network segment is allowed to pass.
- Through these configurations, time-based ACL restricts traffic access of different protocols within a specific time period. This controls access to services on the network, allowing or disallowing specific traffic to flow through the network during specific time periods.
【Experimental steps】
1. Configure the routing protocol
(1) Basic configuration of R1
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#interface f0/0
R1(config-if)#ip address 192.168.2.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
R1(config-if)#interface s0/3/0
R1(config-if)#ip address 192.168.1.1 255.255.255.252
R1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to down
R1(config-if)#exit
R1(config)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R1(config)#ip route 172.16.10.0 255.255.255.0 serial 0/3/0
//Static route to the 172.16.10.0/24 segment (Server1) via the serial link to R2
(2) Basic configuration of R2
Router>enable
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R2
R2(config)#interface f0/0
R2(config-if)#ip address 172.16.10.254 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
R2(config-if)#interface s0/3/0
R2(config-if)#ip address 192.168.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial0/3/0, changed state to up
R2(config-if)#exit
R2(config)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to up
R2(config)#ip route 192.168.2.0 255.255.255.0 serial 0/3/0
//Static route back to the 192.168.2.0/24 segment (PC1) via the serial link to R1
(3) Basic configuration of Server1
2. Time-based ACL defines the time period
R1(config)#time-range worktime
//Define the time period, named worktime
R1(config-time-range)#periodic weekdays 9:00 to 21:00
//The time period is from 9:00 to 21:00 on weekdays; matching uses R1's own clock, so set it (clock set, or NTP) before relying on the ACL
3. Configure time-based extended ACL to disable web services
R1(config)#ip access-list extended 100
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www time-range worktime
//Deny TCP port 80 (www) from 192.168.2.0/24 to 172.16.10.0/24 while worktime is active
R1(config-ext-nacl)#permit ip any any
//Allow any other network segment to access
R1(config-ext-nacl)#exit
R1(config)#interface s0/3/0
R1(config-if)#ip access-group 100 out
//Apply ACL to the outbound direction of interface s0/3/0
4. Configure time-based extended ACL to disable FTP service
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 20 time-range worktime
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 21 time-range worktime
//Deny FTP (ports 20 and 21) from 192.168.2.0/24 to 172.16.10.0/24 while worktime is active
R1(config-ext-nacl)#permit ip any any
//ACL 101 is defined but not applied in this step; IOS allows one ACL per interface per direction, so applying 101 out on s0/3/0 would replace ACL 100
5. Configure time-based extended ACL to disable DNS service
R1(config)#ip access-list extended 102
R1(config-ext-nacl)#deny tcp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53 time-range worktime
R1(config-ext-nacl)#deny udp 192.168.2.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 53 time-range worktime
//Deny DNS over both TCP and UDP port 53 from 192.168.2.0/24 to 172.16.10.0/24 while worktime is active
R1(config-ext-nacl)#permit ip any any
//ACL 102 is likewise not applied in this step; the same one-ACL-per-direction rule as for ACL 101 applies
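To verify the configuration offline, the following added example (not part of the original lab) models how R1 evaluates the page's entries against constructed sample packets. Because IOS accepts one ACL per interface per direction, the deny lines of ACLs 100, 101 and 102 are modelled as one merged outbound list followed by the page's "permit ip any any"; the minute-granularity time-range match and the sample clock values are constructed simplifications.

```python
from datetime import datetime
import ipaddress

# Time range as defined on R1: periodic weekdays 9:00 to 21:00
# (minute granularity is a constructed simplification; Monday=0 ... Friday=4).
TIME_RANGES = {"worktime": {"days": range(0, 5), "start": (9, 0), "end": (21, 0)}}

def time_range_active(name, when):
    tr = TIME_RANGES[name]
    hm = (when.hour, when.minute)
    return when.weekday() in tr["days"] and tr["start"] <= hm <= tr["end"]

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care", a 0 bit must match exactly.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# Deny lines of ACLs 100, 101 and 102 merged into one outbound list, then the
# page's "permit ip any any". Fields: action, protocol, src, src-wildcard,
# dst, dst-wildcard, destination port (None = any), time-range (None = always).
ACL_OUT_S0_3_0 = [
    ("deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 80, "worktime"),
    ("deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 20, "worktime"),
    ("deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 21, "worktime"),
    ("deny", "tcp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 53, "worktime"),
    ("deny", "udp", "192.168.2.0", "0.0.0.255", "172.16.10.0", "0.0.0.255", 53, "worktime"),
    ("permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None, None),
]

def evaluate(acl, proto, src, dst, dport, when):
    """First matching entry wins; entries whose time-range is inactive are skipped;
    the implicit deny at the end of every IOS ACL applies if nothing matches."""
    for action, p, s, swc, d, dwc, port, tr in acl:
        if tr is not None and not time_range_active(tr, when):
            continue
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def decide(proto, dport, clock, src="192.168.2.2", dst="172.16.10.1"):
    """PC1 -> Server1 by default; clock is (year, month, day, hour, minute) on R1."""
    return evaluate(ACL_OUT_S0_3_0, proto, src, dst, dport, datetime(*clock))

if __name__ == "__main__":
    print("web, Tue 10:00:", decide("tcp", 80, (2024, 6, 11, 10, 0)))  # deny
    print("web, Sat 10:00:", decide("tcp", 80, (2024, 6, 15, 10, 0)))  # permit
    print("dns, Tue 12:30:", decide("udp", 53, (2024, 6, 11, 12, 30)))  # deny
```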