Applying Time Ranges To Acls - Cisco WS-C3550-12G Software Configuration Manual
Multilayer switch
Hide thumbs
Also See for WS-C3550-12G:
- User manual (436 pages) ,
- Manual (278 pages) ,
- Datasheet (19 pages)
Table of Contents
Advertisement
Chapter 19
Configuring Network Security with ACLs
Beginning in privileged EXEC mode, follow these steps to create an extended ACL using names:
Command
Step 1
configure terminal
Step 2
ip access-list extended name
Step 3
{deny | permit} protocol {source
[source-wildcard] | host source | any}
{destination [destination-wildcard] | host
destination | any} [precedence precedence]
[tos tos] [established] [log] [time-range
time-range-name]
Step 4
end
Step 5
show access-lists [number | name]
Step 6
copy running-config startup-config
To remove a named extended ACL, use the no ip access-list extended name global configuration
command.
When you are creating standard extended ACLs, remember that, by default, the end of the ACL contains
an implicit deny statement for everything if it did not find a match before reaching the end. For standard
ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is
assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode
commands to remove entries from a named ACL. This example shows how you can delete individual
ACEs from the named access list border-list:
Switch(config)# ip access-list extended border-list
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs
instead of numbered ACLs.
After creating an ACL, you must apply it to a line or interface, as described in the
to an Interface or Terminal Line" section on page
Applying Time Ranges to ACLs
You can implement extended ACLs based on the time of day and week by using the time-range global
configuration command. First, define the name and times of the day and week of the time range, and then
reference the time range by name in an ACL to apply restrictions to the access list. You can use the time
range to define when the permit or deny statements in the ACL are in effect. The time-range keyword
78-11194-03
Purpose
Enter global configuration mode.
Define an extended IP access list using a name and enter
access-list configuration mode.
Note
The name can be a number from 100 to 199.
In access-list configuration mode, specify the conditions allowed
or denied. Use the log keyword to get access list logging messages,
including violations.
See the
"Creating a Numbered Extended ACL" section on
page 19-9
for definitions of protocols and other keywords.
•
host source—A source and source wildcard of source 0.0.0.0.
host destination—A destination and destination wildcard of
•
destination 0.0.0.0.
•
any—A source and source wildcard or destination and
destination wildcard of 0.0.0.0 255.255.255.255.
Return to privileged EXEC mode.
Show the access list configuration.
(Optional) Save your entries in the configuration file.
19-18.
Catalyst 3550 Multilayer Switch Software Configuration Guide
Configuring Router ACLs
"Applying the ACL
19-15
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
