Vlan-Acl Configuration Example - Planet XGS3-42000R User Manual

4-slot Layer 3 IPv6/IPv4 routing chassis switch

55.3 VLAN-ACL Configuration Example

A company's network is divided by department into VLANs: the technique department is Vlan1 and the
finance department is Vlan2. The technique department must be able to access the outside network at
timeout (outside working hours), while the finance department, for security, is not allowed to access
the outside network at any time. The following policies are therefore configured:
Set the policy VACL_A for the technique department. At timeout the rule is permit, so they can access
the outside network; at other times the rule is deny. The policy is applied to Vlan1.
Set the ACL policy VACL_B for the finance department. They cannot access the outside network at any
time, but can access the inside network without limitation. The policy is applied to Vlan2.
The network environment is shown below:
Configuration example:
1) First, configure a time range whose valid time is the working hours of working days:
XGS3-42000R(config)#time-range t1
XGS3-42000R(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
XGS3-42000R(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended IP ACL acl_a; during working hours it only allows access to resources within
the internal network (such as 192.168.0.255).
XGS3-42000R(config)# ip access-list extended vacl_a
XGS3-42000R(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t1
XGS3-42000R(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
Figure 55-3-1 VLAN-ACL configuration example
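The following Python model is an added example, not part of the manual or of Planet's software. It evaluates the vacl_a rules from step 2 against the t1 windows from step 1, to show which destinations and times each rule actually covers. The function names, the first-match rule order, inclusive window ends and the "no-match" result are assumptions of this sketch.

```python
from datetime import datetime, time
from ipaddress import IPv4Address

# time-range t1 from step 1: two periodic weekday windows.
T1 = [(time(9, 0), time(12, 0)), (time(13, 0), time(18, 0))]

def t1_active(when):
    """True when `when` is a weekday inside one of t1's windows
    (window ends treated as inclusive, an assumption)."""
    if when.weekday() >= 5:            # 5 = Saturday, 6 = Sunday
        return False
    return any(start <= when.time() <= end for start, end in T1)

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)

# vacl_a from step 2, in configured order; None means any-destination.
VACL_A = [
    ("permit", ("192.168.0.0", "0.0.0.255"), t1_active),
    ("deny", None, t1_active),
]

def evaluate(acl, dst, when):
    """Return the action of the first active rule matching `dst`.
    Returns "no-match" when no rule applies; what the switch does then
    (its default action) is not stated on this page."""
    for action, dest, active in acl:
        if not active(when):
            continue                   # rule is dormant outside its time-range
        if dest is None or wildcard_match(dst, *dest):
            return action
    return "no-match"

if __name__ == "__main__":
    # Constructed sample packets: 2024-01-08 is a Monday, 2024-01-06 a Saturday.
    for dst, when in [("192.168.0.10", datetime(2024, 1, 8, 10, 0)),
                      ("203.0.113.5", datetime(2024, 1, 8, 10, 0)),
                      ("203.0.113.5", datetime(2024, 1, 8, 12, 30)),
                      ("203.0.113.5", datetime(2024, 1, 6, 10, 0))]:
        print(dst, when, evaluate(VACL_A, dst, when))
```

The 12:00 to 13:00 gap between the two periodic entries is worth checking against the intended policy: in that hour neither vacl_a rule is active, just as on evenings and weekends.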