
Time-Based Access Control Lists

2013-08-14 12:04, 246 views



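This feature implements access control based on time periods (a certain time of day, certain days of the week, or a combination of both).
Step 1: The pre-configuration is as shown in the figure; the host portion of each address matches the router's number.
Step 2: Configure R2. For the local policy to take effect, be sure to configure the following commands: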
ip local policy route-map STARSHOMES
route-map STARSHOMES permit 10
match ip address 100
Step 3: Configure the ACL and the time-range on R2
access-list 100 deny icmp any host 12.0.0.2 time-range no-ping
// this ACL entry takes effect only during the no-ping time range
access-list 100 permit ip any any
time-range no-ping
absolute start 00:00 01 January 2000
periodic daily 11:30 to 11:31
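The following explanation of absolute and periodic comes from china.dub.com.
The absolute statement specifies an absolute time range. The absolute keyword is followed by the start and end keywords, and each of those is followed by the time and date at which the associated permit or deny statements in the access list should start and stop being in effect.
A time range can contain only one absolute statement, but it can contain multiple periodic statements. In addition, the absolute statement takes only a few parameters (the start and end time and date), whereas the periodic statement accepts many: a single day of the week, a combination of several days, or the keywords daily, weekdays and weekend. The table below lists the day-of-week parameters that can be used in a periodic statement.

| Parameter | Meaning |
| --- | --- |
| Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday | A single day or a combination of several days |
| Daily | Monday through Sunday |
| Weekdays | Monday through Friday |
| Weekend | Saturday and Sunday |
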
Step 4: Have R1 ping R2's f1/0 interface, then check the following on R2
R2#sh ip access-lists
Extended IP access list 100
10 deny icmp any host 12.0.0.2 time-range ping (active) (6 matches)
20 permit ip any any (3694 matches)
R2#sh time
time-range entry: ping (active)
absolute start 00:00 01 January 2000
periodic daily 11:30 to 11:31
used in: IP ACL entry
R2#sh clock
*11:32:08.315 UTC Wed Aug 14 2013
R2#sh tim
time-range entry: ping (inactive)
absolute start 00:00 01 January 2000
periodic daily 11:30 to 11:31
used in: IP ACL entry
R2#sh ip access
Extended IP access list 100
10 deny icmp any host 12.0.0.2 time-range ping (inactive) (62 matches)
20 permit ip any any (3890 matches) // checked again after the time range has ended
Step 5: Observe the result
R1#ping 12.0.0.2 re 99999
Type escape sequence to abort.
Sending 99999, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 94 percent (1118/1180), round-trip min/avg/max = 36/89/1528 ms
// the experiment succeeded
A small note: the experiment succeeds, but the effect of the time-range does not necessarily line up exactly with the time shown by show clock; it lags slightly, and this is normal.
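
An added example (not from the original post): a small Python model of the absolute and periodic semantics described above, for checking when an ACL entry bound to a time-range is actually enforced. It handles only the same-day form `periodic <days> hh:mm to hh:mm` and treats the end minute as inclusive, which is an assumption; the names parse_time_range, is_active, NO_PING and OFFICE are hypothetical.

```python
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}

def parse_time_range(config):
    """Parse the absolute/periodic lines of one time-range block."""
    tr = {"start": None, "end": None, "periodic": []}
    for line in config.strip().splitlines():
        words = line.split()
        if words[0] == "absolute":
            for key in ("start", "end"):
                if key in words:
                    i = words.index(key)
                    stamp = " ".join(words[i + 1:i + 5])   # hh:mm day month year
                    tr[key] = datetime.strptime(stamp, "%H:%M %d %B %Y")
        elif words[0] == "periodic":
            to = words.index("to")
            days = set()
            for w in words[1:to - 1]:                      # day names or a group keyword
                days |= GROUPS.get(w.lower()) or {DAYS.index(w.lower())}
            begin = datetime.strptime(words[to - 1], "%H:%M").time()
            finish = datetime.strptime(words[to + 1], "%H:%M").time()
            tr["periodic"].append((days, begin, finish))
    return tr

def is_active(tr, now):
    """True if an ACL entry bound to this time-range would be enforced at `now`."""
    minute = now.replace(second=0, microsecond=0)
    if tr["start"] and minute < tr["start"]:
        return False
    # Assumption: the end minute is inclusive (active through hh:mm:59).
    if tr["end"] and minute > tr["end"]:
        return False
    if not tr["periodic"]:
        return True                                        # absolute-only range
    return any(now.weekday() in days and begin <= minute.time() <= finish
               for days, begin, finish in tr["periodic"])

# The time-range from the page, plus a constructed business-hours range.
NO_PING = parse_time_range("""
absolute start 00:00 01 January 2000
periodic daily 11:30 to 11:31
""")
OFFICE = parse_time_range("periodic weekdays 09:00 to 17:00")

if __name__ == "__main__":
    for ts in ("2013-08-14 11:30:30", "2013-08-14 11:32:08"):
        print(ts, is_active(NO_PING, datetime.fromisoformat(ts)))
```

The second timestamp is the show clock value from Step 4, at which the router also reports the entry as inactive.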

This article comes from the "Lee's Blog" blog; please be sure to retain this source: http://starshomes.blog.51cto.com/3202512/1272779