Application of access list in CISCO Routers

Source: Internet
Author: User

CISCO routers have many users, but many people may still not know how the access list is actually applied in them. I hope you will gain a lot from reading this article. There are two types of access list in a CISCO router: the standard access list and the extended access list. The difference between the two is that the former filters data packets based on the target address, while the latter filters data packets based on the destination address, source address, and network protocol port.

With the development of the network and the changes in user requirements, a time-based access list has been available in the CISCO router since IOS 12.0. It can be used to control network packet forwarding based on different times of the day or different days of the week.

I. Usage

A time-based access list adds an effective time range to the original standard and extended access lists so that the network can be controlled more effectively. You first define a time range and then apply it on top of the original access lists. It works with both numbered access lists and named access lists.

II. Use Rules

Use the time-range command to specify the time range name, and then use the absolute command or one or more periodic commands to define the time range. The IOS command format is:

    time-range time-range-name
     absolute [start time date] [end time date]
     periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm

Absolute: this command specifies an absolute time range. It is followed by the start and end keywords. The time after these two keywords must be in 24-hour format, hh:mm (hour:minute), and the date must be given as day/month/year. Both keywords can be omitted. If start and the time after it are omitted, the associated permit or deny statement takes effect immediately and stays in effect until the end time. If end and the time after it are omitted, the associated permit or deny statement takes effect at the start time and stays in effect from then on (unless, of course, the access list is deleted).

The above covers the command and its basic parameters. Here are two examples.

In this way, we can use a time-based access list instead of going to the office in the middle of the night to delete the access list. This should be a good thing for network administrators. Next, let's take a look at the periodic command and its parameters. There can be only one absolute statement in a time range, but there can be several periodic statements.

Periodic: a command that defines the time range using days of the week. Its parameters are mainly one or more of Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, or Sunday, or daily (every day), weekdays (Monday to Friday), or weekend (Saturday and Sunday). Now that we have seen how to define the time range, let's take a look at how to apply a time-based access list in an actual situation.

Now let's analyze the access control list. The first statement enters interface configuration mode. The second statement applies the named access list web in the inbound direction of Serial 0, that is, packets are checked as they flow into the CISCO router. The third statement defines a time range named changeweb. The fourth statement defines the extended named access list web. The fifth and sixth statements mean that only WEB1 can be accessed before the New Year.

The seventh statement allows all web access to WEB2. Doesn't the seventh statement then allow all access to WEB2 without any time restriction? So how is our goal achieved? Do not forget that the order of the entries in an access control list on a CISCO router is very important: they are evaluated from top to bottom. Before the New Year, while the fifth and sixth statements are in effect, a request to access WEB2 has already been denied, so the seventh statement has no effect. After the New Year, the fifth and sixth statements are no longer in effect and the seventh statement plays its role, allowing all access requests to WEB2. Can the WEB1 server be accessed after the New Year? Of course not, because the seventh statement only allows access to WEB2, which implies that everything else is denied.
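The top-to-bottom evaluation described above, together with the open-ended start and end of the absolute command, modelled in Python as an added example (it is not part of the original article and is not CISCO code). The IOS-style configuration embedded in it is constructed: the WEB1 and WEB2 addresses and the end date are assumptions, and only HTTP requests to a single host are modelled.

```python
from datetime import datetime

# Constructed configuration for the seven statements discussed above. The
# addresses (documentation range) and the end date are assumptions.
CONFIG = """\
interface Serial0
 ip access-group web in
time-range changeweb
 absolute end 23:59 31 December 2000
ip access-list extended web
 permit tcp any host 192.0.2.1 eq www time-range changeweb
 deny tcp any host 192.0.2.2 eq www time-range changeweb
 permit tcp any host 192.0.2.2 eq www
"""
WEB1, WEB2 = "192.0.2.1", "192.0.2.2"

def parse(config):
    """Return ({range name: [start, end]}, [(action, dst host, range name)])."""
    ranges, entries, name = {}, [], None
    for words in filter(None, map(str.split, config.splitlines())):
        if words[0] == "time-range":
            name = words[1]
            ranges[name] = [None, None]      # omitted start/end stay open
        elif words[0] == "absolute":
            for i, word in enumerate(words):
                if word in ("start", "end"):
                    stamp = " ".join(words[i + 1:i + 5])
                    when = datetime.strptime(stamp, "%H:%M %d %B %Y")
                    ranges[name][0 if word == "start" else 1] = when
        elif words[0] in ("permit", "deny"):
            dst = words[words.index("host") + 1]
            tr = words[words.index("time-range") + 1] if "time-range" in words else None
            entries.append((words[0], dst, tr))
    return ranges, entries

def is_active(time_range, now):
    start, end = time_range
    return (start is None or now >= start) and (end is None or now <= end)

def evaluate(config, dst, now):
    """Decide an inbound HTTP request to host dst at time now; first match wins."""
    ranges, entries = parse(config)
    for action, host, tr in entries:
        if tr is not None and not is_active(ranges[tr], now):
            continue                         # entry outside its time range is skipped
        if host == dst:
            return action
    return "deny"                            # implicit deny closes every access list
```

Evaluating the same destination on either side of the end date shows why the order of the entries, not the unrestricted final permit, decides the result.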
 
