1. Time-based access lists
With a time-based access list, you can control a user's access permissions during a certain period of time.
Enter global configuration mode
Switch# conf t
Specify a meaningful name for the time range. The name cannot contain spaces or quotation marks and must start with a letter.
Switch(config)# time-range time-range-name
Specify the time range
Switch(config-time-range)# absolute [start time date] [end time date]
Or
periodic day-of-the-week hh:mm to [day-of-the-week] hh:mm
Or
periodic {weekdays | weekend | daily} hh:mm to hh:mm
Absolute: specifies an absolute time range. The keyword is followed by the start and end keywords, each followed by the time at which the associated permit or deny statements in the access list start or stop taking effect. Note that times are expressed in 24-hour format, and dates are expressed in the format (day/month/year).
Periodic: each time range can have only one absolute statement, but it can have multiple periodic statements. The absolute statement takes only a few parameters, such as the start time, end time, and date, while the periodic statement can use a large number of parameters: a combination of one or several days of the week, or keywords such as daily, weekdays, and weekend. Table 12-1 lists the day-of-the-week parameters that can be used in a periodic statement.
Table 12-1
| Parameter | Meaning |
| Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday | Combination of one or several days |
| Daily | From Monday to Sunday |
| Weekend | Saturday and Sunday |
| Weekdays | From Monday to Friday |
Return to privileged mode
Switch(config-time-range)# end
Verify the current settings
Switch# show time-range
Save the current configuration
Switch# copy running-config startup-config
With time-based access lists, you can control the access permissions of users within a certain period of time.
Restrict users' network applications
Normal users use the IP address range "10.1.0.0/16". To stop all employees from chatting with QQ and MSN during a set period (start to end) from Monday to Friday, add the following statements to the access list:
time-range deny-qq
---------- Define the time range name as "deny-qq"
periodic weekdays start to end
---------- The time range runs from start to end, Monday to Friday
ip access-list extended internet_limit
deny tcp 10.1.0.0 0.0.255.255 any eq 1863 time-range deny-qq
deny tcp 10.1.0.0 0.0.255.255 any eq 8000 time-range deny-qq
deny tcp 10.1.0.0 0.0.255.255 any eq 1080 time-range deny-qq
deny udp 10.1.0.0 0.0.255.255 any eq 8000 time-range deny-qq
deny udp 10.1.0.0 0.0.255.255 any eq 4000 time-range deny-qq
deny udp 10.1.0.0 0.0.255.255 any eq 1080 time-range deny-qq
---------- Define the protocols and port numbers used for QQ and MSN chat
permit ip any any
---------- Other access is not restricted.
Note that the port numbers used by most network applications can be found in the following files.
Win9X: %windir%\services
WinNT/2000/XP/2003: %windir%\system32\drivers\etc\services
Linux: /etc/services
If you cannot find an application's port in the services file, you can run netstat -ap after starting the program and find the port number the application uses.
Enable network applications
To ensure that no user logs on to the switch during non-working hours, the Ethernet port FE0/0 of the switch accepts traffic to destination port 23 (telnet) only during the permitted morning hours from Monday to Friday; at all other, non-working times it is prohibited.
The related configurations are as follows:
interface fastethernet 0/0
ip access-group 101 in
----- Apply IP access list 101 to this port
access-list 101 permit tcp any any eq telnet time-range nettel
----- Define IP access list 101
time-range nettel
periodic weekdays hh:mm to hh:mm
----- Define the time range nettel
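The following is an added example, not part of the original page: a Python check that cross-references time-range definitions with the access list entries that name them, because an entry naming a time range that was never defined, or one defined with no absolute or periodic statement, does not follow the schedule you intended. The sample configuration, its times, and the function name lint_time_ranges are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
time-range deny-qq
 periodic weekdays 9:00 to 18:00
time-range nettl
 periodic weekdays 8:00 to 12:00
time-range empty-range
ip access-list extended internet_limit
 deny tcp 10.1.0.0 0.0.255.255 any eq 1863 time-range deny-qq
 permit ip any any
access-list 101 permit tcp any any eq telnet time-range nettel
"""

DEF_RE = re.compile(r"^time-range\s+(\S+)\s*$", re.I)        # definition line
STMT_RE = re.compile(r"^\s+(absolute|periodic)\b", re.I)     # statement in sub-mode
REF_RE = re.compile(r"\b(?:permit|deny)\b.*\btime-range\s+(\S+)", re.I)  # ACL entry


def lint_time_ranges(config: str) -> dict:
    """Cross-check time-range definitions against ACL entries that use them."""
    defined = {}      # name -> number of absolute/periodic statements
    referenced = {}   # name -> line numbers of ACL entries naming it
    current = None    # time-range whose sub-mode we are currently inside
    for lineno, line in enumerate(config.splitlines(), 1):
        m = DEF_RE.match(line)
        if m:
            current = m.group(1)
            defined.setdefault(current, 0)
            continue
        if current and STMT_RE.match(line):
            defined[current] += 1
            continue
        if not line.startswith(" "):
            current = None  # an unindented line leaves the time-range sub-mode
        m = REF_RE.search(line)
        if m:
            referenced.setdefault(m.group(1), []).append(lineno)
    return {
        "undefined": {n: ls for n, ls in referenced.items() if n not in defined},
        "unused": sorted(n for n in defined if n not in referenced),
        "empty": sorted(n for n, count in defined.items() if count == 0),
    }


if __name__ == "__main__":
    print(lint_time_ranges(SAMPLE_CONFIG))
```

An "undefined" name paired with a similarly spelled "unused" one usually indicates a typo in either the definition or the access list entry.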
2. Related configuration commands
Time access list Configuration