1. Experimental topology and requirements description
R1 is the internal network, R2 is the border router, and R3 is the external network. The internal network must not be able to access the external network from 8:00 to 17:30 every day; at other times traffic is not restricted.
2. Basic configuration omitted
To configure the ACL on R2:
! Define a time range named Work
time-range Work
! Recurring period: weekdays, 8:00 to 17:30
 periodic weekdays 8:00 to 17:30
! The ACL number is missing from the original page; 100 (an extended ACL number) is assumed here
! Deny intranet host 192.168.12.1 access to extranet host 3.3.3.3 while Work is active
access-list 100 deny ip host 192.168.12.1 host 3.3.3.3 time-range Work
! Deny intranet host 1.1.1.1 access to extranet host 3.3.3.3 while Work is active
access-list 100 deny ip host 1.1.1.1 host 3.3.3.3 time-range Work
! Permit everything else (traffic is not restricted outside the time range)
access-list 100 permit ip any any
Apply it on R2 interface s0/0:
interface serial0/0
! Filter traffic coming in through the s0/0 port of R2
 ip access-group 100 in
3. Experimental phenomena:
When the R2 clock is set to a time within the weekday time period, the intranet cannot access the extranet.
When the R2 clock is set to a time outside that period, the intranet can access the extranet.
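The behaviour observed in section 3, modelled as an added Python example (not part of the original article): it evaluates the three ACL entries from section 2 against a packet and a clock value. The class and function names are hypothetical, the clock values are constructed, and counting both boundary minutes as inside the range is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class TimeRange:
    """Model of `periodic weekdays HH:MM to HH:MM` (Monday to Friday)."""
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        # Assumption: both boundary minutes count as inside the range.
        minute = now.time().replace(second=0, microsecond=0)
        return now.weekday() < 5 and self.start <= minute <= self.end

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    src: str                             # host address or CIDR
    dst: str
    time_range: Optional[TimeRange] = None

    def matches(self, src: str, dst: str, now: datetime) -> bool:
        # An entry whose time range is inactive is skipped entirely.
        if self.time_range is not None and not self.time_range.active(now):
            return False
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

def evaluate(acl: list[Ace], src: str, dst: str, now: datetime) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src, dst, now):
            return ace.action
    return "deny"

WORK = TimeRange(time(8, 0), time(17, 30))
ANY = "0.0.0.0/0"
# The three entries configured on R2 in this article.
R2_ACL = [
    Ace("deny", "192.168.12.1", "3.3.3.3", WORK),
    Ace("deny", "1.1.1.1", "3.3.3.3", WORK),
    Ace("permit", ANY, ANY),
]

if __name__ == "__main__":
    # Constructed clock values: Wednesday 10:00, Wednesday 18:00, Saturday 10:00.
    for day, hour in ((3, 10), (3, 18), (6, 10)):
        now = datetime(2024, 1, day, hour, 0)
        print(now.strftime("%a %H:%M"), evaluate(R2_ACL, "1.1.1.1", "3.3.3.3", now))
```

The verdict depends only on the clock value passed in, which mirrors the experiment: the ACL on R2 is only as reliable as R2's clock.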
4. Summary
In an enterprise local area network, controlling data traffic with ACLs improves security and makes the network easier for administrators to manage. There are, however, several points to watch when writing ACLs: an ACL can only match traffic passing through the router (that is, it cannot filter traffic generated locally by the router itself); one direction of an interface can have only one ACL configured per protocol; if standard ACLs are used, it is recommended to configure them on a router close to the destination address; and if extended ACLs are used, it is recommended to configure them on a router close to the source address.
This article is from the "ICMP redirect Experiment" blog; be sure to keep this source: http://shhqing.blog.51cto.com/8622597/1721316
Time-based ACLs