10.1 Access Lists

10.1.3 Time-based extended access list syntax
Today's network security policies demand that access lists do more than use destination and source addresses to statically define whether a protocol is permitted. In some cases, an administrator may determine that certain traffic is permissible only during business hours, or that users have access to specific resources only at fixed times of day. This is possible using a time-based access list. Since IOS release 12.01(T), it is possible to implement time-based access lists based on the time of day and week by using the time-range command. There are many possible benefits of using time ranges, including the following:
To implement a time-based extended access list, first define the name and the times of day and week of the time range, and then reference the time range by name in an access list. To apply restrictions to the access list, use the following steps:
Currently, IP and IPX named or numbered extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied.

In the figure, RTA is configured with the named access list STRICT, which references two time ranges, NO-HTTP and UDP-YES. NO-HTTP is used in conjunction with a deny statement to prevent web traffic on weekdays from 8 A.M. to 6 P.M. The UDP-YES time range is used with a permit statement to allow all UDP traffic on weekends, from 12 noon to 8 P.M.
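The configuration the text describes, written out as an added example rather than the figure from the original page or Cisco's own text: the two time ranges, the STRICT named extended access list that references them, and an interface binding. The interface name, the user subnet 192.168.1.0/24, the NTP server address, the time zone, and the trailing permit entry are assumptions, since the figure is not reproduced here; the time-range and access-list lines follow standard IOS syntax.

```cisco
! A time range is compared against the router's own clock, so set the
! time zone and synchronize with NTP before relying on it.
! (Time zone and NTP address are placeholders, not from the page.)
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! Time ranges named as in the text. A "periodic" line is a recurring
! window; an "absolute" line (shown commented out) bounds the range to a
! single interval of calendar dates instead.
time-range NO-HTTP
 periodic weekdays 8:00 to 18:00
!
time-range UDP-YES
 periodic weekend 12:00 to 20:00
!
! Example of an absolute window (assumed dates, not from the page):
! time-range CONTRACTOR-ACCESS
!  absolute start 00:00 1 March 2025 end 23:59 31 March 2025
!
! Named extended ACL that references the time ranges by name.
ip access-list extended STRICT
 remark Web traffic denied only while NO-HTTP is active (weekdays 08:00-18:00)
 deny   tcp any any eq www time-range NO-HTTP
 remark UDP permitted only while UDP-YES is active (weekend 12:00-20:00)
 permit udp any any time-range UDP-YES
 remark Assumed tail: TCP from the user subnet is allowed at all times
 permit tcp 192.168.1.0 0.0.0.255 any
 remark Implicit deny ip any any drops everything else, including UDP
 remark outside the weekend window
!
! Apply inbound on the interface facing the users (interface is assumed).
interface GigabitEthernet0/1
 ip access-group STRICT in
!
! Verify: "show time-range" lists each range and whether it is active now;
! "show access-lists STRICT" marks time-range entries (active) or (inactive).
```

An entry whose time range is inactive is skipped, not negated: outside 08:00 to 18:00 on weekdays the deny line does nothing, so web traffic is matched against the later entries and, with the tail above, is permitted; UDP outside the weekend window reaches the implicit deny. Because the comparison is against the router's clock, an unsynchronized or wrongly zoned clock silently shifts when the policy is enforced, so checking show clock alongside show time-range is part of validating the list.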