This feature implements access control based on a time period (a time of day, certain days of the week, or both).
第一步:预配置说明见图,主机位与路由器的序列号一致
Step 2: Configure R2. For the local policy to take effect, be sure to configure the following commands:
ip local policy route-map STARSHOMES
route-map STARSHOMES permit 10
 match ip address 100
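Step 3: Configure the ACL and the time-range on R2
! this ACL entry takes effect while the no-ping time range is active
access-list 100 deny icmp any host 12.0.0.2 time-range no-ping
access-list 100 permit ip any any
time-range no-ping
 absolute start 00:00 01 January 2000
 periodic daily 11:30 to 11:31
The following explanation of absolute and periodic comes from china.dub.com:
The absolute statement specifies an absolute time range. The absolute keyword is followed by the start and end keywords. If the reader wants the associated permit or deny statements in the access list to take effect, start and end should be followed by the start and end times.
Although a time range can have only one absolute statement, it can have multiple periodic statements. In addition, the absolute statement takes only a few parameters, such as the start and end time and date, whereas the periodic statement accepts many parameters: its range can be a single day of the week, a combination of several days, or one of the keywords daily, weekdays and weekend. The table below lists the day-of-week parameters that can be used in the periodic statement.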
Step 4: Ping R2's f1/0 interface from R1, then check the following on R2
R2#sh ip access-lists
Extended IP access list 100
    10 deny icmp any host 12.0.0.2 time-range ping (active) (6 matches)
    20 permit ip any any (3694 matches)
R2#sh time
time-range entry: ping (active)
   absolute start 00:00 01 January 2000
   periodic daily 11:30 to 11:31
   used in: IP ACL entry
R2#sh clock
*11:32:08.315 UTC Wed Aug 14 2013
R2#sh tim
time-range entry: ping (inactive)
   absolute start 00:00 01 January 2000
   periodic daily 11:30 to 11:31
   used in: IP ACL entry
R2#sh ip access
Extended IP access list 100
    10 deny icmp any host 12.0.0.2 time-range ping (inactive) (62 matches)
    20 permit ip any any (3890 matches)
// checked again after the time window has passed
Step 5: Observe the result
R1#ping 12.0.0.2 re 99999
Type escape sequence to abort.
Sending 99999, 100-byte ICMP Echos to 12.0.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U.U
.U.U.U.U.U.U.U.U.U.U.U.U.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 94 percent (1118/1180), round-trip min/avg/max = 36/89/1528 ms
// the experiment worked as expected
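A small note: the experiment worked, but the effect produced by time-range does not necessarily line up exactly with the show clock time; it lags a little, which is normal.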