Security
Contents
Time Range Access Lists (page 2)
Diagram (page 2)
Task 1 (page 2)
Task 1 Solution (page 2)
Task 2 (page 5)
Task 2 Solution (page 5)
Verification (page 6)
Aung Naing Moe 1
Time Range Access Lists
Diagram
(Topology figure not reproduced; recoverable labels follow.) R1 (Internal side, L0 = 192.168.1.1/24) connects from its E0/0 to R3's E0/0 over 10.0.13.0/24; R2 (External side, L0 = 192.168.2.2/24) connects from its E0/0 to R3's E0/1 over 10.0.23.0/24; OSPF runs between the routers; R3's E0/2 leads to the AAA Server.
Task 1
Configure R1 to allow its internal users to browse the Internet on weekdays only.
R2 should be configured so that its internal users can browse the Internet on weekends only.
The access-list should be applied outbound on the E0/0 interface of each router, since
this is the interface that connects these routers to the Internet.
Task 1 Solution
IP assignment and the basic configuration such as OSPF are the same as in the Basic IOS Access List lab.
R1
R1(config)#time-range WEEKDAYS
R1(config-time-range)#periodic weekdays 0:00 to 23:59
R1(config-time-range)#exit
R1(config)#access-list 101 permit tcp any any eq 80 time-range WEEKDAYS
R1(config)#interface Ethernet0/0
R1(config-if)# ip access-group 101 out
R2
R2(config)#time-range WEEKENDS
R2(config-time-range)#periodic weekend 0:00 to 23:59
R2(config-time-range)#exit
R2(config)#access-list 101 permit tcp any any eq 80 time-range WEEKENDS
R2(config)#interface Ethernet0/0
R2(config-if)#ip access-group 101 out
From a configuration point of view:
Step 1 - Configure a time range that defines the period you want to permit.
Step 2 - Write an ACL that references the time range.
Step 3 - Apply the ACL under the interface with the ip access-group command.
If you want, you can also specify exact dates and hours. For example: Monday to Friday,
allow Internet use only from 2:00 PM to 6:30 PM.
From July 1 until August 26, on weekdays from 9:00 AM to 5:00 PM, do not allow Internet
use. Patterns like these can be written as well. Study the example below.
R1
R1(config)#time-range ALLOWED_INTERNET
R1(config-time-range)#periodic weekdays 14:00 to 18:30
R1(config-time-range)#exit
R1(config)#time-range DENIED_INTERNET
R1(config-time-range)#absolute start 00:00 20 July 2018 end 23:59 26 August 2018
R1(config-time-range)#periodic weekdays 9:00 to 17:00
R1(config-time-range)#exit
R1(config)#access-list 102 deny tcp any any eq 80 time-range DENIED_INTERNET
R1(config)#access-list 102 permit tcp any any eq 80 time-range ALLOWED_INTERNET
R1(config)#interface Ethernet0/0
R1(config-if)#ip access-group 102 out
Verification
R1#show access-lists
Extended IP access list 102
10 deny tcp any any eq www time-range DENIED_INTERNET (inactive)
20 permit tcp any any eq www time-range ALLOWED_INTERNET (inactive)
R1#
When you check with show access-lists, you will see that the ACL entries are inactive.
This is because the times written in the ACL's time ranges do not match the current
time on R1. Check the clock.
R1#sh clock
*08:26:14.315 UTC Thu Mar 29 2018
R1#
R1#clock set 10:00:00 20 August 2018
R1#show clock
10:00:29.268 UTC Mon Aug 20 2018
R1#
R1#show access-lists
Extended IP access list 102
10 deny tcp any any eq www time-range DENIED_INTERNET (active)
20 permit tcp any any eq www time-range ALLOWED_INTERNET (inactive)
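An added check, not part of the original lab: this Python parses show access-lists output like the captures above and reports which entries are bound to an inactive time range. The two sample outputs are constructed from the captures on this page; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: R1's "show access-lists" output before the clock is
# corrected, as shown on this page (both time-range-bound entries inactive).
SHOW_ACL_BEFORE = """\
Extended IP access list 102
    10 deny tcp any any eq www time-range DENIED_INTERNET (inactive)
    20 permit tcp any any eq www time-range ALLOWED_INTERNET (inactive)
"""

# Constructed sample: the same ACL after "clock set 10:00:00 20 August 2018".
SHOW_ACL_AFTER = """\
Extended IP access list 102
    10 deny tcp any any eq www time-range DENIED_INTERNET (active)
    20 permit tcp any any eq www time-range ALLOWED_INTERNET (inactive)
"""

ACL_HEADER = re.compile(r"^(Standard|Extended) IP access list (\S+)")
ACE_LINE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<rest>.*?)"
    r"(?:\s+time-range\s+(?P<range>\S+)\s+\((?P<state>active|inactive)\))?"
    r"(?:\s+\(\d+ match(?:es)?\))?\s*$"      # optional hit counter on real output
)


@dataclass
class Ace:
    acl: str
    seq: int
    action: str
    criteria: str
    time_range: Optional[str]
    active: bool          # an entry with no time-range is always active


def parse_show_access_lists(text: str) -> List[Ace]:
    """Parse IOS 'show access-lists' output into one record per entry."""
    entries: List[Ace] = []
    current: Optional[str] = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            continue
        m = ACE_LINE.match(line)
        if m and current is not None:
            rng = m.group("range")
            entries.append(Ace(
                acl=current,
                seq=int(m.group("seq")),
                action=m.group("action"),
                criteria=m.group("rest").strip(),
                time_range=rng,
                active=rng is None or m.group("state") == "active",
            ))
    return entries


def enforced_entries(entries: List[Ace]) -> List[Ace]:
    """Entries the router is matching right now, in sequence order."""
    return [e for e in entries if e.active]


def dormant_entries(entries: List[Ace]) -> List[Ace]:
    """Entries bound to an inactive time-range: present but not enforced."""
    return [e for e in entries if not e.active]


def fails_closed(entries: List[Ace]) -> bool:
    """True when no permit is active, so the implicit deny drops everything.
    This is the state R1 is in above while its clock is wrong."""
    return not any(e.action == "permit" for e in enforced_entries(entries))


if __name__ == "__main__":
    for label, text in (("before clock set", SHOW_ACL_BEFORE),
                        ("after clock set", SHOW_ACL_AFTER)):
        entries = parse_show_access_lists(text)
        print(label, "dormant:", [e.seq for e in dormant_entries(entries)],
              "fails closed:", fails_closed(entries))
```

While both entries are inactive, ACL 102 contains no active permit, so the implicit deny drops all traffic leaving E0/0. After the clock is set to 10:00 on a Monday the deny becomes active but the permit still is not (14:00 to 18:30 has not started), so the policy still fails closed; an operator who only checks that the deny line is active would miss that.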
Task 2
Configure R2 using the following policy:
Outgoing Telnet traffic should be denied only between 11:00 AM and 2:00 PM, Monday to Friday.
Outgoing HTTP traffic should be denied Monday to Friday between 9:00 AM and 2:00 PM,
from March 29th 2018 to April 24th 2018.
Any other traffic should be denied. Ensure that the access-list is applied outbound on
the E0/0 interface.
Task 2 Solution
R2
R2(config)#time-range AMS_TELNET
R2(config-time-range)#periodic weekdays 11:00 to 14:00
R2(config-time-range)#exit
R2(config)#time-range AMS_HTTP
R2(config-time-range)#absolute start 00:00 29 March 2018 end 23:59 24 April 2018
R2(config-time-range)#periodic weekdays 9:00 to 14:00
R2(config-time-range)#exit
R2(config)#access-list 102 deny tcp any any eq 23 time-range AMS_TELNET
R2(config)#access-list 102 permit tcp any any eq 23
R2(config)#access-list 102 deny tcp any any eq www time-range AMS_HTTP
R2(config)#access-list 102 permit tcp any any eq 80
R2(config)#interface Ethernet0/0
R2(config-if)#ip access-group 102 out
Verification
R2#show access-lists
Extended IP access list 102
10 deny tcp any any eq telnet time-range AMS_TELNET (inactive)
20 permit tcp any any eq telnet
30 deny tcp any any eq www time-range AMS_HTTP (active)
40 permit tcp any any eq www
R2#
The ACL entry for Telnet is inactive, so let's check the clock.
R2#show clock
*09:23:08.361 EET Thu Mar 29 2018
R2(config)#clock timezone UTC 6 30
The clock is changed to the Yangon (YGN) time zone. Check again; it should now be fine.
R2#show access-lists
Extended IP access list 102
10 deny tcp any any eq telnet time-range AMS_TELNET (active)
20 permit tcp any any eq telnet
30 deny tcp any any eq www time-range AMS_HTTP (active)
40 permit tcp any any eq www
R2#
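An added model, not part of the original lab and not Cisco's code, of the rule behind both Verification sections: a time-range is active only when the router's local clock falls inside its absolute window (if one is set) and inside at least one of its periodic windows (if any are set). It reproduces the (active)/(inactive) states seen on R1 and R2, and shows why changing R2's time zone offset flips AMS_TELNET. It assumes R2's "EET" capture was taken with the zone configured as UTC+2, so the same instant reads 13:53 once the offset becomes +6:30; DENIED_INTERNET and AMS_HTTP are modelled with the periodic windows the prose and the Task 2 policy describe. The function names are this example's own.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical model of how IOS decides whether a time-range is active
# (written for this lab, not Cisco's code). A range is active when the
# router's local clock is inside the absolute window, if one is set, AND
# inside at least one periodic window, if any are set.

WEEKDAYS: Set[int] = {0, 1, 2, 3, 4}   # Monday..Friday, datetime.weekday() numbering
WEEKEND: Set[int] = {5, 6}             # Saturday, Sunday


@dataclass
class Periodic:
    days: Set[int]
    start: time
    end: time                   # inclusive, so 23:59 covers the rest of the day


@dataclass
class TimeRange:
    name: str
    absolute: Optional[Tuple[datetime, datetime]] = None
    periodic: List[Periodic] = field(default_factory=list)

    def is_active(self, now: datetime) -> bool:
        if self.absolute is not None:
            start, end = self.absolute
            if not start <= now <= end:
                return False
        if not self.periodic:
            return True
        clock = now.time().replace(second=0, microsecond=0)
        return any(now.weekday() in p.days and p.start <= clock <= p.end
                   for p in self.periodic)


def task1_basic_ranges() -> List[TimeRange]:
    """WEEKDAYS for R1 and WEEKENDS for R2, as Task 1 intends them."""
    all_day = (time(0, 0), time(23, 59))
    return [TimeRange("WEEKDAYS", periodic=[Periodic(WEEKDAYS, *all_day)]),
            TimeRange("WEEKENDS", periodic=[Periodic(WEEKEND, *all_day)])]


def task1_extended_ranges() -> List[TimeRange]:
    """ALLOWED_INTERNET (weekdays 14:00-18:30) and DENIED_INTERNET (weekdays
    09:00-17:00, only between the absolute dates of the R1 example)."""
    return [
        TimeRange("ALLOWED_INTERNET",
                  periodic=[Periodic(WEEKDAYS, time(14, 0), time(18, 30))]),
        TimeRange("DENIED_INTERNET",
                  absolute=(datetime(2018, 7, 20, 0, 0), datetime(2018, 8, 26, 23, 59)),
                  periodic=[Periodic(WEEKDAYS, time(9, 0), time(17, 0))]),
    ]


def task2_ranges() -> List[TimeRange]:
    """AMS_TELNET and AMS_HTTP as the Task 2 policy states them."""
    return [
        TimeRange("AMS_TELNET",
                  periodic=[Periodic(WEEKDAYS, time(11, 0), time(14, 0))]),
        TimeRange("AMS_HTTP",
                  absolute=(datetime(2018, 3, 29, 0, 0), datetime(2018, 4, 24, 23, 59)),
                  periodic=[Periodic(WEEKDAYS, time(9, 0), time(14, 0))]),
    ]


def reclock(local: datetime, old_offset: timedelta, new_offset: timedelta) -> datetime:
    """The same instant as displayed after 'clock timezone' changes the UTC
    offset: the underlying time does not move, only its local rendering."""
    return local - old_offset + new_offset


def report(ranges: List[TimeRange], now: datetime) -> Dict[str, str]:
    """Mirror the (active)/(inactive) tags that 'show access-lists' prints."""
    return {r.name: "active" if r.is_active(now) else "inactive" for r in ranges}


if __name__ == "__main__":
    # Task 1: the lab's default clock, then after "clock set 10:00:00 20 August 2018".
    print(report(task1_extended_ranges(), datetime(2018, 3, 29, 8, 26)))
    print(report(task1_extended_ranges(), datetime(2018, 8, 20, 10, 0)))
    # Task 2: R2 shows 09:23 EET (assumed configured as UTC+2); after
    # "clock timezone UTC 6 30" the same instant reads 13:53 local time.
    eet = datetime(2018, 3, 29, 9, 23)
    mmt = reclock(eet, timedelta(hours=2), timedelta(hours=6, minutes=30))
    print(report(task2_ranges(), eet), report(task2_ranges(), mmt))
```

Two points the model makes visible. At 15:00 on a weekday inside the absolute window both R1 ranges are active at once; the deny at sequence 10 is then evaluated before the permit at 20, so HTTP is blocked, which is what the ordering of ACL 102 intends. And clock timezone only changes how the clock is rendered, yet time ranges are evaluated against that rendered local time, so a wrong offset silently shifts every window by the same amount.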