-
Cisco 10000 Series Router Software Configuration Guide
-
About This Guide
-
Broadband Aggregation and Leased-Line Overview
-
Scalability and Performance
-
Configuring Remote Access to MPLS VPN
-
Configuring Multiprotocol Label Switching
-
Configuring the Layer 2 Tunnel Protocol Access Concentrator and Network Server
-
Configuring PPPoE over Ethernet and IEEE 802.1Q VLAN
-
Configuring IP Unnumbered on IEEE 802.1Q VLANs
-
Configuring ATM Permanent Virtual Circuit Autoprovisioning
-
Configuring the Multihop Feature
-
Configuring Address Pools
-
Configuring Local AAA Server, User Database--Domain to VRF
-
Configuring Traffic Filtering
-
Unicast Reverse Path Forwarding
-
Configuring Automatic Protection Switching
-
Configuring IP Multicast
-
Configuring RADIUS Features
-
Cisco 10000 Series Router PXF Stall Monitor
-
SSO - BFD
-
Configuring Link Noise Monitoring
-
Configuring L2 Virtual Private Networks
-
Configuring L2VPN Interworking
-
Configuring Multilink Point-to-Point Protocol Connections
-
Configuring Gigabit EtherChannel Features
-
Configuring IP Version 6
-
Configuring Template ACLs
-
Protecting the Router from DoS Attacks
-
IP Tunneling
-
RADIUS Attributes
-
Glossary
-
Feedback
Table Of Contents
Feature History for IP Receive ACLs
Restrictions for IP Receive ACLs
Configuration Tasks for IP Receive ACLs
Configuration Example for IP Receive ACLs
Feature History for Time-Based ACLs
Restrictions for Time-Based ACLs
Configuration Tasks for Time-Based ACLs
Applying a Time Range to a Numbered Access Control List
Applying a Time Range to a Named Access Control List
Monitoring and Maintaining Time-Based ACLs
Configuration Examples for Time-Based ACLs
Configuring Traffic Filtering
The Cisco 10000 series router provides traffic filtering capabilities using access control lists (ACLs). Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Using ACLs, you can do such things as restrict the contents of routing updates, provide traffic flow control, and provide security for your network.
The Cisco 10000 series router supports the following ACL types and features:
•
Standard and extended ACLs
•
•
•
•
•
For more information about ACLs, see the following documents:
•
•
This chapter describes the following features:
IP Receive ACLs
The IP Receive ACLs feature provides basic filtering capability for traffic that is destined for the router and protects the router from remote intrusions.
To restrict access to the router, you apply a numbered ACL to the ingress interface of the router. You can restrict access to the router to known and trusted sources, and to expected traffic profiles. The IP Receive ACLs feature supports both standard and extended ACLs. The rules for numbered ACLs also apply to the access control entries (ACEs) of the IP receive ACL.
The IP receive ACL filters traffic on the parallel express forwarding engine (PXF) before filtering the packets received by the route processor (RP). This feature protects the router from denial of service (DoS) floods, thereby preventing the flood from degrading the performance of the route processor (RP).
The IP Receive ACLs feature is described in the following topics:
•
•
•
•
Feature History for IP Receive ACLs
12.3(7)XI1
This feature was introduced on the Cisco 10000 series router.
PRE2
Restrictions for IP Receive ACLs
The IP receive ACLs feature has the following restrictions:
•
•
•
•
Configuration Tasks for IP Receive ACLs
To configure the IP Receive ACLs feature, perform the following configuration tasks:
Configuring Receive ACLs
To configure receive ACLs, enter the following commands beginning in global configuration mode:
Verifying Receive ACLs
To verify the configuration of receive ACLs, enter any of the following commands in privileged EXEC mode:
Configuration Example for IP Receive ACLs
Example 12-1 shows how to configure an extended IP receive ACL. The ACEs of this numbered ACL (100) do the following:
•
•
•
•
•
•
Example 12-1 Receive ACL Configuration
ip receive access-list 100access-list 100 deny icmp any any fragmentsaccess-list 100 permit icmp any any echoaccess-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 22access-list 100 permit ospf any any precedence internetaccess-list 100 permit tcp host 10.0.0.1 any eq bgp precedence internetaccess-list 100 deny ip any anyTime-Based ACLs
The Time-based ACLs feature allows the network administrator to define a time range when certain resources may be accessed, thus providing greater control over resource usage.
While functionally similar to extended ACLs, time-based ACLs control access to the router for a specific time period. A time range, identified by a name, defines the specific times of the day and week that the ACL is active. The access control entries (ACEs) reference the time range name, which imposes the time restriction on the ACEs. The time range relies on router's system clock to activate or deactivate an ACE.
Previously, access list statements were always in effect after they were applied to an interface. However, using the time-range command, network administrators can now define when the permit and deny statements in the ACL are in effect. Both named and numbered access lists can reference a time range.
When you create a time range, you can specify both absolute and periodic time entries. The periodic command in time-range configuration mode allows you to specify the days of the week and the time of day that the access control entry (ACE) is active. The absolute command in time-range configuration mode allows you to specify a specific time and date to activate the ACE and a specific time and date to stop processing the ACE. You can specify only one absolute entry for each time range. During ACL processing, the router begins evaluating the time range entry attached to the ACE after it reaches the absolute start time. The router then evaluates the periodic values until the router reaches the absolute end entry. No further processing occurs after the router reaches the absolute end value.
The Tine-based ACLs feature is described in the following topics:
•
•
•
•
•
Feature History for Time-Based ACLs
12.3(7)XI1
This feature was introduced on the Cisco 10000 series router.
PRE2
12.2(28)SB
This feature was integrated into Cisco IOS Release 12.2(28)SB.
PRE2
Restrictions for Time-Based ACLs
The Time-Based ACLs feature has the following restrictions:
•
•
•
Configuration Tasks for Time-Based ACLs
To configure the Time-Based ACLs feature, perform the following configuration tasks:
•
•
Creating a Time Range
To create a time range, enter the following commands beginning in global configuration mode:
Example 12-2 creates a periodic time range named no-http that specifies Monday through Friday from 8:00 a.m. to 6:00 p.m.
Example 12-2 Configuring a Time Range
Router(config)# time-range no-httpRouter(config-time-range)# periodic weekdays 8:00 to 18:00Example 12-3 creates a time range named HTTP that specifies both periodic and absolute values. During ACL processing, the router assumes that the time period begins right now because the absolute command does not specify a start value. The router then evaluates the periodic value, which indicates that the time period is restricted to Monday through Wednesday from 8:00 a.m. to 7:00 p.m. The time period ends on February 6 at 11:59 p.m.
Example 12-3 Configuring a Time Range with Periodic and Absolute Entries
Router(config)# time-range httpRouter(config-t-range)# periodic monday 8:00 to wednesday 19:00Router(config-t-range)# absolute end 23:59 6 February 2000Applying a Time Range to a Numbered Access Control List
To apply a time range to the access control entries (ACEs) of a numbered extended access control list (ACL), enter the following commands beginning in global configuration mode:
Example 12-4 permits SMTP traffic to the access the mail host (128.88.1.2) on Monday through Sunday between the hours of 5:00 a.m. and 11:59 p.m, if the traffic belongs to an already established connection. The example creates the time range named smtp and applies it to the ACE of the extended access list numbered 102. The time-based ACL is then applied to the ingress serial 0 interface.
Example 12-4 Applying a Time Range to a Numbered ACL
Router(config)# time-range smtpRouter(config-time-range)# periodic daily 5:00 to 23:59Router(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 establishedRouter(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25 time-range smtpRouter(config)# interface serial 0Router(config-if)# ip access-group 102 inApplying a Time Range to a Named Access Control List
To apply a time range to a named extended access control list (ACL), enter the following commands beginning in global configuration mode:
Example 12-5 denies FTP traffic on Monday through Sunday between the hours of 9:00 a.m. and 3:00 p.m. The example creates the time range named no-ftp and applies it to the ACE of the extended IP access list named I. The time-based ACL is then applied to the ingress Ethernet 0 interface.
Example 12-5 Applying a Time Range to a Named ACL
Router(config)# time-range no-ftpRouter(config-time-range)# periodic daily 9:00 to 15:00Router(config)# ip access-list extended strictRouter(config-ext-nacl)# deny tcp any any eq 21 time-range no-ftpRouter(config-ext-nacl)# exitRouter(config)# interface ethernet 0Router(config-if)# ip access-group strict inMonitoring and Maintaining Time-Based ACLs
To monitor and maintain time-based ACLs, enter any of the following commands in privileged EXEC mode:
Configuration Examples for Time-Based ACLs
The following example permits Telnet connections from the 10.1.1.0 network to the 172.16.1.0 network on Monday, Wednesday, and Friday during the business hours.
time-range EVERYOTHERDAYperiodic Monday Wednesday Friday 8:00 to 17:00!access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range EVERYOTHERDAY!interface Ethernet0/0ip address 10.1.1.1 255.255.255.0ip access-group 101 inThe following example permits SMTP traffic from all networks to indefinitely access all networks beginning at 12:00 p.m. on January 1, 2001.
time-range foreverabsolute start 12:00 1 January 2001!ip access-list extended alluserspermit tcp any any eq 25 time-range foreverThe following example permits UDP traffic until noon on December 31, 2000. The ACL entry will no longer allow UDP traffic after that date and time.
time-range stop-udpabsolute end 12:00 31 December 2000!ip access-list extended usapermit udp any any time-range stop-udpThe following configuration example permits telnet traffic on Monday, Tuesday, and Friday from 9:00 a.m. and 5:00 p.m.:
time-range telnetperiodic Monday Tuesday Friday 9:00 to 17:00!ip access-list extended camdenpermit tcp any any eq telnet time-range telnetThe following configuration example permits UDP traffic on Saturday and Sunday from 8:00 a.m. on January 1, 1999 to 6:00 p.m. on December 31, 2001:
time-range udpabsolute start 8:00 1 January 1999 end 18:00 31 December 2001periodic weekends 00:00 to 23:59!ip access-list extended boothbaypermit udp any any time-range udp