Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-Time range configuration | 64.48 KB |
Contents
Restrictions and guidelines: Time range configuration
Specifying a tenant for a time range
Display and maintenance commands for time ranges
Time range configuration examples
Example: Configuring a time range
Configuring time ranges
About time ranges
You can implement a service based on the time of the day by applying a time range to it. A time-based service takes effect only in time periods specified by the time range. For example, you can implement time-based ACL rules by applying a time range to them.
The following basic types of time ranges are available:
· Periodic time range—Recurs periodically on a weekly or monthly basis.
· Absolute time range—Represents only a period of time and does not recur.
The active period of a time range is calculated as follows:
1. Combining all periodic statements.
2. Combining all absolute statements.
3. Taking the intersection of the two statement sets as the active period of the time range.
Restrictions and guidelines: Time range configuration
When you configure the ACL hardware mode, follow these restrictions and guidelines:
· If a time range does not exist, the service based on the time range does not take effect.
· You can create a maximum of 1024 time ranges, each with a maximum of 32 periodic statements and 12 absolute statements.
Configuring a time range
1. Enter system view.
system-view
2. Create or edit a time range.
time-range time-range-name { { monthly | weekly } start-day start-time to end-day end-time [ from time1 date1 ] [ to time2 date2 ] | start-time to end-time days [ from time1 date1 ] [ to time2 date2 ] | from time1 date1 [ to time2 date2 ] | to time2 date2 }
If an existing time range name is provided, this command adds a statement to the time range.
3. (Optional.) Configure a description for the time range.
time-range time-range-name description text
By default, a time range does not have a description.
Specifying a tenant for a time range
About this task
In a yundi scenario, a large number of tenants exist, and the controller assigns each tenant a unique tenant ID and deploys tenant IDs and associated time ranges to firewalls through NETCONF. A firewall generates this command based on the deployed information to make the security policy of the tenant take effect only during the time range. If the time range associated with a tenant does not exist, the system creates a new time range.
Restrictions and guidelines
Tenant IDs are typically assigned by the controller. As a best practice, do not configure this feature on the device.
A time range can be associated with only one tenant.
A tenant can be associated with multiple time ranges. The time range that takes effect is the intersection of all the time ranges.
Procedure
1. Enter system view.
system-view
2. Specify a tenant for a time range.
time-range time-range-name yundi alias alias-name tenant tenant-id
By default, a time range does not belong to any tenant. The security policy of the tenant is always in effect.
Display and maintenance commands for time ranges
Execute the display command in any view.
|
Task |
Command |
|
Display time range configuration and status. |
display time-range { time-range-name | all } |
Time range configuration examples
Example: Configuring a time range
Network configuration
As shown in Figure 1, configure an ACL on the device to allow Host A to access the server only during 8:00 and 18:00 on working days from June 2015 to the end of the year.
Procedure
# Create a periodic time range during 8:00 and 18:00 on working days from June 2015 to the end of the year.
<Device> system-view
[Device] time-range work 8:0 to 18:0 working-day from 0:0 6/1/2015 to 24:00 12/31/2015
# Create an IPv4 basic ACL numbered 2001, and configure a rule in the ACL to permit packets only from 192.168.1.2/32 during the time range work.
[Device] acl basic 2001
[Device-acl-ipv4-basic-2001] rule permit source 192.168.1.2 0 time-range work
[Device-acl-ipv4-basic-2001] rule deny source any time-range work
[Device-acl-ipv4-basic-2001] quit
# Apply IPv4 basic ACL 2001 to filter outgoing packets on GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] packet-filter 2001 outbound
[Device-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify that the time range work is active on the device.
[Device] display time-range all
Current time is 13:58:35 6/19/2015 Friday
Time-range : work (Active)
08:00 to 18:00 working-day
from 00:00:00 6/1/2015 to 00:00:00 1/1/2016
