User's Manual

Table Of Contents
Configuration Guide of XGS-5240-Series
55-4
Configuration example:
1) First, configure a timerange, the valid time is the working hours of working day:
Switch(config)#time-range t1
Switch(config-time-range-t1)#periodic weekdays 9:00:00 to 12:00:00
Switch(config-time-range-t1)#periodic weekdays 13:00:00 to 18:00:00
2) Configure the extended acl_a of IP, at working hours it only allows to access the re
source within the internal network (such as 192.168.0.255).
Switch(config)# ip access-list extended vacl_a
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.0.0 0.0.0.255 time-range t
1
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination time-range t1
3) Configure the extended acl_b of IP, at any time it only allows to access resource wi
thin the internal network (such as 192.168.1.255).
Switch(config)#ip access-list extended vacl_b
Switch(config-ip-ext-nacl-vacl_a)# permit ip any-source 192.168.1.0 0.0.0.255
Switch(config-ip-ext-nacl-vacl_a)# deny ip any-source any-destination
4) Apply the configuration to VLAN
Switch(config)#vacl ip access-group vacl_a in vlan 1
Switch(config)#vacl ip access-group vacl_b in vlan 2
55.4 VLAN-ACL Troubleshooting
When VLAN ACL and Port ACL are configured at the same time, the principle of
denying firstly is used. When the packets match VLAN ACL and Port ACL at the s
ame time, as long as one rule is drop, then the final action is drop.
Each ACL of different types can only apply one on a VLAN, such as the basic IP
ACL, each VLAN can applies one only.