Time based ACL’s, configuring time-range and differences in types of ranges, using time-based ACL’s to limit telnet access

[Figure: OSPF_Base_Topology]

I was going to wait for the NTP part of the course to go through this, but since it looks like the ACL material finishes with this, I will use the time-range command for now rather than synchronizing the network to an NTP server.

A bit of a refresher from CCNA material, but it can’t hurt to get a refresh on subjects when it comes to Cisco. Time-based ACLs are exactly what they sound like: ACLs that are only active during the period of time they are set for. This, however, implies that you have the correct time set on your network device, which is where the “time-range” command comes in.

You can set multiple time ranges on a router, as each time you enter “time-range (word)” it drops you into time-range configuration mode. I will work just between R5 and R1 to demonstrate how this works, and have removed the ACLs from the previous lab so we get a fresh start! So we will start on R1 with our time-range setting and explanations:

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#time-range ?
WORD  Time range name

R1(config)#time-range CCNP ?
<cr>

R1(config)#time-range CCNP
R1(config-time-range)#?
Time range configuration commands:
absolute  absolute time and date
default   Set a command to its defaults
exit      Exit from time-range configuration mode
no        Negate a command or set its defaults
periodic  periodic time and date

R1(config-time-range)#

As can be seen, we are now in time-range configuration mode, so I typed ? to see what our options are, and there are only two we need to concern ourselves with: absolute and periodic.

Absolute time-ranges are static, starting at one time and ending at another with no recurrence option, which makes them not ideal for most situations, but I’ll demonstrate what it looks like with the ? output to show you the modifiers that go with it:

R1(config-time-range)#absolute ?
  end    ending time and date
  start  starting time and date

R1(config-time-range)#absolute start ?
  hh:mm  Starting time

R1(config-time-range)#absolute start 18:00 ?
  <1-31>  Day of the month

R1(config-time-range)#absolute start 18:00 15 ?
  MONTH  Month of the year [eg: Jan for January, Jun for June]

R1(config-time-range)#absolute start 18:00 15 Mar ?
  <1993-2035>  Year

R1(config-time-range)#absolute start 18:00 15 Mar 2017 ?
  end  ending time and date
  <cr>

R1(config-time-range)#absolute start 18:00 15 Mar 2017 end ?
  hh:mm  Ending time – stays valid until beginning of next minute

R1(config-time-range)#absolute start 18:00 15 Mar 2017 end

A couple of things to note here: after the year 2035, no more timed ACLs according to IOS, so get ’em while the getting is good. Seriously though, it’s very straightforward, and as can be seen at the end there, you can place the end time on the same command or enter it separately with “absolute end …”, and do note it stays active until the beginning of the next minute!

I am not exactly sure what purpose this would serve unless you perhaps had a consultant coming in at x time and leaving at y time, and didn’t want them to access certain things in that range only and be done with it. Either way, that is not our scenario, so let’s move on to periodic time-ranges:

R1(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday

R1(config-time-range)#periodic weekdays ?
  hh:mm  Starting time

R1(config-time-range)#periodic weekdays 08:00 ?
  to  ending day and time

R1(config-time-range)#periodic weekdays 08:00 to 17:00 ?
  <cr>

R1(config-time-range)#periodic weekdays 08:00 to 17:00
R1(config-time-range)#

I love the options, the simplicity of setting the values, and that Cisco was human enough to put “weekdays” and “weekend” as values so you don’t have to add ranges for each separate weekday or weekend day.

So I set mine with that periodic command, so whatever ACL I apply it to is open for business the same time I am, M-F 8am-5pm (though we may need to tweak some times on the routers to demonstrate some reactions and output).
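To make the activation rules concrete, here is an added Python model of how a periodic and an absolute time-range decide whether they are active at a given router clock value. It is an illustration written for this post, not IOS code; the function and constant names are invented, it only covers periodic ranges that start and end on the same day, and it applies the “stays valid until beginning of next minute” rule from the CLI help, so a range ending at 17:00 is still active at 17:00:59.

```python
from datetime import datetime, timedelta

# Day sets as the IOS "periodic" keywords offer them (Python: Monday == 0).
DAY_KEYWORDS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "Monday": {0}, "Tuesday": {1}, "Wednesday": {2}, "Thursday": {3},
    "Friday": {4}, "Saturday": {5}, "Sunday": {6},
}


def _hhmm_to_minutes(hhmm):
    """'17:00' -> 1020 (minutes since midnight)."""
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_absolute(text):
    """Parse the 'hh:mm DD Mon YYYY' form the absolute command takes."""
    return datetime.strptime(text, "%H:%M %d %b %Y")


def parse_clock(text):
    """Parse a 'hh:mm:ss DD Mon YYYY' value as typed into clock set."""
    return datetime.strptime(text, "%H:%M:%S %d %b %Y")


def periodic_active(days, start, end, now):
    """True when `now` is inside 'periodic <days> <start> to <end>'.

    Hypothetical helper; covers ranges that start and end on the same day.
    The end minute is inclusive: 17:00 keeps the range active until
    17:00:59, the "stays valid until beginning of next minute" behaviour.
    """
    if now.weekday() not in DAY_KEYWORDS[days]:
        return False
    current = now.hour * 60 + now.minute
    return _hhmm_to_minutes(start) <= current <= _hhmm_to_minutes(end)


def absolute_active(start, end, now):
    """True when `now` is inside 'absolute [start ...] [end ...]'.

    `start`/`end` are datetimes or None (IOS lets you omit either one).
    The end minute is inclusive, as for periodic ranges.
    """
    if start is not None and now < start:
        return False
    if end is not None and now >= end + timedelta(minutes=1):
        return False
    return True


def acl_entry_state(active):
    """The tag `show access-list` prints after an ACE that uses a time-range."""
    return "active" if active else "inactive"


if __name__ == "__main__":
    # Clock values taken from the post's show clock / clock set output, run
    # against the post's 'periodic weekdays 08:00 to 17:00' range.
    for stamp in ("16:21:50 15 Mar 2017", "22:31:45 15 Mar 2017"):
        now = parse_clock(stamp)
        state = acl_entry_state(periodic_active("weekdays", "08:00", "17:00", now))
        print(f"{stamp}: time-range CCNP ({state})")
    # Constructed absolute window for comparison (not from the post).
    start, end = parse_absolute("18:00 15 Mar 2017"), parse_absolute("20:00 15 Mar 2017")
    print(absolute_active(start, end, parse_clock("20:00:30 15 Mar 2017")))
```

Running it reproduces the post’s two results, (active) at 16:21:50 and (inactive) at 22:31:45 on Wednesday 15 March 2017, and the absolute check shows why the inclusive end minute matters when you compare a range against a clock that carries seconds.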

So we now have a time range, and here is how to view it:

R1#sh time-range
time-range entry: CCNP (inactive)
   periodic weekdays 8:00 to 17:00
R1#

If you have more than one it will show all of them, and it will also show which ones are active and inactive, which can loosely be a way to tell what time it is or isn’t on a router on exam day if asked what time of day it is on the router. Speaking of time on routers, and since we are in User Exec mode, which really surprised me, this is where it gets configured, let’s set the time for R1 and R5 simultaneously since we are not doing an NTP lab just yet:

R1#clock set ?
  hh:mm:ss  Current Time

R1#clock set 16:04:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year

R1#clock set 16:04:00 15 ?
  MONTH  Month of the year

R1#clock set 16:04:00 15 Mar ?
  <1993-2035>  Year

R1#clock set 16:04:00 15 Mar 2017 ?
  <cr>

R1#clock set 16:04:00 15 Mar 2017
R1#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:05:02 UTC Fri Mar 1 2002 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R1#
ASR#5
[Resuming connection 5 to r5 … ]

R5#clock set 16:04:00 15 Mar 2017
R5#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:58:24 UTC Wed Mar 15 2017 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R5#

I am not in the UTC time zone, but I will address changing that in the NTP lab, as I have set up IOS devices to be NTP servers for networks and I don’t want to pile extra stuff onto this lab tonight; however, our routers are about as close as I could get them to the correct time.

ONE MAJOR THING TO NOTE, THE CLOCK IS SET IN USER EXEC MODE, NOT GLOBAL CONFIG MODE WHICH I THOUGHT WAS VERY WEIRD, SO WATCH THAT ON EXAM DAY!

Ok, so we have a time range, clocks are set, and we can verify this with a quick “sh clock”:

R1#sh clock
16:08:04.536 UTC Wed Mar 15 2017
R1#

Now let’s make an access-list using this time range, and I’ll make it for telnet to demonstrate how to limit access to routers when “not needed” as though such a thing exists in the real world:


R1(config)#access-list 123 deny ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco’s EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco’s GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

R1(config)#access-list 123 deny tcp ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

R1(config)#access-list 123 deny tcp any ?
  A.B.C.D  Destination address
  any      Any destination host
  eq       Match only packets on a given port number
  gt       Match only packets with a greater port number
  host     A single destination host
  lt       Match only packets with a lower port number
  neq      Match only packets not on a given port number
  range    Match only packets in the range of port numbers

R1(config)#access-list 123 deny tcp any any ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  eq           Match only packets on a given port number
  established  Match established connections
  fin          Match on the FIN bit
  fragments    Check non-initial fragments
  gt           Match only packets with a greater port number
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  lt           Match only packets with a lower port number
  neq          Match only packets not on a given port number
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  range        Match only packets in the range of port numbers
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

R1(config)#access-list 123 deny tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  syslog       Syslog (514)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

R1(config)#access-list 123 deny tcp any any eq 23 ?
  ack          Match on the ACK bit
  dscp         Match packets with given dscp value
  established  Match established connections
  fin          Match on the FIN bit
  log          Log matches against this entry
  log-input    Log matches against this entry, including input interface
  precedence   Match packets with given precedence value
  psh          Match on the PSH bit
  rst          Match on the RST bit
  syn          Match on the SYN bit
  time-range   Specify a time-range
  tos          Match packets with given TOS value
  urg          Match on the URG bit
  <cr>

R1(config)#access-list 123 deny tcp any any eq 23 time-range ?
  WORD  Time-range entry name

R1(config)#access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#

LOTS of output, but I wanted to demonstrate a few things, and I’ve also highlighted in red all the commands that I used to create the ACL along the way.

First I wanted to demonstrate that since it is telnet, I used “tcp” instead of just “ip” traffic, as we don’t need that general a statement. Next I used any any because we will be applying this to our VTY lines for telnet access control, so the source and destination can be any, as the connection might come from anywhere to here, so no need to split hairs when it’s not needed.

Next, and this is a big one: I’m not sure if this still works, but you used to be able to create an ACL and type eq ? at the end to get a list of port numbers to help you along the test if you forget a certain port number. If you get a simulator or something that allows this, it may be worth doing this once quickly and jotting down some you don’t have committed to memory moving forward through the test; it might just save your ass.

Finally, after eq, I could have put telnet or 23; I personally always use port numbers to keep them fresh in my head, but you can put the service name if listed as well and that is a valid command. Then the time-range is added onto the end of the ACL. Now let’s check it out:

R1#sh access-list
Extended IP access list 123
    10 deny tcp any any eq telnet time-range CCNP (active)
R1#sh time-range
time-range entry: CCNP (active)
   periodic weekdays 8:00 to 17:00
   used in: IP ACL entry
R1#sh clock
16:21:50.366 UTC Wed Mar 15 2017
R1#

I was expecting it to say (inactive) there, but I forgot the UTC thing, so let’s go for the final step, which is configuring it for telnet or, more specifically, in the VTY line configuration:

R1(config)#line vty 0 4
R1(config-line)#access-group ?
% Unrecognized command
R1(config-line)#access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name

R1(config-line)#access-class 123 ?
  in   Filter incoming connections
  out  Filter outgoing connections

R1(config-line)#access-class 123 in ?
  vrf-also  Same access list is applied for all VRFs
  <cr>

R1(config-line)#access-class 123 in
R1(config-line)#

(Quick note at the end of the access-class command, it can be applied to non-global VRF route tables as well, worth noting while on the subject)

I highlighted what I put in, and what was correct, for a reason, because it’s so easy to mess up like I just did. Access-group is on interfaces, and access-class will always be for applying ACLs in VTY line configuration. Notice we also had to define in or out, so because this router will be receiving the telnet connections, I specified “in” as my modifier option.

So one more time, access-class = applying ACL to vty lines, followed by ACL # and in/out.

Now that we have this all configured and everything seems to be working great, let’s go to R5 and give our newfound access-list a go:

R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host

R5#

Wow, duh, I put DENY on my ACL. Let me change that and try it again:

R1(config)#no access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#access-list 123 permit tcp any any eq 23 time-range CCNP
R1(config)#
ASR#5
[Resuming connection 5 to r5 … ]

R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open

User Access Verification

Password:
R1>en
Password:
R1#

Works much better when you PERMIT telnet access during the hours you want it available, eh? Now let’s throw a wrench into the mix: while telnetted into R1 I am going to change the router’s time to be outside the time-range and see if that immediately boots me out:

R1#clock set 22:31:45 15 mar 2017
R1#sh time-range
time-range entry: CCNP (inactive)
   periodic weekdays 8:00 to 17:00
   used in: IP ACL entry
R1#sh access-list
Extended IP access list 123
    10 permit tcp any any eq telnet time-range CCNP (inactive) (2 matches)
R1#
R1#
R1#exit

[Connection to 172.12.15.1 closed by foreign host]
R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host

R5#

There are a couple very important real world lessons here:

  • ACLs will only block connection attempts made after they are set; they will not break current connections, so we would need to manually clear that VTY line to kick the user out, so to speak. This applies to basically any connection on any firewall in the real world, so keep this very important concept in mind
  • This brings up the “no exec-t” command that is great for labs, but if the user never gets kicked out after sitting idle, they have a loophole around that time-range
  • Notice the ACL says (inactive). That is because the time-range is not engaged and using the ACL at the moment!

I have personally accidentally deleted ACLs that showed inactive because I didn’t know that meant it was on a time-range schedule (or what it meant at all), so do not do as I do: an (inactive) ACL is not an unused ACL!
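Since “(inactive)” is so easy to misread as “unused”, here is an added Python helper that parses `show access-list` output and tags each entry before anyone touches it. This is an illustration written for this post, not a Cisco tool; the function names are invented, and the sample output below is constructed to mirror the post’s ACL 123 (ACL 124 is made up for contrast). An entry with a time-range is never a cleanup candidate, whatever its state; only entries with no schedule and zero matches are.

```python
import re

# Constructed sample of `show access-list` output, modelled on the post's
# output (not captured from a real device). ACL 124 is invented for contrast.
SAMPLE_SHOW_ACCESS_LIST = """\
Extended IP access list 123
    10 permit tcp any any eq telnet time-range CCNP (inactive) (2 matches)
Extended IP access list 124
    10 permit tcp any any eq 22
    20 deny ip any any (5 matches)
"""

ACL_HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# One ACE line: sequence, the rule text, optional time-range tag, optional hit count.
ACE_RE = re.compile(
    r"^\s+(?P<seq>\d+)\s+(?P<body>.*?)"
    r"(?:\s+time-range\s+(?P<trange>\S+)\s+\((?P<state>active|inactive)\))?"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def classify_aces(show_output):
    """Tag each ACE so an (inactive) time-range entry is not mistaken for dead config.

    Hypothetical helper. Verdicts:
      scheduled-off : has a time-range that is currently inactive; leave it alone
      scheduled-on  : has a time-range that is currently active
      in-use        : no time-range, non-zero hit counter
      no-matches    : no time-range and zero matches; the only cleanup candidate
    """
    results = []
    acl = None
    for line in show_output.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            acl = header.group(1)
            continue
        ace = ACE_RE.match(line)
        if acl is None or not ace:
            continue
        matches = int(ace.group("matches") or 0)
        if ace.group("trange"):
            verdict = "scheduled-on" if ace.group("state") == "active" else "scheduled-off"
        elif matches:
            verdict = "in-use"
        else:
            verdict = "no-matches"
        results.append({
            "acl": acl,
            "seq": int(ace.group("seq")),
            "ace": ace.group("body"),
            "time_range": ace.group("trange"),
            "matches": matches,
            "verdict": verdict,
        })
    return results


def cleanup_candidates(show_output):
    """ACEs with no schedule and no hits; everything else stays put."""
    return [e for e in classify_aces(show_output) if e["verdict"] == "no-matches"]


if __name__ == "__main__":
    for entry in classify_aces(SAMPLE_SHOW_ACCESS_LIST):
        print(f"ACL {entry['acl']} seq {entry['seq']}: {entry['verdict']}")
```

On the sample, ACL 123 seq 10 comes back as scheduled-off (it still carries 2 matches from the earlier telnet session), ACL 124 seq 10 is the only no-matches entry, and seq 20 is in-use. A zero hit count is itself only a hint, since counters reset on reload or `clear access-list counters`, so even the no-matches list is a review queue, not a delete list.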

That completes this post and I think about wraps up ACLs; we’ve been using them on other topics, so hopefully CCNP candidates reading this are comfortable with them by now.

Next up is going to be a bit more CCNA-type material, but for thoroughness’ sake you bet your beehive I will write up a quick refresher post on that as well; it’s nice to get a break with basically refresher material right before I hit the BGP section (which I am oddly looking forward to).

If I don’t see ya, good afternoon, good evening, and good night!
