I was going to wait for the NTP part of the course to go through this, but since it looks like the ACL material finishes with this, I will use the time-range command for now rather than synchronizing the network to an NTP server.
A bit of a refresher from CCNA material, but it can’t hurt to get a refresh on subjects when it comes to Cisco. Time-based ACLs are exactly what they sound like: ACLs that are only active during the period of time they are set for. This, however, implies that you have the correct time set on your network device, which is where the “time-range” command comes in.
So you can set multiple time ranges on a router, as each time you enter “time-range (word)” it will drop you into time-range configuration mode. I will work just between R5 and R1 to demonstrate how this works, and have removed the ACLs from the previous lab so we get a fresh start! So we will start on R1 with our time-range setting and explanations:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#time-range ?
WORD Time range name
R1(config)#time-range CCNP ?
<cr>
R1(config)#time-range CCNP
R1(config-time-range)#?
Time range configuration commands:
absolute absolute time and date
default Set a command to its defaults
exit Exit from time-range configuration mode
no Negate a command or set its defaults
periodic periodic time and date
R1(config-time-range)#
As can be seen, we are now in time-range configuration mode, so I did ? to see what our options are, and there are only two we need to concern ourselves with – absolute and periodic.
Absolute time-ranges are static, starting at one fixed time and ending at another with no recurrence options, which makes them not ideal for most situations, but I’ll demonstrate what it looks like with the ? output to show you the modifiers that go with it:
R1(config-time-range)#absolute ?
end ending time and date
start starting time and date
R1(config-time-range)#absolute start ?
hh:mm Starting time
R1(config-time-range)#absolute start 18:00 ?
<1-31> Day of the month
R1(config-time-range)#absolute start 18:00 15 ?
MONTH Month of the year [eg: Jan for January, Jun for June]
R1(config-time-range)#absolute start 18:00 15 Mar ?
<1993-2035> Year
R1(config-time-range)#absolute start 18:00 15 Mar 2017 ?
end ending time and date
<cr>
R1(config-time-range)#absolute start 18:00 15 Mar 2017 end ?
hh:mm Ending time – stays valid until beginning of next minute
R1(config-time-range)#absolute start 18:00 15 Mar 2017 end
A couple of things to note here: after the year 2035, no more timed ACLs according to IOS, so get ’em while the getting is good. Seriously though, it’s very straightforward, and as can be seen at the end there, you can place the end time on the same command or enter it with “absolute end …”, and do note it does stay active until the next minute!
I am not exactly sure what purpose this would serve, unless you perhaps had a consultant coming in at x time and leaving at y time, and don’t want them to access certain things in that range only and be done with it. Either way, that is not our scenario, so let’s move on to periodic time-ranges:
R1(config-time-range)#periodic ?
Friday Friday
Monday Monday
Saturday Saturday
Sunday Sunday
Thursday Thursday
Tuesday Tuesday
Wednesday Wednesday
daily Every day of the week
weekdays Monday thru Friday
weekend Saturday and Sunday
R1(config-time-range)#periodic weekdays ?
hh:mm Starting time
R1(config-time-range)#periodic weekdays 08:00 ?
to ending day and time
R1(config-time-range)#periodic weekdays 08:00 to 17:00 ?
<cr>
R1(config-time-range)#periodic weekdays 08:00 to 17:00
R1(config-time-range)#
I love the options, the simplicity of setting the values, and that Cisco was human enough to put “weekdays” and “weekend” as values so you don’t have to add ranges for each separate weekday or weekend day.
So I set mine with that periodic command, so whatever ACL I apply it to is open for business the same hours I am, M-F 8am-5pm (though we may need to tweak some times on the routers to demonstrate some reactions and output).
So we now have a time range, and here is how to view it:
R1#sh time-range
time-range entry: CCNP (inactive)
periodic weekdays 8:00 to 17:00
R1#
If you have more than one, it will show all of them, but it will also show which ones are active and inactive, which can be a loose way to tell what time it is (or isn’t) on a router on exam day if you are asked what time of day it is on the router. Speaking of time on routers, and since we are in User Exec mode, which really surprised me as this is where it gets configured, let’s set the time for R1 and R5 simultaneously since we are not doing an NTP lab just yet:
R1#clock set ?
hh:mm:ss Current Time
R1#clock set 16:04:00 ?
<1-31> Day of the month
MONTH Month of the year
R1#clock set 16:04:00 15 ?
MONTH Month of the year
R1#clock set 16:04:00 15 Mar ?
<1993-2035> Year
R1#clock set 16:04:00 15 Mar 2017 ?
<cr>
R1#clock set 16:04:00 15 Mar 2017
R1#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:05:02 UTC Fri Mar 1 2002 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R1#
ASR#5
[Resuming connection 5 to r5 … ]
R5#clock set 16:04:00 15 Mar 2017
R5#
*Mar 15 16:04:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:58:24 UTC Wed Mar 15 2017 to 16:04:00 UTC Wed Mar 15 2017, configured from console by console.
R5#
I am not in the UTC time zone, but I will address changing that in the NTP lab, as I have set up IOS devices to be NTP servers for networks and I don’t want to pile extra stuff onto this lab tonight; however, our routers are about as close as I could get them to the correct time.
ONE MAJOR THING TO NOTE, THE CLOCK IS SET IN USER EXEC MODE, NOT GLOBAL CONFIG MODE WHICH I THOUGHT WAS VERY WEIRD, SO WATCH THAT ON EXAM DAY!
Ok, so we have a time range, clocks are set, and we can verify this with a quick “sh clock”:
R1#sh clock
16:08:04.536 UTC Wed Mar 15 2017
R1#
Now let’s make an access-list using this time range, and I’ll make it for telnet to demonstrate how to limit access to routers when “not needed” as though such a thing exists in the real world:
R1(config)#access-list 123 deny ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco’s EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco’s GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
R1(config)#access-list 123 deny tcp ?
A.B.C.D Source address
any Any source host
host A single source host
R1(config)#access-list 123 deny tcp any ?
A.B.C.D Destination address
any Any destination host
eq Match only packets on a given port number
gt Match only packets with a greater port number
host A single destination host
lt Match only packets with a lower port number
neq Match only packets not on a given port number
range Match only packets in the range of port numbers
R1(config)#access-list 123 deny tcp any any ?
ack Match on the ACK bit
dscp Match packets with given dscp value
eq Match only packets on a given port number
established Match established connections
fin Match on the FIN bit
fragments Check non-initial fragments
gt Match only packets with a greater port number
log Log matches against this entry
log-input Log matches against this entry, including input interface
lt Match only packets with a lower port number
neq Match only packets not on a given port number
precedence Match packets with given precedence value
psh Match on the PSH bit
range Match only packets in the range of port numbers
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
R1(config)#access-list 123 deny tcp any any eq ?
<0-65535> Port number
bgp Border Gateway Protocol (179)
chargen Character generator (19)
cmd Remote commands (rcmd, 514)
daytime Daytime (13)
discard Discard (9)
domain Domain Name Service (53)
drip Dynamic Routing Information Protocol (3949)
echo Echo (7)
exec Exec (rsh, 512)
finger Finger (79)
ftp File Transfer Protocol (21)
ftp-data FTP data connections (20)
gopher Gopher (70)
hostname NIC hostname server (101)
ident Ident Protocol (113)
irc Internet Relay Chat (194)
klogin Kerberos login (543)
kshell Kerberos shell (544)
login Login (rlogin, 513)
lpd Printer service (515)
nntp Network News Transport Protocol (119)
pim-auto-rp PIM Auto-RP (496)
pop2 Post Office Protocol v2 (109)
pop3 Post Office Protocol v3 (110)
smtp Simple Mail Transport Protocol (25)
sunrpc Sun Remote Procedure Call (111)
syslog Syslog (514)
tacacs TAC Access Control System (49)
talk Talk (517)
telnet Telnet (23)
time Time (37)
uucp Unix-to-Unix Copy Program (540)
whois Nicname (43)
www World Wide Web (HTTP, 80)
R1(config)#access-list 123 deny tcp any any eq 23 ?
ack Match on the ACK bit
dscp Match packets with given dscp value
established Match established connections
fin Match on the FIN bit
log Log matches against this entry
log-input Log matches against this entry, including input interface
precedence Match packets with given precedence value
psh Match on the PSH bit
rst Match on the RST bit
syn Match on the SYN bit
time-range Specify a time-range
tos Match packets with given TOS value
urg Match on the URG bit
<cr>
R1(config)#access-list 123 deny tcp any any eq 23 time-range ?
WORD Time-range entry name
R1(config)#access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#
LOTS of output, but I wanted to demonstrate a few things, and I’ve also highlighted in red all the commands that I used to create the ACL along the way.
First, I wanted to demonstrate that since it is telnet, I used “tcp” instead of just “ip” traffic, as we don’t need that general of a statement. Next, I used any any because we will be applying this to our VTY lines for telnet access control, so the source and destination can be any, as the connection might come from anywhere to here; no need to split hairs when it’s not needed.
Next, and this is a big one: I’m not sure if this still works, but you used to be able to create an ACL and type eq ? at the end to get a list of port numbers to help you along the test if you forget a certain port number. If you get a simulator or something that allows this, it may be worth doing this once quickly and jotting down some you don’t have committed to memory moving forward through the test; it might just save your ass.
Finally, after eq, I could have put telnet or 23. I personally always use port numbers to keep them fresh in my head, but you can put the service name if listed as well and that is a valid command. Finally, the time-range is added onto the end of the ACL. Now let’s check it out:
R1#sh access-list
Extended IP access list 123
10 deny tcp any any eq telnet time-range CCNP (active)
R1#sh time-range
time-range entry: CCNP (active)
periodic weekdays 8:00 to 17:00
used in: IP ACL entry
R1#sh clock
16:21:50.366 UTC Wed Mar 15 2017
R1#
I was expecting it to say (inactive) there, but I forgot the UTC thing, so let’s go for the final step, which is configuring it for telnet, or more specifically on the VTY line configuration:
R1(config)#line vty 0 4
R1(config-line)#access-group ?
% Unrecognized command
R1(config-line)#access-class ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
R1(config-line)#access-class 123 ?
in Filter incoming connections
out Filter outgoing connections
R1(config-line)#access-class 123 in ?
vrf-also Same access list is applied for all VRFs
<cr>
R1(config-line)#access-class 123 in
R1(config-line)#
(Quick note: at the end of the access-class command, it can be applied to non-global VRF route tables as well, worth noting while on the subject)
I highlighted what I put in and what was correct for a reason, because it’s so easy to mess up like I just did. Access-group is for interfaces, and access-class will always be for applying ACLs to VTY lines. Notice we also had to specify in or out; because this router will be receiving the telnet connections, I specified “in” as my modifier option.
So one more time, access-class = applying ACL to vty lines, followed by ACL # and in/out.
Now that we have this all configured and everything seems to be working great, let’s go to R5 and give our newfound access-list a go:
R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host
R5#
Wow, duh, I put DENY on my ACL. Let me change that and try it again here:
R1(config)#no access-list 123 deny tcp any any eq 23 time-range CCNP
R1(config)#access-list 123 permit tcp any any eq 23 time-range CCNP
R1(config)#
ASR#5
[Resuming connection 5 to r5 … ]
R5#telnet 172.12.15.1
Trying 172.12.15.1 … Open
User Access Verification
Password:
R1>en
Password:
R1#
Works much better when you PERMIT telnet access during the hours you want it available, eh? Now let’s throw a wrench into the mix: while telnet’d into R1, I am going to change the router’s time to be outside the time-range and see if that immediately boots me out:
R1#clock set 22:31:45 15 mar 2017
R1#sh time-range
time-range entry: CCNP (inactive)
periodic weekdays 8:00 to 17:00
used in: IP ACL entry
R1#sh access-list
Extended IP access list 123
10 permit tcp any any eq telnet time-range CCNP (inactive) (2 matches)
R1#
R1#
R1#exit
[Connection to 172.12.15.1 closed by foreign host]
R5#telnet 172.12.15.1
Trying 172.12.15.1 …
% Connection refused by remote host
R5#
There are a couple of very important real-world lessons here:
- ACLs will only block connection attempts after they are set; they will not break existing connections, so we would need to manually clear that VTY line to kick the user out, so to speak – this applies to basically any connection on any firewall in the real world, so keep this very important concept in mind
- This brings up the “no exec-t” command that is great for labs, but if the user never gets kicked out after being idle for so long, they have a loophole around that time-range
- Notice the ACL says (inactive) – that is because the time-range is not engaged and using the ACL at the moment!
I have personally accidentally deleted ACLs that showed inactive because I didn’t know that meant it was on a time-range schedule (or what it meant at all), so do not do as I do: an (inactive) ACL is not an unused ACL!
That completes this post, and I think it about wraps up ACLs; we’ve been using them on other topics, so hopefully CCNP candidates reading this are comfortable with them by now.
Next up is going to be a bit more CCNA-type material, but for thoroughness’ sake you bet your beehive I will write up a quick refresher post on that as well; it’s nice to get a break with basically refresher material right before I hit the BGP section (which I am oddly looking forward to).
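As an added example (not from the original post or from Cisco), here is a small Python model of what the (active)/(inactive) flag in “sh time-range” means for the VTY access-class decision: it parses periodic/absolute time-range lines the way they were entered above, evaluates them against a router clock, and walks the ACL so an inactive permit falls through to the implicit deny, which is the refused telnet we just saw. It assumes the IOS help text’s “stays valid until beginning of next minute” applies to periodic end times too, and that an absolute window bounds any periodic entries.

```python
from datetime import datetime
# "periodic" day keywords -> datetime.weekday() values (Monday = 0)
DAYS = {"monday": [0], "tuesday": [1], "wednesday": [2], "thursday": [3],
        "friday": [4], "saturday": [5], "sunday": [6], "weekdays": [0, 1, 2, 3, 4],
        "weekend": [5, 6], "daily": [0, 1, 2, 3, 4, 5, 6]}

def _minutes(hhmm):                       # "08:00" -> 480
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def _stamp(tokens):                       # ["18:00", "15", "Mar", "2017"] -> datetime
    return datetime.strptime(" ".join(tokens), "%H:%M %d %b %Y")

def parse_time_range(lines):
    """Parse the periodic/absolute lines entered under 'time-range NAME'."""
    periodic, absolute = [], None
    for line in lines:
        p = line.split()
        if p[0] == "periodic":            # periodic weekdays 08:00 to 17:00
            periodic.append((DAYS[p[1].lower()], _minutes(p[2]), _minutes(p[4])))
        elif p[0] == "absolute":          # absolute start hh:mm d Mon yyyy [end ...]
            start = _stamp(p[p.index("start") + 1:][:4]) if "start" in p else None
            end = _stamp(p[p.index("end") + 1:][:4]) if "end" in p else None
            absolute = (start, end)
    return periodic, absolute

def is_active(time_range, now):
    """Assumed semantics: the absolute window bounds everything, periodic entries
    are OR'd inside it, and an end time stays valid until the next minute."""
    periodic, absolute = time_range
    cur = now.replace(second=0, microsecond=0)   # seconds never matter
    if absolute is not None:
        start, end = absolute
        if (start and cur < start) or (end and cur > end):
            return False
    if not periodic:
        return True
    tod = cur.hour * 60 + cur.minute
    return any(cur.weekday() in days and s <= tod <= e for days, s, e in periodic)

def vty_decision(acl, now):
    """Walk acl=[(action, time_range|None)]; an inactive ACE is skipped, implicit deny last."""
    for action, tr in acl:
        if tr is None or is_active(tr, now):
            return action
    return "deny"

# Constructed copy of the lab's final config: time-range CCNP and access-list 123.
CCNP = parse_time_range(["periodic weekdays 08:00 to 17:00"])
ACL_123 = [("permit", CCNP)]              # 10 permit tcp any any eq telnet time-range CCNP
```

Feeding it the two clock values from this lab (16:21:50 and 22:31:45 on Wed Mar 15 2017) gives “permit” and then “deny”, matching the open and refused telnet sessions; note it models only new connection attempts, not the session that stayed up.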
If I don’t see ya, good afternoon, good evening, and good night!