CCNA Lab: Time-Based ACLs and Sequence Numbers
Time-based ACLs allow us to block specified traffic during defined time periods. The ACL logic remains the same, but we must identify the time range during which the ACL will be active with the time-range command. We’ll now create a time range allowing the matching addresses to Telnet in from 9:00 AM to 5:00 PM, Monday – Friday.
R1(config)#time-range TELNET_ALLOWED R1(config-time-range)#? Time range configuration commands: absolute absolute time and date default Set a command to its defaults exit Exit from time-range configuration mode no Negate a command or set its defaults periodic periodic time and date R1(config-time-range)#periodic ? Friday Friday Monday Monday Saturday Saturday Sunday Sunday Thursday Thursday Tuesday Tuesday Wednesday Wednesday daily Every day of the week weekdays Monday thru Friday weekend Saturday and Sunday
With the days selected, we’ll enter the start and finish time.
R1(config-time-range)#periodic weekdays ? hh:mm Starting time R1(config-time-range)#periodic weekdays 09:00 ? to ending day and time R1(config-time-range)#periodic weekdays 09:00 to ? hh:mm Ending time - stays valid until beginning of next minute R1(config-time-range)#periodic weekdays 09:00 to 17:00 ? <cr> R1(config-time-range)#periodic weekdays 09:00 to 17:00
Verify with show time-range.
R1#show time-range time-range entry: TELNET_ALLOWED (active) periodic weekdays 9:00 to 17:00
Active means the current system time is in the target range, not that the time range is actually applied. Inactive tells us the current system time is not in the target range.
In the telnet and access lists lab, we wrote a list that allowed a host at 172.12.123.2 to telnet to our router while preventing everyone else from doing so. Here’s the simple network we’re working with:
Let’s add a line to the extended ACL that allows 172.12.123.3 to telnet to R1 while the time range is active. Right now, that ACL looks like this:
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (1 match) 20 deny ip any any (1 match)
This line will definitely be too long for the screen, and when that happens, you’ll see a dollar sign appear as the first character of the line.
R1(config)#ip access-list extended 101 R1(config-ext-nacl)#permit tcp host 172.12.123.3 any eq telnet time-range ? WORD Time-range entry name R1(config-ext-nacl)#$2.123.3 any eq telnet time-range TELNET_ALLOWED
Full command: permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED
All is well according to show ip access-list.
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (4 matches) 20 deny ip any any (1 match) 30 permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED (active)
Well, almost all is well. Our ACL line’s syntax is fine, but it was tacked on to the bottom of the ACL, where it will never be read. Why? Line 20 denies everything. We gotta get Line 30 in front of Line 20.
Let’s take this opportunity to discuss ACL sequence numbers.
Each line of an ACL is assigned a sequence number (SN) by default. The first line is given SN 10, and each subsequent line’s SN increments by 10. These sequence numbers allow us to enter a line and have it placed in the ACL anywhere we like, rather than it always being tacked on at the bottom.
You can assign a sequence number manually, but you can’t reassign a number. Here’s what happens when you try to overwrite a line’s SN simply by giving it a new sequence number.
R1(config)#ip access-list extended 101 R1(config-ext-nacl)#? Ext Access List configuration commands: <1-2147483647> Sequence Number R1(config-ext-nacl)#15 permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED
The router didn’t outright reject my command, but it wasn’t accepted, either. show ip access-list reveals the SN remains unchanged.
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (4 matches) 20 deny ip any any (1 match) 30 permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED (active)
Instead, we need to delete the existing line and then re-enter it with the desired sequene number. Deleting an ACL line is easy — just use the word no in front of the current sequence number. You don’t have to enter the entire line. When it comes to assigning a new SN, I like to go to the middle of the range; that gives you maximum flexibility in case you need to come back and add another line. You’d be surprised how often that happens.
R1(config)#ip access-list extended 101 R1(config-ext-nacl)#no 30 R1(config-ext-nacl)#15 permit tcp host 172.12.123.3 any eq telnet time-range R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (4 matches) 15 permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED (active) 20 deny ip any any (1 match)
The line permitting 172.12.123.3 is now in front of the deny ip any any. Let’s see if R3 can telnet in.
R3#telnet 172.12.123.1 Trying 172.12.123.1 ... Open User Access Verification Password: R1#
Our ACL is a success. I’m sure you want to see what happens when it’s not 9 to 5 on our router, so let me set the clock on R1 manually with clock set.
R1#clock set ? hh:mm:ss Current Time R1#clock set 21:00:00 ? <1-31> Day of the month MONTH Month of the year R1#clock set 21:00:00 Nov ? <1-31> Day of the month R1#clock set 21:00:00 Nov 2 ? <1993-2035> Year R1#clock set 21:00:00 Nov 2 2018 ? <cr> R1#clock set 21:00:00 Nov 2 2018
The time-based ACL line is now inactive.
R1#show ip access-list Extended IP access list 101 10 permit tcp host 172.12.123.2 any eq telnet (4 matches) 15 permit tcp host 172.12.123.3 any eq telnet time-range TELNET_ALLOWED (inactive) (2 matches) 20 deny ip any any (1 match)
Since we’re outside the defined time range for line 15, R3 can no longer telnet in.
R3#telnet 172.12.123.1 Trying 172.12.123.1 ... % Connection refused by remote host
If you need a one-time-only time range rather than a recurring one like the one we just wrote, you can go with the absolute time-range option, where you set the absolute start and end time of the range. If you don’t specify an end time, the line takes effect at the start time and goes on … forever! If you specify only an end time, the line takes effect immediately. Lots of options in this one, so let’s use IOS Help to see all of them.
R1(config)#time-range THURSDAY R1(config-time-range)#? Time range configuration commands: absolute absolute time and date R1(config-time-range)#absolute ? end ending time and date start starting time and date R1(config-time-range)#absolute start ? hh:mm Starting time R1(config-time-range)#absolute start 05:00 ? <1-31> Day of the month R1(config-time-range)#absolute start 05:00 3 ? MONTH Month of the year [eg: Jan for January, Jun for June] R1(config-time-range)#absolute start 05:00 3 Nov ? <1993-2035> Year R1(config-time-range)#absolute start 05:00 3 Nov 2018 ? end ending time and date <cr> R1(config-time-range)#absolute start 05:00 3 Nov 2016 end ? hh:mm Ending time - stays valid until beginning of next minute R1(config-time-range)#absolute start 05:00 3 Nov 2018 end 05:00 ? <1-31> Day of the month R1(config-time-range)#absolute start 05:00 3 Nov 2018 end 05:00 4 ? MONTH Month of the year [eg: Jan for January, Jun for June] R1(config-time-range)#absolute start 05:00 3 Nov 2018 end 05:00 4 Nov ? <1993-2035> Year R1(config-time-range)#absolute start 05:00 3 Nov 2018 end 05:00 4 Nov 2018
The next tutorial in this series reinforces the ACL sequence number knowledge you acquired in this lab. If you’re comfortable with sequence numbers, skip ahead to the ACL placement discussion. Those tutorials will both be posted on August 2, 2018.
Check out these other ACL labs while you’re here, and thanks for making my work part of your success story! — Chris B.