Lab 6.3.3: Time-Range ACL

Objectives:

  • Place a time-range extended ACL for controlling DDR.

Scenario:

The Denver office needs to control what interesting traffic will bring up the ISDN connection so that the link is used only during open hours. Last month they received a bill for $729.00 for ISDN service. You will set up a time-range extended ACL and apply it to the dialer group and the BRI interface so that the link will only be operational during business hours.

This lab is configured to use an NTP server that does not exist in the lab. You will use the clock set command to set the clock manually. The NTP commands are included to show how a router would be configured to use an NTP server.

Notes: 

Lab Tasks:

  1. Cable the lab as shown in the diagram.
  2. Configure the following basic information in the Phoenix router:

    Configure the hostname Phoenix on the router.
    Configure IGRP routing with the AS# 100.
    Configure the enable password to be cisco.
    Configure the Ethernet interface to use the IP address 192.168.2.1/24.
    Configure the ISDN BRI interface switch type and SPIDs. Use the IP address 10.1.1.2/24.

  3. Configure the following basic information in the Denver router:

    Configure the hostname Denver on the router.
    Configure IGRP routing with the AS# 100.
    Configure the enable password to be cisco.
    Configure the Ethernet interface to use the IP address 192.168.2.1/24.
    Configure the ISDN BRI interface switch type and SPIDs. Use the IP address 10.1.1.3/24.
  4. You must permit ISDN traffic only during open hours. The commands to set up the time-range are:

    Denver(config)#no access-list 100
    Denver(config)#time-range only-during-open-hours
    Denver(config-time-range)#absolute start 16:00 28 February 1993
    Denver(config-time-range)#periodic Sunday 16:00 to 17:00
    Denver(config-time-range)#periodic weekdays 7:30 to 17:00
    Denver(config-time-range)#periodic Saturday 8:30 to 12:30


    Note: When this router is powered off, the clock is reset to 16:00 28 February 1993, which is a Sunday. In the event of a power outage the router will therefore have one hour to set its clock from an NTP server. Network Time Protocol (NTP) relies on worldwide time servers that are connected to atomic clocks. The clock on the Cisco router must be set from an NTP server for the time-range ACL to function properly.
  5. The next step is to create a second time-range, denyntp, used to deny NTP traffic. NTP lookup traffic would otherwise trigger the dialer and keep the link up throughout open hours. This time-range will be used to deny NTP during all but one hour of each business day. The commands to do this are:

    Denver(config-time-range)#time-range denyntp
    Denver(config-time-range)#absolute start 16:00 28 February 1993
    Denver(config-time-range)#periodic weekdays 8:30 to 18:00
    Denver(config-time-range)#periodic Saturday 9:30 to 12:30

  6. The next step is to write the access list. The commands to do this are:

    Denver(config)#access-list 100 deny ip any host 255.255.255.255
    Denver(config)#access-list 100 deny icmp any any
    Denver(config)#access-list 100 deny udp host 10.1.1.3 host 128.200.84.2 time-range denyntp
    Denver(config)#access-list 100 permit tcp any any time-range only-during-open-hours
    Denver(config)#access-list 100 permit udp any any time-range only-during-open-hours
    Denver(config)#access-list 100 permit ip any any time-range only-during-open-hours

  7. The next step is to apply the access list to the dialer. The command to do this is:

    Denver(config)#dialer-list 1 protocol ip list 100

  8. The next step is to apply the access list to the BRI interface to stop all existing traffic and therefore bring the dialer down.

    Denver(config)# interface bri 0
    Denver(config-if)#ip access-group 100 in
    Denver(config-if)#ip access-group 100 out

  9. The last step is to set the time zone, daylight saving time, and the NTP server. The commands to do this are:

    Denver(config)#clock timezone PST -8
    Denver(config)#clock summer-time PDT recurring
    Denver(config)#ntp server 128.200.84.2

  10. To test the time-range ACL, write the running-config to memory and reboot. After the router reboots, issue the following commands:

    Denver#show clock    (check the clock to make sure your access list will be in effect)
    Denver#debug ip packet
    Denver#debug dialer
    Denver#ping Phoenix
    Denver#telnet Phoenix

    Record your results below:


  11. To test the time-range ACL again, issue the following commands:

    Denver#clock set 9:00:00 20 JUNE 2000
    Denver#debug ip packet
    Denver#debug dialer
    Denver#ping Phoenix
    Denver#telnet Phoenix

    Record your results below:


  12. Issue the following command to see how many packets have matched the access list and which entries are active:

    Denver#show access-list

    Record your results below:


  13. The final part of the lab is to issue the following commands while the BRI interface is up:

    Denver#ping Phoenix
    Denver#telnet Phoenix
    Denver#show access-list

    Record your results below:
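As an added example that is not part of the lab itself, the following Python model evaluates the two time-ranges and access-list 100 configured above at a chosen clock time, so you can predict what the ping, telnet and show access-list results should look like before you run them on Denver. It assumes that periodic start and end minutes are inclusive and that the absolute start acts as a floor on both ranges; the clock() helper and the sample times are constructed for the example.

```python
from datetime import datetime
# Constructed model of the lab's time-ranges; 'absolute start' is the 16:00 28 Feb 1993 power-on clock.
ABSOLUTE_START = datetime(1993, 2, 28, 16, 0)
WEEKDAYS, SAT, SUN = {0, 1, 2, 3, 4}, {5}, {6}   # datetime.weekday(): Mon=0 .. Sun=6
TIME_RANGES = {            # name -> one (days, start, end) tuple per 'periodic' line
    "only-during-open-hours": [(SUN, "16:00", "17:00"), (WEEKDAYS, "7:30", "17:00"),
                               (SAT, "8:30", "12:30")],
    "denyntp": [(WEEKDAYS, "8:30", "18:00"), (SAT, "9:30", "12:30")],
}
# access-list 100 from the lab: (action, protocol, source, destination, time-range)
ACL_100 = [
    ("deny",   "ip",   "any",      "255.255.255.255", None),
    ("deny",   "icmp", "any",      "any",             None),
    ("deny",   "udp",  "10.1.1.3", "128.200.84.2",    "denyntp"),
    ("permit", "tcp",  "any",      "any",             "only-during-open-hours"),
    ("permit", "udp",  "any",      "any",             "only-during-open-hours"),
    ("permit", "ip",   "any",      "any",             "only-during-open-hours"),
]

def clock(text):                 # stands in for 'clock set': "2000-06-20 09:00" -> datetime
    return datetime.fromisoformat(text)

def _minutes(hhmm):              # "7:30" -> 450
    return 60 * int(hhmm.split(":")[0]) + int(hhmm.split(":")[1])

def range_active(name, when):
    """True if the named time-range is active at `when` (start and end taken as inclusive)."""
    if when < ABSOLUTE_START:
        return False
    now = when.hour * 60 + when.minute
    return any(when.weekday() in days and _minutes(start) <= now <= _minutes(end)
               for days, start, end in TIME_RANGES[name])

def active_ranges(when):         # the ranges 'show time-range' would flag as active
    return sorted(name for name in TIME_RANGES if range_active(name, when))

def acl_action(proto, src, dst, when):
    """First-match walk of access-list 100: inactive time-range entries are skipped; no match means the implicit deny."""
    for action, aproto, asrc, adst, trange in ACL_100:
        if aproto not in ("ip", proto):
            continue
        if (asrc != "any" and asrc != src) or (adst != "any" and adst != dst):
            continue
        if trange is not None and not range_active(trange, when):
            continue
        return action
    return "deny"
if __name__ == "__main__":       # NTP from Denver's BRI address to the lab's NTP server, Tue 20 June 2000
    for when in (clock("2000-06-20 08:00"), clock("2000-06-20 09:00"), clock("2000-06-20 19:00")):
        print(when.strftime("%a %H:%M"), active_ranges(when), acl_action("udp", "10.1.1.3", "128.200.84.2", when))
```

Run as a script it shows the one-hour NTP window at 8:00, the NTP deny at 9:00 while telnet would still be permitted, and the implicit deny after hours.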