IOS-XE time-based ACL

  • Post category: IOS-XE

Cisco IOS-XE routers and switches can activate individual entries of an extended Access Control List (ACL) only during specified times and days of the week. The time-range is evaluated against the device's local clock, so the device must have a reliable NTP time source and the correct timezone; otherwise the ACL opens and closes at the wrong times. This post covers the IOS-XE configuration needed for time-based ACLs: DNS and NTP, time-range objects, the ACL itself, and how to verify that the right entries are active.

Configuration

NTP Server

When using a time-based ACL it is critical that the local switch/router clock is accurate. In this example a public NTP pool is used to synchronise the time; an internal NTP server works just as well. Because the NTP servers are referenced by FQDN, DNS must also be configured so the device can resolve the names to IP addresses. Bear in mind that anyone who can move the clock (for example by spoofing an unauthenticated NTP source on the path) can shift the ACL windows, so in production prefer an internal, authenticated NTP source over an open pool.

ip name-server 208.67.220.220
ip domain-lookup source-interface gi0/1

To confirm DNS is working correctly, ping www.google.com and confirm the FQDN is translated to the IP address.

R2#ping www.google.com
Translating "www.google.com"...domain server (208.67.220.220) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.180.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 13/13/14 ms

Time ranges are matched against local time, so the timezone must be correct. For the UK configure GMT with no fixed offset and let the device apply British Summer Time automatically; a fixed +1 offset labelled GMT is correct in summer but an hour out from late October to late March, which moves every time-range by an hour.

clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00

Configure the public NTP servers, ideally by FQDN so the pool can rotate addresses without a configuration change.

ntp server 1.uk.pool.ntp.org
ntp server 0.uk.pool.ntp.org

Once configured, run show ntp associations to confirm the device has associated with the NTP servers; the server the device is synchronised to is marked with an asterisk.

Run show ntp status to confirm the clock is synchronised, and show clock detail to confirm the time is correct and that the time source is reported as NTP rather than the hardware clock or a manually set clock.

Access Control List

Create time-range objects. A periodic range repeats on the given days and hours; an absolute range has a fixed start and end date/time.

time-range WEEKDAYS
 periodic weekdays 8:00 to 18:00
time-range WEEKENDS
 periodic weekend 0:00 to 23:59

Configure an extended ACL to permit the required traffic. In this example:

  • OSPF, DNS and ICMP are permitted at all times to/from any source/destination
  • TCP/80 and TCP/443 are allowed from 10.10.0.0/16 on weekends only
  • Telnet is permitted on weekdays between 08:00 and 18:00 only
  • Any traffic that does not match the above is denied and logged.

ip access-list extended TIME-ACL
 permit ospf any any
 permit udp any any eq domain
 permit icmp any any
 permit tcp 10.10.0.0 0.0.255.255 any eq www time-range WEEKENDS log
 permit tcp 10.10.0.0 0.0.255.255 any eq 443 time-range WEEKENDS log
 permit tcp any any eq telnet time-range WEEKDAYS log
 deny ip any any log

Apply the ACL inbound on the interface the client networks connect to. Make sure the device's own NTP and DNS replies do not arrive through this interface, or permit them explicitly; if the ACL silently drops NTP, the clock drifts and the time ranges eventually open or close at the wrong times.

interface GigabitEthernet0/0
 ip access-group TIME-ACL in
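To check the policy before applying it, the following Python model (an added example, not part of the original post and not a Cisco tool) parses the time-ranges and ACL above exactly as shown and performs first-match evaluation against a given local time, skipping ACEs whose time-range is inactive just as the router does. It supports only the syntax used on this page (any/host/wildcard addresses, eq destination ports, periodic ranges) and is not a substitute for the router's own show ip access-lists output. The SUNDAY and FRIDAY timestamps are the ones from the logs in the verification section below.

```python
"""Offline model of IOS-XE time-based ACL evaluation (added example).

Parses the time-range and extended ACL syntax used in the post and evaluates
a flow at a given local time, first match wins, with an implicit deny at the
end. Only the subset of syntax on the page is supported.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import ipaddress

# Constructed input: the time-ranges and ACL from the post, as pasted into
# configuration mode.
CONFIG = """
time-range WEEKDAYS
 periodic weekdays 8:00 to 18:00
time-range WEEKENDS
 periodic weekend 0:00 to 23:59
ip access-list extended TIME-ACL
 permit ospf any any
 permit udp any any eq domain
 permit icmp any any
 permit tcp 10.10.0.0 0.0.255.255 any eq www time-range WEEKENDS log
 permit tcp 10.10.0.0 0.0.255.255 any eq 443 time-range WEEKENDS log
 permit tcp any any eq telnet time-range WEEKDAYS log
 deny ip any any log
"""

# Local-clock timestamps taken from the log lines in the post.
SUNDAY = datetime(2024, 9, 29, 10, 55)   # 29 Sep 2024 is a Sunday
FRIDAY = datetime(2024, 9, 27, 12, 24)   # 27 Sep 2024 is a Friday

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}   # IOS keywords used here
DAY_SETS = {                                           # datetime.weekday(): Mon=0
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "daily": set(range(7)),
}


@dataclass
class TimeRange:
    days: set
    start: tuple   # (hour, minute)
    end: tuple

    def active(self, when: datetime) -> bool:
        """True when the range covers the given local time (end is inclusive)."""
        return when.weekday() in self.days and self.start <= (when.hour, when.minute) <= self.end


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    time_range: Optional[str]


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' and return (network, rest).
    ipaddress accepts an IOS wildcard directly as a host mask (10.10.0.0/0.0.255.255 -> /16)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({range_name: TimeRange}, [Ace, ...]) with ACEs numbered 10, 20, 30 ... as IOS does."""
    ranges, aces, seq, current_range = {}, [], 0, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "time-range":
            current_range = t[1]
        elif t[0] == "periodic":                 # periodic <days> H:MM to H:MM
            start = tuple(int(x) for x in t[2].split(":"))
            end = tuple(int(x) for x in t[4].split(":"))
            ranges[current_range] = TimeRange(DAY_SETS[t[1]], start, end)
        elif t[0] in ("permit", "deny"):
            seq += 10
            src, rest = parse_addr(t[2:])
            dst, rest = parse_addr(rest)
            dport = tr = None
            while rest:                          # 'eq' is treated as destination port; 'log' ignored
                tok = rest.pop(0)
                if tok == "eq":
                    p = rest.pop(0)
                    dport = PORT_NAMES.get(p) or int(p)
                elif tok == "time-range":
                    tr = rest.pop(0)
            aces.append(Ace(seq, t[0], t[1], src, dst, dport, tr))
    return ranges, aces


def evaluate(ranges, aces, when, proto, src, dst, dport=None):
    """First-match evaluation; returns (action, seq). An ACE whose time-range is
    outside its window is skipped, as IOS shows it '(inactive)'. Falls to implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.time_range and not ranges[ace.time_range].active(when):
            continue
        if ace.proto not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.seq
    return "deny", None


if __name__ == "__main__":
    r, a = parse_config(CONFIG)
    for when, p, sip, port in [(SUNDAY, "tcp", "192.168.252.2", 80), (SUNDAY, "tcp", "10.10.0.1", 80),
                               (SUNDAY, "tcp", "192.168.252.2", 23), (FRIDAY, "tcp", "192.168.252.2", 23)]:
        print(when, p, sip, port, "->", evaluate(r, a, when, p, sip, "8.8.8.8", port))
```

Running the script reproduces the four results in the verification section: deny (ACE 70) for 192.168.252.2 on a Sunday, permit (ACE 40) for 10.10.0.1 on tcp/80 on a Sunday, deny for telnet on a Sunday, and permit (ACE 60) for telnet on a Friday. Pass the router's local time, not UTC, as `when`; that is the same reason the timezone configuration above matters.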

Testing/Verification

In the first test we access the internet on tcp/80 from 192.168.252.2. This fails: the source network is not explicitly permitted, so the packet falls through to the final deny ACE (#70) and is logged.

*Sep 29 10:55:00.024: %SEC-6-IPACCESSLOGP: list TIME-ACL denied tcp 192.168.252.2(34606) -> 8.8.8.8(80), 1 packet

Accessing the internet on tcp/80 from 10.10.0.1 is permitted: the connection is made on a weekend (29 Sep 2024 is a Sunday) from a source within 10.10.0.0/16, so it matches ACE #40. On a weekday ACE #40 would be inactive, the packet would not match it, and it would instead hit the deny rule.

*Sep 29 10:55:09.123: %SEC-6-IPACCESSLOGP: list TIME-ACL permitted tcp 10.10.0.1(33396) -> 8.8.8.8(80), 1 packet

Telnet to any IP address is denied on a weekend, because the telnet ACE is only active on weekdays:

Sep 29 11:03:30.286: %SEC-6-IPACCESSLOGP: list TIME-ACL denied tcp 192.168.252.2(23009) -> 8.8.8.8(23), 1 packet

In the output of show ip access-list TIME-ACL the telnet ACE #60 is marked (inactive), because according to the router's clock it is currently the weekend; inactive ACEs are skipped during matching, so the telnet packet reaches the deny ACE.

For testing, remove the NTP servers and manually set the clock to a weekday (27 Sep 2024 is a Friday). With NTP still configured the manual setting would be overwritten at the next synchronisation.

R2(config)# no ntp server 1.uk.pool.ntp.org
R2(config)# no ntp server 0.uk.pool.ntp.org
R2#clock set 12:05:00 27 Sep 2024

The output of show ip access-list TIME-ACL now shows the telnet ACE #60 as active and ACEs #40 and #50 as (inactive).

Telnet again; the log confirms the packet is now permitted by ACE #60. Remember to restore the ntp server lines once testing is complete.

Sep 27 12:24:31.278: %SEC-6-IPACCESSLOGP: list TIME-ACL permitted tcp 192.168.252.2(56731) -> 8.8.8.8(23), 1 packet