Monday, August 24, 2015

Time Based ACL for Cisco Wireless AP Access

Recently I was tasked with setting up two Cisco 1142 APs in autonomous mode with restrictions on access between the hours of 6AM and 11PM.  Anytime outside that range, wireless SSIDs would be on and broadcasting but there would be no traffic allowed out.

After doing some research I have gotten it working and here's how to pull this off.  Pretty simple really.  Make sure before you do this that the time on the APs is set correctly.  I have the two I configured in this example set up to use NTP to pool.ntp.org and verified the time is set correctly.

1.  Create a time range:
     time-range BusinessHours
     periodic weekdays 6:00 to 23:00

2.  Create an ACL:
     ip access-list extended 101
     permit ip any any time-range BusinessHours

3.  Apply the ACL to the appropriate interface:
     interface Dot11Radio0.1 (.1 is the only VLAN configured on these APs on interface 0)
     ip access-group 101 out
     end

4.  Check the work:
     show time-range BusinessHours
     show access-list 101 (this is how it determines the toggle between active and inactive)
     show running-config (verify the ACL is applied to the correct interface)

One thing to make sure of is that you do not apply this config to the Ethernet interface on the AP, because then you will also lose internal communication from the LAN.  By applying it to the Radio interface this only stops traffic coming in via the wireless Radio.
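As an added check (this is example code, not part of the original post), the following Python models the periodic entry used above so you can predict what the ACL bound to it will permit or deny at any timestamp. Day keywords follow IOS; treating the end minute of the range as inclusive, and the function names, are assumptions made here.

```python
"""Predict what an ACL bound to an IOS time-range does at a given moment.

Added example, not from the original post. Day keywords follow IOS; treating
the end minute of a range as inclusive is an assumption made here.
"""
from datetime import datetime, time

DAY_SETS = {"daily": set(range(7)), "weekdays": set(range(5)),
            "weekend": {5, 6}}  # datetime.weekday(): Monday=0 .. Sunday=6
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]


def _hhmm(text):
    """Turn '6:00' or '23:00' into a datetime.time."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def parse_periodic(line):
    """Parse 'periodic <days...> HH:MM to HH:MM' into (days, start, end)."""
    parts = line.split()
    if parts[0] != "periodic" or "to" not in parts:
        raise ValueError("unsupported time-range line: " + line)
    to = parts.index("to")
    days = set()
    for token in parts[1:to - 1]:
        key = token.lower()
        if key in DAY_SETS:
            days |= DAY_SETS[key]
        elif key in DAY_NAMES:
            days.add(DAY_NAMES.index(key))
        else:
            raise ValueError("unknown day keyword: " + token)
    start, end = _hhmm(parts[to - 1]), _hhmm(parts[to + 1])
    if end < start:  # crossing midnight needs a different IOS syntax
        raise ValueError("end before start: " + line)
    return days, start, end

def range_active(entries, when):
    """True if any periodic entry covers `when` (datetime or ISO string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return any(when.weekday() in days and start <= when.time() <= end
               for days, start, end in entries)

def acl_action(entries, when):
    """'permit ip any any time-range X' followed by the implicit deny."""
    return "permit" if range_active(entries, when) else "deny"

# The range from the post: weekends are never listed, so the ACL denies all day.
BUSINESS_HOURS = [parse_periodic("periodic weekdays 6:00 to 23:00")]
```

Because "weekdays" covers Monday to Friday only, the permit entry is inactive all weekend and the implicit deny blocks everything on those days.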

Hope this helps with security on your network OR if you happen to use these at home and have teenagers that don't want to obey bedtime for school.  Works for both.

Good luck.

Thursday, August 06, 2015

Stop Windows 10 Pushing to Domain Computers

Many networks I work on have appeared to be slow the past several days.  After doing some research I found out that Microsoft is pushing Windows 10 to domain joined machines even though they don't qualify for the "free" upgrade.

This is causing many networks internally and their Internet connections to slow to a crawl because of all of the data saturation.

Here's how to shut it off using Group Policy:  (You will need at least one Server 2012R2 Domain Controller for this to work)

The setting is located via [Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update].  The name of the policy is "Turn off upgrade to the latest version of Windows through Windows Update"

Given that these files can be between 2 GB and 3 GB (stored in a hidden folder on the local disk called $Windows.~BT) it is easy to see how this can impact a network of several hundred machines.  My research says this happens without the end user ever seeing the white 'Get Windows 10' flag.

I put this policy in place on our network tonight as researching network traffic through our ASA has proven this to be true.

I like what Microsoft has done with Windows 10 so far but this is taking things a bit too far.


Thursday, July 30, 2015

Windows 8.1 Full Backup Prior to Windows 10 Upgrade

Short and sweet on this one.  Today's post is about backing up Windows 8.1 prior to the Windows 10 upgrade.

Get yourself a large USB drive or a network location with enough room to store the image and run the command below from PowerShell started as Administrator

wbAdmin start backup -backupTarget:D: -include:C: -allcritical -quiet

Make sure you change the backup target drive letter from D: to the letter of your own drive before running the command.  What this does is simple.  It runs Windows Backup (since Microsoft removed the GUI for it in Windows 8/8.1) and performs a full backup for you.

If you want to save your backup to a network location this is the command:

wbAdmin start backup -backupTarget:\\sharedfolder\foldername -user:username -password:userpassword -include:C: -allCritical -quiet

This will kick off the same backup process as above and send it to your network storage instead.

Once the backup completes you can browse the backup location and you'll find some very familiar items: the old WindowsImageBackup folder and the .xml and .vhd files that the Windows 7 backup and restore feature used.

That's all there is to it.  I wish you luck with your Windows 10 upgrade.

Monday, July 27, 2015

Backup Cisco WLC Configuration (Without Cisco Prime)

This article is part of a new mini-series here on my blog as I work toward obtaining my Cisco Wireless 640-722 CCNA certification.

The official way Cisco wants you to do this is to buy and implement Cisco Prime.

One way you can get around this is to use SolarWinds CatTools to send commands to your devices.

Using this I configured a job to connect to the WLC via SSH and push a backup of the config to my TFTP server.  Here's how:


>transfer upload mode tftp
>transfer upload datatype config
>transfer upload filename WLC-Config-Backup_%DateISO%.txt
>transfer upload path .
>transfer upload serverip 192.168.1.5
>transfer upload start

Once you select "Y" to begin the backup you'll see in the text a warning that file encryption is disabled.  SolarWinds CatTools can answer this Y or Yes if needed.  After this the config will push to your TFTP directory.

The variable %DateISO% in the filename command will automatically fill in the date of the file for you.  As of now the freeware version is limited to 5 devices and 5 activities only.

If you need more it can scale up from there.

Sunday, July 19, 2015

Archive Cisco Switch and Router Configs Using TFTP and Configuration Archive

The worst time to realize you don't have a current backup of your switch or router is when that device is having issues or worst case dies and it is actually needed.  For a great comprehensive list of Cisco IOS commands I recommend THIS BOOK.  It's for Amazon Kindle.

Administrators can run a manual backup of the configs, or you can set the device to do this automatically on a schedule or every time you do a "write memory" to save a config change.

Given how easy this is to setup there's no reason for you not to have this on your switches.

Let's dive into how easy this is to setup.

First you'll need a good TFTP server program.  Personally I like the free SolarWinds TFTP Server.  This link is for the Windows version.  You can run it on a server or a workstation if needed.  The price is right, setup is simple, and you'll have this going in a couple of minutes.

Next it's time to setup the switch or router to do the automatic backups for you.

Let's look at a couple of ways to set this up.

The first way is to just backup each time you do a "write memory".  This is my favorite setup as it does not generate unnecessary network traffic and I know that the files on my TFTP server are the latest config as long as they were saved.



R1(config)#archive
R1(config-archive)#path tftp://192.168.1.10/R1-config
R1(config-archive)#write-memory
R1(config-archive)#exit

One detail I add after the IP address and forward slash is the name of the device, so when it creates the automatic backup file I know which device it came from based on the device's host name.

Another way to set this up is to have the backups run daily for you automatically without the need for a manual update.  This setup will archive every day or whenever you do a "write memory" command on the switch.


R1(config)#archive
R1(config-archive)#path tftp://192.168.1.10/R1-config
R1(config-archive)#write-memory
R1(config-archive)#time-period 1440

Now these two methods ensure your switch configs are backed up either as you do a change and save it or automatically each day.

Finally the great thing about these auto backups is you can also restore them using the same functions.  One thing to note is that this command does not merge the settings with what is currently running, it fully replaces it so use caution.


R1# configure replace tftp://192.168.1.10/R1-config-3
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: Y
Loading R1-config-3 !
[OK - 3113/4096 bytes]
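Since configure replace applies every addition and deletion needed to match the archive, it is worth previewing that diff first. The following Python is an added example, not code from the original post: it picks the newest archive by the -N suffix IOS appends to the archive path (R1-config-1, R1-config-2, ...) and lists what a replace would remove from and add to the running config. The two configs and the function names are constructed for the example.

```python
"""Preview what `configure replace` would change before running it.

Added example, not from the original post: picks the newest archive by the
-N suffix IOS appends to the path (R1-config-1, R1-config-2, ...) and lists
the deletions and additions a replace would apply.  Configs are constructed.
"""
import difflib
import re

ARCHIVE_NAME = re.compile(r"^(?P<base>.+)-(?P<n>\d+)$")


def latest_archive(filenames, base="R1-config"):
    """Return the archive file with the highest -N suffix for `base`."""
    best = None
    for name in filenames:
        m = ARCHIVE_NAME.match(name)
        if m and m.group("base") == base:
            n = int(m.group("n"))
            if best is None or n > best[0]:
                best = (n, name)
    return best[1] if best else None


def replace_preview(running, archived):
    """Lines a replace would remove from, and add to, the running config."""
    removed, added = [], []
    for line in difflib.unified_diff(running.splitlines(),
                                     archived.splitlines(), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # skip the unified-diff headers and hunk markers
        if line.startswith("-"):
            removed.append(line[1:])
        elif line.startswith("+"):
            added.append(line[1:])
    return removed, added


# Constructed sample: the running config carries an ACL the archive lacks,
# and the archive carries an NTP server the running config lacks.
RUNNING_CONFIG = "\n".join([
    "hostname R1", "!", "interface GigabitEthernet0/1",
    " ip address 192.168.1.1 255.255.255.0", " ip access-group 101 in", "!",
    "ip route 0.0.0.0 0.0.0.0 192.168.1.254"])
ARCHIVED_CONFIG = "\n".join([
    "hostname R1", "!", "interface GigabitEthernet0/1",
    " ip address 192.168.1.1 255.255.255.0", "!",
    "ip route 0.0.0.0 0.0.0.0 192.168.1.254", "ntp server 192.168.1.5"])
```

Anything listed as removed (here the access-group on the interface) is what you silently lose if the archive is older than your last change, which is the reason to keep the write-memory trigger in place.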