RE: Time based ACL question

From: MMoniz (ccie2002@tampabay.rr.com)
Date: Sat Sep 27 2003 - 15:13:37 GMT-3


Sounds like a good plan. One question, do you not have HSRP running with
this core router?

In practice I try to use a virtual address for NTP just for this reason.
Usually by the time HSRP fails back over, time is re-synced. At least so
far!!

Good idea though!!

Mike

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Brian McGahan
Sent: Saturday, September 27, 2003 1:52 PM
To: 'Charles Church'; 'CCIE Lab group'
Subject: RE: Time based ACL question

Chuck,

        Sounds like this should work. The router updates the status of
the time-range almost immediately. When you 'show access-lists', you
will see the time range listed as either active or inactive.

access-list 100 permit ip any any time-range 2003
!
time-range 2003
 absolute start 00:01 01 January 2003 end 23:59 31 December 2003

R1#sh access-lists
Extended IP access list 100
    10 permit ip any any time-range 2003 (inactive)
R1#clock set 12:34:56 1 Jan 2003
R1#sh access-lists
Extended IP access list 100
    10 permit ip any any time-range 2003 (active)
R1#clock set 12:34:56 1 Jan 2002
R1#sh access-lists
Extended IP access list 100
    10 permit ip any any time-range 2003 (inactive)
R1#clock set 12:34:56 1 Jan 2003
R1#sh access-lists
Extended IP access list 100
    10 permit ip any any time-range 2003 (active)
R1#clock set 12:34:56 1 Jan 2004
R1#sh access-lists
Extended IP access list 100
    10 permit ip any any time-range 2003 (inactive)

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Charles Church
> Sent: Saturday, September 27, 2003 1:17 PM
> To: CCIE Lab group
> Subject: Time based ACL question
>
> Little OT, but good practice!
>
> I support a bank network part time that's running MS Windows 2003
> servers. The 3640 core router is an NTP master, gets its time from a
> couple different internet sources, and provides time to what I thought
> was just all the other Cisco devices. I didn't know they had pointed
> their servers to it. Recently the router was rebooted, and until it got
> its correct time (10 minutes or so), it provided 1993 time to these
> servers. Of course MS doesn't follow any RFCs, and chose to use this
> time, rather than declare it insane. So it had some bad effects on their
> Active Directory, which I guess has a strong tie to time like NDS does.
> Since the 3640 has no calendar, it's possible it can happen again. So I
> came up with the idea of a time-based ACL on the router, using absolute
> stop and start time/date. The idea is to not allow in any NTP with
> source addresses matching my internal networks unless the time is after
> an arbitrary date in 2002. The router always boots into 1993. So if I
> allow NTP in only from the internet until the date is greater than 2002,
> I'm thinking it should work, right? How does the time-based ACL react if
> the router time suddenly changes due to NTP? Anyone ever try this
> before?
>
> Thanks,
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>

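The time-range ACL idea Chuck proposes and Brian demonstrates above, as an added Python model that is not part of this thread or of any Cisco code: an absolute time-range with only a start date, a permit for internal NTP sources tied to it, a fallback deny for those sources, and a first-match walk that skips entries whose time-range is inactive (the behaviour the "(inactive)" flag in Brian's 'show access-lists' output reflects). The 10.0.0.0/8 internal prefix, the sample addresses and the sample clock values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

NTP_PORT = 123

@dataclass
class TimeRange:
    """Model of an IOS 'absolute' time-range; None means open-ended."""
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    def is_active(self, clock: datetime) -> bool:
        return (self.start is None or clock >= self.start) and (self.end is None or clock <= self.end)

@dataclass
class Entry:
    action: str                            # "permit" or "deny"
    src: IPv4Network                       # source prefix (wildcard mask in IOS)
    dport: Optional[int] = None            # None matches any destination port
    time_range: Optional[TimeRange] = None

def evaluate(acl, clock: datetime, src: str, dport: int) -> str:
    """First-match walk. An entry whose time-range is inactive (flagged
    '(inactive)' by 'show access-lists') is skipped as if it were absent."""
    for e in acl:
        if e.time_range and not e.time_range.is_active(clock):
            continue
        if IPv4Address(src) in e.src and e.dport in (None, dport):
            return e.action
    return "deny"  # implicit deny at the end of every IOS access list

# Constructed: internal prefix, and a time-range with only a start date so it
# is inactive while the freshly booted router still believes it is 1993.
INTERNAL = IPv4Network("10.0.0.0/8")
CLOCK_SANE = TimeRange(start=datetime(2002, 1, 1, 0, 1))
ACL_100 = [
    Entry("permit", INTERNAL, NTP_PORT, CLOCK_SANE),      # internal NTP once synced
    Entry("deny", INTERNAL, NTP_PORT),                     # otherwise blocked
    Entry("permit", IPv4Network("0.0.0.0/0"), NTP_PORT),  # upstream NTP always
]

def ntp_allowed(clock: datetime, src: str) -> bool:
    return evaluate(ACL_100, clock, src, NTP_PORT) == "permit"

def scenario():
    """Returns (internal at boot, internet at boot, internal after sync)."""
    boot, synced = datetime(1993, 3, 1), datetime(2003, 9, 27, 15, 13)
    return (ntp_allowed(boot, "10.1.1.5"), ntp_allowed(boot, "192.0.2.10"),
            ntp_allowed(synced, "10.1.1.5"))
```

Once the router's clock jumps past the start date after an NTP sync, the first entry becomes active on the next evaluation and internal clients are served again; nothing about the entry itself changes, only whether it is consulted.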


This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:38 GMT-3