From: Charles Church (cchurch@wamnet.com)
Date: Sun Sep 28 2003 - 00:20:01 GMT-3
Thanks, Brian. It worked fine:
vpn2611#sh clock
22:52:01.775 EDT Sat Sep 27 2003 (clock is currently correct)
vpn2611#sh access-l ntp-safeguard
Extended IP access list ntp-safeguard
deny udp any any eq ntp time-range ntptime (inactive)
permit ip any any (2 matches)
vpn2611#sh time-range
time-range entry: ntptime (inactive)
absolute start 00:00 01 January 1993 end 12:00 27 September 2003
used in: IP ACL entry
vpn2611#clock set 10:00:00 1 jan 2000
vpn2611#sh time-range
time-range entry: ntptime (active)
absolute start 00:00 01 January 1993 end 12:00 27 September 2003
used in: IP ACL entry
vpn2611#sh access-l ntp-safeguard
Extended IP access list ntp-safeguard
deny udp any any eq ntp time-range ntptime (active)
permit ip any any (3 matches)
vpn2611#sh clock
.10:00:38.834 EST Sat Jan 1 2000
vpn2611#sh clock (clock has re-synced to internet source, so it's correct again)
.22:54:02.623 EDT Sat Sep 27 2003
vpn2611#sh access-l ntp-safeguard
Extended IP access list ntp-safeguard
deny udp any any eq ntp time-range ntptime (inactive) (1 match)
permit ip any any (4 matches)
vpn2611#sh time-range
time-range entry: ntptime (inactive)
absolute start 00:00 01 January 1993 end 21:27 27 September 2003
used in: IP ACL entry
vpn2611#
Cool stuff.....
Chuck Church
CCIE #8776, MCNE, MCSE
Wam!Net Government Services
13665 Dulles Technology Dr. Ste 250
Herndon, VA 20171
Office: 703-480-2569
Cell: 703-819-3495
cchurch@wamnet.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Brian McGahan
Sent: Saturday, September 27, 2003 1:52 PM
To: 'Charles Church'; 'CCIE Lab group'
Subject: RE: Time based ACL question
Chuck,
Sounds like this should work. The router updates the status of
the time-range almost immediately. When you 'show access-lists', you
will see the time range listed as either active or inactive.
access-list 100 permit ip any any time-range 2003
!
time-range 2003
absolute start 00:01 01 January 2003 end 23:59 31 December 2003
R1#sh access-lists
Extended IP access list 100
10 permit ip any any time-range 2003 (inactive)
R1#clock set 12:34:56 1 Jan 2003
R1#sh access-lists
Extended IP access list 100
10 permit ip any any time-range 2003 (active)
R1#clock set 12:34:56 1 Jan 2002
R1#sh access-lists
Extended IP access list 100
10 permit ip any any time-range 2003 (inactive)
R1#clock set 12:34:56 1 Jan 2003
R1#sh access-lists
Extended IP access list 100
10 permit ip any any time-range 2003 (active)
R1#clock set 12:34:56 1 Jan 2004
R1#sh access-lists
Extended IP access list 100
10 permit ip any any time-range 2003 (inactive)
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Charles Church
> Sent: Saturday, September 27, 2003 1:17 PM
> To: CCIE Lab group
> Subject: Time based ACL question
>
> Little OT, but good practice!
>
> I support a bank network part time that's running MS Windows 2003 servers.
> The 3640 core router is an NTP master, gets its time from a couple
> different internet sources, and provides time to what I thought was just
> all the other Cisco devices. I didn't know they had pointed their servers
> to it. Recently the router was rebooted, and until it got its correct time
> (10 minutes or so), it provided 1993 time to these servers. Of course MS
> doesn't follow any RFCs, and chose to use this time rather than declare it
> insane. So it had some bad effects on their Active Directory, which I guess
> has a strong tie to time like NDS does. Since the 3640 has no calendar,
> it's possible it can happen again. So I came up with the idea of a
> time-based ACL on the router, using absolute stop and start time/date. The
> idea is to not allow in any NTP with source addresses matching my internal
> networks unless the time is after an arbitrary date in 2002. The router
> always boots into 1993. So if I allow NTP in only from the internet until
> the date is greater than 2002, I'm thinking it should work, right? How does
> the time-based ACL react if the router time suddenly changes due to NTP?
> Anyone ever try this before?
>
> Thanks,
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
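A small model of the behaviour shown in this thread, added here as an example and not code from either poster: an IOS-style time-range with an absolute start/end toggles an ACL entry between active and inactive as the router clock moves, so NTP from inside hosts is refused while the clock still reads 1993 and allowed once NTP has corrected it. The ACL and time-range names and the clock values come from Chuck's output; the 10.0.0.0/8 inside prefix and the sample source addresses are constructed assumptions (Chuck's tested entry used `any any`).

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

NTP_PORT = 123  # 'eq ntp' in IOS


@dataclass
class TimeRange:
    # IOS 'time-range' with a single 'absolute start ... end' clause
    start: datetime
    end: datetime

    def active(self, clock: datetime) -> bool:
        return self.start <= clock <= self.end


@dataclass
class Ace:
    # One extended-ACL entry; proto 'ip' matches any protocol
    action: str
    proto: str
    src: ip_network = ip_network("0.0.0.0/0")
    dst_port: Optional[int] = None
    time_range: Optional[TimeRange] = None

    def matches(self, pkt: dict, clock: datetime) -> bool:
        if self.time_range and not self.time_range.active(clock):
            return False  # entry shows '(inactive)' and is skipped
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if self.dst_port is not None and self.dst_port != pkt["dport"]:
            return False
        return ip_address(pkt["src"]) in self.src


def evaluate(acl: list, pkt: dict, clock: datetime) -> str:
    # First matching entry wins; IOS appends an implicit deny
    for ace in acl:
        if ace.matches(pkt, clock):
            return ace.action
    return "deny"


# 'ntptime' / 'ntp-safeguard' as in Chuck's output: the deny is live only
# while the clock is inside the pre-sync window ending 12:00 27 Sep 2003.
# 10.0.0.0/8 as the inside prefix is a constructed assumption.
NTPTIME = TimeRange(datetime(1993, 1, 1), datetime(2003, 9, 27, 12))
NTP_SAFEGUARD = [
    Ace("deny", "udp", ip_network("10.0.0.0/8"), NTP_PORT, NTPTIME),
    Ace("permit", "ip"),
]


def ntp_verdict(src: str, clock_iso: str) -> str:
    # Verdict for an NTP query from src while the router clock reads clock_iso
    pkt = {"proto": "udp", "src": src, "dport": NTP_PORT}
    return evaluate(NTP_SAFEGUARD, pkt, datetime.fromisoformat(clock_iso))
```

Setting the clock back into the window (as with `clock set 10:00:00 1 jan 2000` above) re-arms the deny until NTP corrects the time again.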
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:39 GMT-3