From: Jason Buszta (groupstudy@buszta.com)
Date: Sun Sep 28 2003 - 09:56:05 GMT-3
Looking at the ntp access-group command, it only takes a standard access-list
(12.2(17a)), so I am guessing you are using an access-group in statement on
an ethernet/serial interface to filter requests. Do not forget to set an
access-list to allow the router to go outbound and get time from its time
source regardless of the time range. So if you're syncing off of 1.1.1.1
you will need:
interface ethernet0/0
ip address 10.1.1.1 255.255.255.0
ntp source ethernet 0/0
(I believe NTP uses the same source and destination port; you will need to
verify Cisco's implementation of the protocol)
ip access-list extended router_inbound
permit udp host 1.1.1.1 eq 123 host 10.1.1.1 eq 123
deny udp any any eq ntp time-range ntp-time
permit ip any any
On Sat, 27 Sep 2003, Charles Church wrote:
> Thanks, Brian. It worked fine:
>
> vpn2611#sh clock
> 22:52:01.775 EDT Sat Sep 27 2003 (clock is currently correct)
> vpn2611#sh access-l ntp-safeguard
> Extended IP access list ntp-safeguard
> deny udp any any eq ntp time-range ntptime (inactive)
> permit ip any any (2 matches)
> vpn2611#sh time-range
> time-range entry: ntptime (inactive)
> absolute start 00:00 01 January 1993 end 12:00 27 September 2003
> used in: IP ACL entry
> vpn2611#clock set 10:00:00 1 jan 2000
> vpn2611#sh time-range
> time-range entry: ntptime (active)
> absolute start 00:00 01 January 1993 end 12:00 27 September 2003
> used in: IP ACL entry
> vpn2611#sh access-l ntp-safeguard
> Extended IP access list ntp-safeguard
> deny udp any any eq ntp time-range ntptime (active)
> permit ip any any (3 matches)
> vpn2611#sh clock
> .10:00:38.834 EST Sat Jan 1 2000
> vpn2611#sh clock (clock has re-synced to internet source, so it's
> correct again)
> .22:54:02.623 EDT Sat Sep 27 2003
> vpn2611#sh access-l ntp-safeguard
> Extended IP access list ntp-safeguard
> deny udp any any eq ntp time-range ntptime (inactive) (1 match)
> permit ip any any (4 matches)
> vpn2611#sh time-range
> time-range entry: ntptime (inactive)
> absolute start 00:00 01 January 1993 end 21:27 27 September 2003
> used in: IP ACL entry
> vpn2611#
>
> Cool stuff.....
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
> Wam!Net Government Services
> 13665 Dulles Technology Dr. Ste 250
> Herndon, VA 20171
> Office: 703-480-2569
> Cell: 703-819-3495
> cchurch@wamnet.com
> PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Brian McGahan
> Sent: Saturday, September 27, 2003 1:52 PM
> To: 'Charles Church'; 'CCIE Lab group'
> Subject: RE: Time based ACL question
>
>
> Chuck,
>
> Sounds like this should work. The router updates the status of
> the time-range almost immediately. When you 'show access-lists', you
> will see the time range listed as either active or inactive.
>
> access-list 100 permit ip any any time-range 2003
> !
> time-range 2003
> absolute start 00:01 01 January 2003 end 23:59 31 December 2003
>
> R1#sh access-lists
> Extended IP access list 100
> 10 permit ip any any time-range 2003 (inactive)
> R1#clock set 12:34:56 1 Jan 2003
> R1#sh access-lists
> Extended IP access list 100
> 10 permit ip any any time-range 2003 (active)
> R1#clock set 12:34:56 1 Jan 2002
> R1#sh access-lists
> Extended IP access list 100
> 10 permit ip any any time-range 2003 (inactive)
> R1#clock set 12:34:56 1 Jan 2003
> R1#sh access-lists
> Extended IP access list 100
> 10 permit ip any any time-range 2003 (active)
> R1#clock set 12:34:56 1 Jan 2004
> R1#sh access-lists
> Extended IP access list 100
> 10 permit ip any any time-range 2003 (inactive)
>
>
>
> HTH,
>
> Brian McGahan, CCIE #8593
> bmcgahan@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Direct: 708-362-1418 (Outside the US and Canada)
>
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Charles Church
> > Sent: Saturday, September 27, 2003 1:17 PM
> > To: CCIE Lab group
> > Subject: Time based ACL question
> >
> > Little OT, but good practice!
> >
> > I support a bank network part time that's running MS Windows 2003
> > servers. The 3640 core router is an NTP master, gets its time from a
> > couple different internet sources, and provides time to what I thought
> > was just all the other Cisco devices. I didn't know they had pointed
> > their servers to it. Recently the router was rebooted, and until it got
> > its correct time (10 minutes or so), it provided 1993 time to these
> > servers. Of course MS doesn't follow any RFCs, and chose to use this
> > time, rather than declare it insane. So it had some bad effects on their
> > Active Directory, which I guess has a strong tie to time like NDS does.
> > Since the 3640 has no calendar, it's possible it can happen again. So I
> > came up with the idea of a time-based ACL on the router, using absolute
> > stop and start time/date. The idea is to not allow in any NTP with
> > source addresses matching my internal networks unless the time is after
> > an arbitrary date in 2002. The router always boots into 1993. So if I
> > allow NTP in only from the internet until the date is greater than 2002,
> > I'm thinking it should work, right? How does the time-based ACL react if
> > the router time suddenly changes due to NTP? Anyone ever try this before?
> >
> > Thanks,
> >
> > Chuck Church
> > CCIE #8776, MCNE, MCSE
> > Wam!Net Government Services
> > 13665 Dulles Technology Dr. Ste 250
> > Herndon, VA 20171
> > Office: 703-480-2569
> > Cell: 703-819-3495
> > cchurch@wamnet.com
> > PGP key: http://pgp.mit.edu:11371/pks/lookup?search=chuck+church&op=index
> >
> > ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> >
> _______________________________________________________________________
> > Please help support GroupStudy by purchasing your study materials
> from:
> > shop.groupstudy.com
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
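A small Python model of the ACL behaviour discussed in this thread, added here as an illustration and not code from any of the posters: it walks the three router_inbound entries from Jason's reply with the router clock at boot (1993) and after NTP sync, so the effect of placing the permit for the time source ahead of the time-ranged deny can be checked. Addresses, clock values and packets are constructed; the IOS source-port match ("eq 123" after the source host) is not modelled.

```python
# Added example, not from the thread: IOS-style ACL walk with a time-ranged deny. Data below is constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

NTP = 123

def time_range_active(tr: tuple, clock: datetime) -> bool:
    # 'absolute start ... end ...': the range is active only while the clock is inside the window
    return tr[0] <= clock <= tr[1]

@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "udp", or "ip" (matches every protocol)
    src: str                             # "any" or a single host address
    dst: str
    dport: Optional[int] = None          # "eq <port>" on the destination (source port not modelled)
    time_range: Optional[tuple] = None   # (start, end) datetimes of an absolute time-range

    def matches(self, pkt: dict, clock: datetime) -> bool:
        if self.time_range and not time_range_active(self.time_range, clock):
            return False                 # an entry shown as "(inactive)" is skipped entirely
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ip_address(have) not in ip_network(want + "/32"):
                return False
        return self.dport is None or self.dport == pkt.get("dport")

def evaluate(acl: list, pkt: dict, clock: datetime) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(pkt, clock):
            return ace.action
    return "deny"

NTP_TIME = (datetime(1993, 1, 1), datetime(2003, 9, 27, 12))
ROUTER_INBOUND = [
    Ace("permit", "udp", "1.1.1.1", "10.1.1.1", NTP),                  # time source, always allowed
    Ace("deny", "udp", "any", "any", NTP, time_range=NTP_TIME),        # all other NTP while clock is untrusted
    Ace("permit", "ip", "any", "any"),
]
UPSTREAM = {"proto": "udp", "src": "1.1.1.1", "dst": "10.1.1.1", "dport": NTP}
INTERNAL = {"proto": "udp", "src": "10.1.1.50", "dst": "10.1.1.1", "dport": NTP}
BOOT_CLOCK, SYNCED_CLOCK = datetime(1993, 3, 1), datetime(2003, 9, 27, 22, 54)
def decisions(clock: datetime) -> dict:
    return {n: evaluate(ROUTER_INBOUND, p, clock) for n, p in (("upstream", UPSTREAM), ("internal", INTERNAL))}
```

With the boot clock the internal NTP packet is denied while the upstream source is still permitted; once the clock passes the end of the range the deny shows as inactive and internal NTP is permitted by the final entry.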
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:39 GMT-3