Re: Deny NTP at a certain time everyday

From: Luan Nguyen (luan.m.nguyen@gmail.com)
Date: Fri Jan 18 2008 - 13:25:49 ARST


Yeah. Time-based ACL is an extended ACL feature, so you can't do something
like ntp access-group... since that only takes a standard numbered ACL.
An ACL on the outbound interface won't stop locally generated NTP packets.
I had to do ip local policy route-map.
Another is to use something in 12.4T code: zone-based firewall, where you
could do something about locally generated packets without using local
policy.
Just wondering if there is something simpler :)

-lmn

On Jan 18, 2008 7:19 AM, Bajo <bajoalex@gmail.com> wrote:

> Hi lmn,
>
> I can think of playing with
>
> 1. ACL on the interface
> 2. PBR ( set interface to null if a match)
> 3. NAT
> 4. VACL
> 5. MQC
> All will use a time-based ACL as a match criterion.
>
> Hopefully, someone will show some cool-tricks :)
>
> R3#sh ip nbar port-map | in ntp
> port-map nntp udp 119
> port-map nntp tcp 119
> port-map ntp udp 123
> port-map ntp tcp 123
> port-map secure-nntp udp 563
> port-map secure-nntp tcp 563
>
>
>
>
> On 1/16/08, Luan Nguyen <luan.m.nguyen@gmail.com> wrote:
> > Hi guys,
> > I have a question: How many way(s) can you configure your router to stop
> > NTP queries from 12 to 1 every day without affecting anything else? You don't
> > have to limit yourself to the lab IOS and technologies.
> >
> > Thanks.
> >
> > -lmn
> >
> >
>
>
> --
> Kind Regards,
>
> Bajo
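
The local policy route-map approach mentioned in the reply at the top of this thread, written out as an added example that is not part of the original messages. The names NTP-BLOCK-WINDOW, LOCAL-NTP and LOCAL-NTP-DROP are hypothetical, and "12 to 1" is assumed to mean 12:00 to 13:00 on the router's own clock.

```cisco
! Constructed example, not from the thread. All names are hypothetical.
! Assumption: "12 to 1" means 12:00 to 13:00, router local time.
time-range NTP-BLOCK-WINDOW
 periodic daily 12:00 to 13:00
!
! Time-based matching needs an extended ACL. This entry matches
! NTP (UDP/123) only while the time-range is active; outside the
! window the entry is inactive and nothing matches.
ip access-list extended LOCAL-NTP
 permit udp any any eq ntp time-range NTP-BLOCK-WINDOW
!
! Packets matching the ACL are sent to Null0 (dropped).
! Traffic that does not match falls through the route-map
! and is forwarded by the normal routing table.
route-map LOCAL-NTP-DROP permit 10
 match ip address LOCAL-NTP
 set interface Null0
!
! Interface ACLs and interface PBR do not see router-originated
! packets; local policy applies the route-map to them.
ip local policy route-map LOCAL-NTP-DROP
```

`show time-range` reports whether the window is currently active, and `show ip local policy` confirms the route-map is attached. The window follows the router's clock, so a wrong clock moves the block period.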



This archive was generated by hypermail 2.1.4 : Fri Feb 01 2008 - 10:38:00 ARST