07-12-2010 09:19 AM
Hi everybody,
I'm working in a lab that includes dial-backup for a VSAT link (satellite link). This part of the lab is working excellently: dial-backup goes up when the VSAT connection is lost, and goes down when the VSAT link is recovered.
So, all is ok but... I need to grant dial-backup access only in business hours (ex: 9 am to 5 pm) and deny these the rest of the day.
I worked with time range + access list + dialer-list but it didn't work for me. I was following the steps of this link: http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a0080094089.shtml.
Is there other way to do this or other idea?
Regards.
07-15-2010 01:47 PM
Can you publish your lab config so that I can review?
07-27-2010 01:47 PM
Todd,
Sorry for the delay but I was on vacation. Below you'll find the configuration, with the part regarding blocking dial-in connections highlighted in red. This configuration is intended to permit dial-in connections only during business hours. I know that it just blocks IP traffic, but I did not find a way to block PPP or another protocol at a lower level.
Could you help me?
Thanks in advance.
Current configuration : 18107 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname central
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable password CVMSLoA
!
aaa new-model
!
!
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
memory-size iomem 30
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name test_dbkp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
****
PURPOSELY REMOVED
****
username alumine password 0 alumine
username senillosa password 0 senillosa
interface Loopback0
ip address 192.168.2.1 255.255.255.255
!
interface FastEthernet0/0
description to TELCO1
ip address 10.1.176.1 255.255.255.248
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
analysis-module monitoring
service-policy output CUSTOMER_QoS
!
interface FastEthernet0/1
description to TELCO2
ip address 10.1.176.9 255.255.255.248
duplex auto
speed auto
analysis-module monitoring
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Integrated-Service-Engine1/0
ip unnumbered Vlan1
ip nbar protocol-discovery
service-module ip address 10.1.48.253 255.255.255.0
!Application: running
service-module ip default-gateway 10.1.48.1
no keepalive
!
interface Vlan1
ip address 10.1.48.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
no autostate
interface Async1
no ip address
encapsulation slip
async mode interactive
no peer default ip address
!
interface Async0/0/0
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/1
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/2
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/3
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/4
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/5
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/6
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode interactive
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
interface Async0/0/7
ip unnumbered Loopback0
encapsulation ppp
async dynamic address
async mode dedicated
no peer default ip address
dialer-group 2
ppp authentication chap
routing dynamic
!
router bgp 1
no synchronization
bgp log-neighbor-changes
network 10.1.48.0 mask 255.255.255.0
network 10.222.48.0 mask 255.255.255.0
network 192.168.2.1 mask 255.255.255.255
neighbor 10.1.176.25 remote-as 4
neighbor 10.1.176.25 ebgp-multihop 255
neighbor 10.1.176.33 remote-as 5
neighbor 10.1.176.33 ebgp-multihop 255
neighbor 10.1.176.41 remote-as 6
neighbor 10.1.176.41 ebgp-multihop 255
neighbor 10.1.176.49 remote-as 7
neighbor 10.1.176.49 ebgp-multihop 255
neighbor 10.1.176.57 remote-as 8
neighbor 10.1.176.57 ebgp-multihop 255
neighbor 10.1.176.65 remote-as 9
neighbor 10.1.176.65 ebgp-multihop 255
neighbor 10.1.176.73 remote-as 110
neighbor 10.1.176.73 ebgp-multihop 255
neighbor 10.1.176.81 remote-as 11
neighbor 10.1.176.81 ebgp-multihop 255
neighbor 10.1.176.89 remote-as 12
neighbor 10.1.176.89 ebgp-multihop 255
neighbor 10.1.176.97 remote-as 13
neighbor 10.1.176.97 ebgp-multihop 255
neighbor 10.1.176.105 remote-as 14
neighbor 10.1.176.105 ebgp-multihop 255
neighbor 10.1.176.113 remote-as 15
neighbor 10.1.176.113 ebgp-multihop 15
neighbor 10.1.176.121 remote-as 16
neighbor 10.1.176.121 ebgp-multihop 255
neighbor 10.1.176.129 remote-as 17
neighbor 10.1.176.129 ebgp-multihop 255
neighbor 10.1.176.137 remote-as 18
neighbor 10.1.176.137 ebgp-multihop 255
neighbor 10.1.176.145 remote-as 19
neighbor 10.1.176.145 ebgp-multihop 255
neighbor 10.1.176.153 remote-as 20
neighbor 10.1.176.153 ebgp-multihop 255
neighbor 10.1.176.161 remote-as 21
neighbor 10.1.176.161 ebgp-multihop 255
neighbor 10.1.176.169 remote-as 22
neighbor 10.1.176.169 ebgp-multihop 255
neighbor 10.1.176.177 remote-as 24
neighbor 10.1.176.177 ebgp-multihop 255
neighbor 10.1.176.185 remote-as 25
neighbor 10.1.176.185 ebgp-multihop 255
neighbor 10.1.176.193 remote-as 220
neighbor 10.1.176.193 ebgp-multihop 255
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.176.6
ip route 10.1.48.253 255.255.255.255 Integrated-Service-Engine1/0
ip route 10.1.176.0 255.255.255.0 10.1.176.2
ip route 10.1.176.24 255.255.255.248 10.1.176.10
ip route 10.1.176.40 255.255.255.248 10.1.176.10
ip route 10.1.176.64 255.255.255.248 10.1.176.10
ip route 10.1.176.72 255.255.255.248 10.1.176.10
ip route 10.1.176.88 255.255.255.248 10.1.48.16
ip route 10.1.176.152 255.255.255.248 10.1.176.10
ip route 10.1.176.200 255.255.255.248 10.1.48.16
ip route 10.1.176.208 255.255.255.240 10.1.48.16
ip route 10.1.176.248 255.255.255.248 10.1.176.10
ip route 10.2.48.0 255.255.255.0 10.1.176.2
ip route 10.3.48.0 255.255.255.0 10.1.176.2
...
PURPOSELY REMOVED
***
!
access-list 1 permit 192.168.150.199
access-list 1 permit 10.1.176.2
access-list 1 permit 10.1.176.6
access-list 1 permit 10.1.48.0 0.0.0.255
access-list 1 permit 10.222.48.0 0.0.0.255
access-list 101 permit ip any any time-range BUSINESS-HOURS
access-list 101 deny ip any any
dialer-list 2 protocol ip list 101
!
!
!
!
!
snmp-server community RTPE-T-2 RO
snmp-server community RTPE-R-2 RO
snmp-server community RTPE-W-2 RO
snmp-server location CCTE
snmp-server contact AREA C+T
snmp-server host 10.1.48.19 RTPE-T-2
snmp-server host 10.1.48.219 RTPE-T-2
!
control-plane
!
!
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
!
!
dial-peer voice 1 pots
preference 1
destination-pattern *1
port 0/2/0
!
dial-peer voice 2 pots
preference 2
destination-pattern *1
port 0/2/1
!
dial-peer voice 3 pots
preference 3
destination-pattern *1
port 0/2/2
!
dial-peer voice 4 pots
preference 4
destination-pattern *1
port 0/2/3
!
dial-peer voice 5 pots
preference 1
destination-pattern [5-7]...
port 0/2/0
forward-digits all
!
dial-peer voice 6 pots
preference 2
destination-pattern [5-7]...
port 0/2/1
forward-digits all
!
dial-peer voice 7 pots
preference 3
destination-pattern [5-7]...
port 0/2/2
forward-digits all
!
dial-peer voice 8 pots
preference 4
destination-pattern [5-7]...
port 0/2/3
forward-digits all
!
dial-peer voice 9 voip
destination-pattern 199
session protocol sipv2
session target ipv4:10.255.48.227
no vad
!
dial-peer voice 10 voip
destination-pattern 101
session protocol sipv2
session target ipv4:10.3.48.3
no vad
!
dial-peer voice 11 voip
destination-pattern 102
session protocol sipv2
session target ipv4:10.3.48.35
no vad
!
dial-peer voice 12 voip
destination-pattern 103
session protocol sipv2
session target ipv4:10.3.48.67
no vad
!
dial-peer voice 13 voip
destination-pattern 121
session protocol sipv2
session target ipv4:10.2.48.3
no vad
!
dial-peer voice 14 voip
destination-pattern 122
session protocol sipv2
session target ipv4:10.4.48.3
no vad
!
dial-peer voice 15 voip
destination-pattern 123
session protocol sipv2
session target ipv4:10.18.48.3
no vad
!
dial-peer voice 16 voip
destination-pattern 131
session protocol sipv2
session target ipv4:10.12.48.3
no vad
!
dial-peer voice 17 voip
destination-pattern 132
session protocol sipv2
session target ipv4:10.220.48.3
no vad
...
PURPOSELY REMOVED
***
!
!
!
!
line con 0
line aux 0
stopbits 1
line 0/0/0 0/0/7
modem InOut
autoselect ppp
stopbits 1
speed 57600
flowcontrol hardware
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class 1 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 1 in
privilege level 15
!
scheduler allocate 20000 1000
time-range BUSINESS-HOURS
periodic daily 09:00 to 17:00
!
end
07-28-2010 12:00 PM
I don't see NTP configured. Have you verified that the clock time is set correctly? If you do a "sh access-list 101" during business hours, do you see the permit line in an "active" state?
RCDN-2821#sh clock
*14:16:42.683 CDT Wed Jul 28 2010
RCDN-2821#sh access-list 101
Extended IP access list 101
10 permit ip any any time-range BUSINESS-HOURS (active)
20 deny ip any any
time-range BUSINESS-HOURS
periodic weekdays 9:00 to 17:00
07-28-2010 12:39 PM
Todd,
Thank you so much for your reply. Yes, that is correct, I'm not using NTP because I'm setting the clock manually.
For example:
central#clock set 00:30:00 28 Jul 2010
central#sh clock
00:30:04.031 UTC Wed Jul 28 2010
In this case, ACL 101 should block the IP traffic (20 deny ip any any) because it is outside business hours, but that does not happen. In fact, the connection between the remote site and the central site keeps working.
And when the clock shows a time within business hours, ACL 101 (line 10) begins to show an active state.
Regards.
07-28-2010 01:10 PM
I will have to do some digging to see if this has been recently supported. Your configuration looks accurate to me based on the sample configuration doc above. That configuration was done using 12.0 code so it may not be supported in newer IOS with the advent of features such as backup interface, floating static routes, and IP SLA/EEM.
07-28-2010 01:36 PM
Todd,
I'll be trying to understand the use of EEM. Please, if you know another way to disable dial-in outside business hours, it will be very useful for me.
Thank you again!!!
08-09-2010 03:47 PM
Just to add some more,
If you are using the "dialer-watch" scheme to activate a backup link, it's not dependent on interesting traffic to bring up the backup link. So in that case, once the primary goes down, the backup link will be activated, bypassing the ACL. So use another scheme like floating static route or backup interface, etc. To debug this issue and see which traffic is bringing up your backup link, use "debug dialer" and ACL-based debugs.
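As an added example that is not part of the thread or of Cisco's sample document: the dialer-list in the posted config only classifies "interesting" traffic for DDR, it does not refuse a call or tear down an established PPP session, so the time-range ACL never denies the dial-in itself. Following Todd's pointer to EEM, one way to enforce the 09:00 to 17:00 window on the lines themselves is a pair of cron-driven EEM applets that shut and re-enable the eight Async0/0/x interfaces; this assumes the router clock is correct (NTP or "clock set"), that the platform accepts "shutdown" on Async interfaces, and that EEM 3.0 (12.4(22)T or later) is available for the "foreach" action.

```cisco
! Added example (not from the thread). Closes dial-in at 17:00 and
! reopens it at 09:00, Monday to Friday. Assumes a correct system clock
! and EEM 3.0 for "foreach"; applet/variable names are illustrative.
!
event manager applet DIAL-BACKUP-CLOSE
 event timer cron cron-entry "0 17 * * 1-5"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 foreach iface "Async0/0/0 Async0/0/1 Async0/0/2 Async0/0/3 Async0/0/4 Async0/0/5 Async0/0/6 Async0/0/7" " "
 action 2.1 cli command "interface $iface"
 action 2.2 cli command "shutdown"
 action 2.3 end
 action 3.0 cli command "end"
 action 3.1 syslog msg "Dial-backup closed: async interfaces shut outside business hours"
!
event manager applet DIAL-BACKUP-OPEN
 event timer cron cron-entry "0 9 * * 1-5"
 action 1.0 cli command "enable"
 action 1.1 cli command "configure terminal"
 action 2.0 foreach iface "Async0/0/0 Async0/0/1 Async0/0/2 Async0/0/3 Async0/0/4 Async0/0/5 Async0/0/6 Async0/0/7" " "
 action 2.1 cli command "interface $iface"
 action 2.2 cli command "no shutdown"
 action 2.3 end
 action 3.0 cli command "end"
 action 3.1 syslog msg "Dial-backup opened: async interfaces enabled for business hours"
!
! Verification after a manual "clock set" to 00:30 and to 10:00:
!   show event manager policy registered   (both applets listed)
!   show ip interface brief | include Async (administratively down / up)
```

Because the applets fire only at the two boundary times, run the matching applet once by hand (event manager run DIAL-BACKUP-CLOSE) after loading the config, or the lines stay in whatever state they were in until the next cron edge.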