Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Dialer watch and time-based ACLs

I am trying to modify and existing Dialer watch setup to only initiate the backup dial-up call during certain times of the day. I have used time-base access lists in the dialer watch-list, but it doesn't seem to work. Dialing occurs at all times...

access-list 111 deny ospf any any

access-list 111 permit ip any any time-range DIALBK

dialer watch-list 129 ip 10.9.8.0 255.255.255.0

dialer-list 1 protocol ip list 111

any ideas?

4 REPLIES
Cisco Employee

Re: Dialer watch and time-based ACLs

CSCdw21635

Externally found moderate defect: New (N)

Add time based control to dialer watch

I see this feature request , so I doubt if time based access list is supported

on dialer watch ?

Can you please run some debug

debug time-range ?

Also you can try putting the log word at end of access list .

Nilesh

New Member

Re: Dialer watch and time-based ACLs

Hi Nilesh,

I will try, but the remote router is a production box in a remote location, and I *don't* want to have to drive out to reload the box. :-)

The entire router config is below.

My experience is that the dialer watch doesn't appear to hit the access-list at all, but a manual attempt to initiate dialing works perfectly, failing during the "off" hours.

please contact me at cisco@brucemacdougall.ca if you wish to discuss.

Bruce

R3#wr t

Building configuration...

Current configuration : 3682 bytes

!

! Last configuration change at 23:32:44 AST Tue Apr 1 2003

! NVRAM config last updated at 23:33:25 AST Tue Apr 1 2003

!

version 12.2

no parser cache

no service single-slot-reload-enable

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname R3

!

logging buffered 10000 debugging

logging rate-limit console 10 except errors

enable secret ....

!

username R0 password ...

memory-size iomem 25

clock timezone AST -4

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

no ip domain-lookup

ip dhcp excluded-address 10.122.228.0 10.122.228.15

!

ip dhcp pool dpool

network 10.122.228.0 255.255.255.0

default-router 10.122.228.1

dns-server 192.168.1.10

!

ip audit notify log

ip audit po max-events 100

ip ssh time-out 120

ip ssh authentication-retries 3

no ip dhcp-client network-discovery

chat-script Dialit ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONNEC

T \c

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key

!

!

crypto ipsec transform-set vpn1 esp-des esp-md5-hmac

crypto mib ipsec flowmib history tunnel size 200

crypto mib ipsec flowmib history failure size 200

!

crypto map CMAP local-address Ethernet0

crypto map CMAP 10 ipsec-isakmp

set peer

set transform-set vpn1

match address 101

!

!

!

!

interface Loopback1

ip address 10.2.228.1 255.255.255.0

ip nat inside

!

interface Tunnel0

bandwidth 1000

ip address 10.3.3.3 255.255.255.0

ip nat inside

ip ospf cost 5

tunnel source Loopback1

tunnel destination 10.2.225.1

crypto map CMAP

!

interface Ethernet0

ip address dhcp

ip nat outside

no ip route-cache

no ip mroute-cache

half-duplex

crypto map CMAP

!

interface FastEthernet0

ip address 10.122.228.1 255.255.255.0

ip nat inside

no ip route-cache

no ip mroute-cache

speed auto

!

interface Async5

ip address 10.1.228.2 255.255.255.0

ip nat inside

encapsulation ppp

no ip route-cache

ip ospf network point-to-point

ip ospf cost 65000

no ip mroute-cache

dialer in-band

dialer map ip 10.9.8.0 name R0 broadcast 1number

dialer map ip 10.1.228.1 name R0 broadcast 1number

dialer watch-group 129

dialer-group 1

async default routing

async mode interactive

ppp authentication chap

!

router ospf 100

log-adjacency-changes

network 10.1.228.0 0.0.0.255 area 0

network 10.3.3.0 0.0.0.255 area 0

network 10.122.228.0 0.0.0.255 area 0

!

ip nat pool natpool 10.122.228.16 10.122.228.254 netmask 255.255.255.0

ip nat inside source list 50 interface Ethernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Ethernet0

no ip http server

!

access-list 50 deny 10.122.228.0 0.0.0.15

access-list 50 permit 10.122.228.0 0.0.0.255

access-list 101 permit ip host 10.2.228.1 host 10.2.225.1

access-list 110 deny ospf any any

access-list 110 permit ip any any

access-list 111 deny ospf any any

access-list 111 permit ip any any log time-range DIALBK

dialer watch-list 129 ip 10.9.8.0 255.255.255.0

dialer-list 1 protocol ip list 111

!

!

!

line con 0

exec-timeout 0 0

escape-character 88

line aux 0

script dialer Dialit

modem InOut

modem autoconfigure discovery

transport input all

autoselect ppp

stopbits 1

speed 115200

flowcontrol hardware

line vty 0 4

password ....

login

line vty 5 15

login

!

no scheduler allocate

ntp clock-period 17168727

ntp peer 192.5.41.41

time-range DIALBK

periodic Monday 7:00 to 19:00

periodic Tuesday 7:00 to 19:00

periodic Wednesday 7:00 to 19:00

periodic Friday 7:00 to 22:00

periodic Saturday 7:00 to 19:00

periodic Thursday 7:00 to 19:00

!

end

Silver

Re: Dialer watch and time-based ACLs

Dialer watch does not require "interesting traffic" to place a call (one of its key advantages). You have put the time constraints on the access-list defining interesting traffic, not on the definition of what IP addresses to watch.

Easiest solution is to forget dialer watch and just use dial on demand. Of course, whether that is an acceptable solution for you will depend upon your specific requirements.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

New Member

Re: Dialer watch and time-based ACLs

Hi Vincent,

You're right...but I am using Dialer Watch because I don't have much choice in the application.

I guess I'll just have to wait for the feature to be added...

Thanks

121
Views
0
Helpful
4
Replies
CreatePlease login to create content