GroupStudy.com - A virtual community of network engineers
Re: Dynamic Access List posted 07/30/2006


Here is an example of a dynamic access-list. The external interface's IP
address of your router is 131.1.23.2, and the external host that needs access
to your internal network has an IP address of 2.2.2.2. I hope this helps:



Router(config)#access-list 100 permit tcp any host 131.1.23.2 eq 23

*This access-list is needed so the external users can telnet in, in order to
get authenticated.*



R2(config)#access-list 100 permit ospf any any

*This statement is needed to allow OSPF through (This is just an example)
but if you have other routing protocols running, you should allow that
traffic.*



R2(config)#access-list 100 dynamic TEST permit ip any any

*Note the above statement in the access-list tells the router to create a
dynamic access-list called TEST. This named access-list will be created when
external users telnet to this router and get authenticated. One of the
restrictions in dynamic ACL is that you can only configure one line.*



R2(config)#int s0/0

R2(config-subif)#ip access-group 100 in

*The above command is applying the access-list inbound to S0/0 interface.*


*Lastly the telnet ports must be configured for the dynamic access-list:*



R2(config-subif)#line vty 0 871

R2(config-line)#autocommand ?

  LINE                    Appropriate EXEC command

  no-suppress-linenumber  Display service linenumber message

*Note the access-enable may not show when a question mark is entered.*



R2(config-line)#autocommand access-enable host

R2(config-line)#login local

*The "autocommand" statement links the dynamic access-list to the telnet
authentication. It creates an entry in the dynamic access-list using the
source IP address of the host. If the autocommand is NOT configured, the
dynamic entry will not be created.*

*The second line specifies that authentication should be done using the
local user account database.*



This is the ACL that's created for you:



*On R2*



*Show access-list*



Extended IP access list 100

    10 permit tcp any host 131.1.23.2 eq telnet (207 matches)

    20 permit tcp any host 2.2.2.2 eq telnet

    30 permit ospf any any (175 matches)

    40 Dynamic TEST permit ip any any

       permit ip host 131.1.34.4 any (6 matches)



The external host's IP address is 2.2.2.2



Note: if the timeouts are not specified, the entry will stay there forever
unless you clear the dynamic entry using the following command:



R2#clear ip access-template 100 TEST host 131.1.34.4 any

*Note this command has to be entered in the privileged config mode.*

*There are two timeout values, idle and absolute, and they are as follows:*

R2(config)#line vty 0 871

R2(config-line)#autocommand access-enable host timeout 2

*The timeout here defines the idle timeout and it's in minutes.*



*Show ip access-list*



Extended IP access list 100

    10 permit tcp any host 131.1.23.2 eq telnet (381 matches)

    20 permit tcp any host 2.2.2.2 eq telnet

    30 permit ospf any any (574 matches)

    40 Dynamic TEST permit ip any any

       permit ip host 131.1.34.4 any (1 match) (time left 95)


This is the absolute timeout:



R2(config)#access-list 100 dynamic TEST timeout 4 permit ip any any

*This timeout is the absolute or time-to-live timeout, which defines the
amount of time in minutes a dynamically created access-list can exist.*

Narbik Kocharians
CCIE# 12410 (R&S, SP, Security)
CCSI# 30832
Network Learning, Inc. (CCIE class Instructor)
www.ccbootcamp.com (CCIE Training)




On 7/30/06, Sami <sy1977@xxxxxxxxx> wrote:
>
> Group,
>
> Could someone explain when a dynamic access list is applied to vty lines and
> when to a user using autocommand? Another confusion: timeout, should it be
> used with the dynamic access list command or with autocommand when applying to
> vty/user.
>
> Could some one post a working config with an example.
>
> Thanks
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

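The point Narbik makes about timeouts is the one an operator most easily gets wrong: with neither the `autocommand ... timeout` (idle) nor the `access-list ... dynamic ... timeout` (absolute) value set, the temporary `permit ip host <source> any` entry stays in the ACL until someone runs `clear ip access-template`. The following Python script is an added example, not code from the post or from the thread; it parses the two `show access-list` outputs quoted above (re-typed here as constructed sample input), lists the temporary entries created under a `Dynamic` line, flags the ones with no `time left` counting down, and builds the `clear ip access-template` command in the form the post shows. The regular expressions assume the output layout quoted in the post (temporary entries appear as indented, un-numbered lines under the `Dynamic` line); the unit of the `time left` value is not stated by the post, so the script reports it as printed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two "show access-list" outputs quoted in the
# post, re-typed here. The first was taken with no timeout configured (the
# temporary entry stays until cleared); the second after "autocommand
# access-enable host timeout 2" was added and IOS started reporting "time left".
SHOW_ACL_NO_TIMEOUT = """\
Extended IP access list 100
    10 permit tcp any host 131.1.23.2 eq telnet (207 matches)
    20 permit tcp any host 2.2.2.2 eq telnet
    30 permit ospf any any (175 matches)
    40 Dynamic TEST permit ip any any
       permit ip host 131.1.34.4 any (6 matches)
"""

SHOW_ACL_WITH_TIMEOUT = """\
Extended IP access list 100
    10 permit tcp any host 131.1.23.2 eq telnet (381 matches)
    20 permit tcp any host 2.2.2.2 eq telnet
    30 permit ospf any any (574 matches)
    40 Dynamic TEST permit ip any any
       permit ip host 131.1.34.4 any (1 match) (time left 95)
"""

# Patterns assume the layout quoted in the post (assumption, not a general
# IOS grammar): numbered static lines, a numbered "Dynamic <name>" line, and
# indented temporary entries without a sequence number beneath it.
ACL_HEADER = re.compile(r"^Extended IP access list (\S+)")
DYNAMIC_LINE = re.compile(r"^\s*\d+ Dynamic (\S+) ")
TEMP_SOURCE = re.compile(r"^\s+permit \S+ host (\S+)")   # no sequence number
MATCH_COUNT = re.compile(r"\((\d+) match(?:es)?\)")
TIME_LEFT = re.compile(r"\(time left (\d+)\)")


@dataclass
class DynamicEntry:
    acl: str                   # access-list number the template belongs to
    template: str              # dynamic template name (TEST in the post)
    source: str                # host that authenticated over telnet
    matches: int
    time_left: Optional[int]   # value as IOS prints it; None when no timeout applies

    @property
    def permanent(self) -> bool:
        """No timeout counting down: the entry lives until someone clears it."""
        return self.time_left is None


def parse_dynamic_entries(show_output: str) -> List[DynamicEntry]:
    """Return the temporary entries created under each 'Dynamic' line."""
    entries: List[DynamicEntry] = []
    acl: Optional[str] = None
    template: Optional[str] = None
    for line in show_output.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            acl, template = header.group(1), None
            continue
        dyn = DYNAMIC_LINE.match(line)
        if dyn:
            template = dyn.group(1)
            continue
        src = TEMP_SOURCE.match(line)
        if src and acl and template:
            count = MATCH_COUNT.search(line)
            left = TIME_LEFT.search(line)
            entries.append(DynamicEntry(
                acl=acl,
                template=template,
                source=src.group(1),
                matches=int(count.group(1)) if count else 0,
                time_left=int(left.group(1)) if left else None,
            ))
    return entries


def lingering_entries(show_output: str) -> List[DynamicEntry]:
    """Entries with no timeout at all: the case the post warns about."""
    return [e for e in parse_dynamic_entries(show_output) if e.permanent]


def clear_command(entry: DynamicEntry) -> str:
    """Build the clear command in the form the post shows.

    The trailing 'any' mirrors the template's 'permit ip any any'; for a
    template with a narrower destination it would have to be adjusted.
    """
    return f"clear ip access-template {entry.acl} {entry.template} host {entry.source} any"


if __name__ == "__main__":
    for label, output in (("no timeout", SHOW_ACL_NO_TIMEOUT),
                          ("idle timeout 2", SHOW_ACL_WITH_TIMEOUT)):
        for e in parse_dynamic_entries(output):
            state = "PERMANENT until cleared" if e.permanent else f"time left {e.time_left}"
            print(f"[{label}] acl {e.acl} {e.template}: {e.source} ({e.matches} matches) {state}")
            if e.permanent:
                print("   suggested:", clear_command(e))
```

Run against the first capture the script reports host 131.1.34.4 as permanent and prints the same `clear ip access-template 100 TEST host 131.1.34.4 any` the post uses; against the second it reports the entry with 95 left. The output alone does not tell you whether a countdown comes from the idle timeout on the `autocommand` or the absolute timeout on the `access-list` line, so a periodic run of this check against the router's `show access-list` is a practical way to catch dynamic entries that were authenticated once and never expired.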

