Cisco: Dynamic ACLs: Lock and Key

Tasks

  1. Absolute timeout
  2. Idle timeout
  3. Verify on physical equipment (Cisco ISR 1841, IOS 15.0) that re-authentication extends the absolute timeout

Lab

Configuration

configure terminal
!
access-list 101 permit tcp any host 10.1.2.2 eq telnet
access-list 101 dynamic MARKET timeout 3 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit eigrp any any
!
! When a telnet session is established again, the absolute timeout is extended by 6 minutes.
access-list dynamic-extended
!
username john password ccie1234
username fred password ccie5678
username john autocommand access-enable host timeout 1
username fred autocommand access-enable host timeout 2
!
line vty 0 15
 login local
!
interface GigabitEthernet 0/1
 ip access-group 101 in
!
end
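To make the interplay of the three timers in this configuration concrete, here is an added Python model (not IOS code, and not part of this wiki page) of the temporary entries the dynamic ACL would create: the absolute timeout of 3 minutes comes from the "timeout 3" on the dynamic ACL line, the idle timeouts of 1 and 2 minutes from the autocommand lines for john and fred, and the 6-minute extension on re-authentication is what the page attributes to access-list dynamic-extended. The model assumes that a re-authentication from a source host that already has an entry extends that entry rather than creating a second one; the host addresses and timings in the scenarios are constructed.

```python
"""Model of lock-and-key temporary entries and their timers (added example)."""
from dataclasses import dataclass

# Values taken from the page's configuration (seconds)
ABSOLUTE_TIMEOUT_SEC = 3 * 60          # access-list 101 dynamic MARKET timeout 3
IDLE_TIMEOUT_SEC = {"john": 1 * 60,    # username john autocommand access-enable host timeout 1
                    "fred": 2 * 60}    # username fred autocommand access-enable host timeout 2
EXTENSION_SEC = 6 * 60                 # access-list dynamic-extended: +6 minutes on re-authentication


@dataclass
class TempEntry:
    user: str
    host: str               # source host the entry was created for
    absolute_expiry: float  # wall-clock time at which the entry dies regardless of traffic
    idle_timeout: float     # seconds of silence after which the entry dies
    last_hit: float         # last time a packet matched the entry


class LockAndKeyList:
    """One dynamic ACL; entries are keyed by source host."""

    def __init__(self, dynamic_extended: bool = False):
        self.dynamic_extended = dynamic_extended
        self.entries: dict[str, TempEntry] = {}

    def _purge(self, now: float) -> None:
        # An entry is removed by whichever timer fires first: absolute or idle.
        for host, e in list(self.entries.items()):
            if now >= e.absolute_expiry or now - e.last_hit >= e.idle_timeout:
                del self.entries[host]

    def authenticate(self, user: str, host: str, now: float) -> str:
        """Equivalent of the user's autocommand 'access-enable host timeout N'."""
        self._purge(now)
        existing = self.entries.get(host)
        if existing is not None:
            # Assumption: re-authentication touches the existing entry instead of adding one.
            if self.dynamic_extended:
                existing.absolute_expiry += EXTENSION_SEC
                return "extended"
            return "unchanged"
        self.entries[host] = TempEntry(user, host, now + ABSOLUTE_TIMEOUT_SEC,
                                       IDLE_TIMEOUT_SEC[user], now)
        return "created"

    def permit(self, host: str, now: float) -> bool:
        """A packet from host arrives: permitted only while the entry is alive; refreshes idle timer."""
        self._purge(now)
        e = self.entries.get(host)
        if e is None:
            return False
        e.last_hit = now
        return True

    def time_left(self, host: str, now: float) -> int:
        """Seconds until the entry is removed if no further traffic arrives."""
        self._purge(now)
        e = self.entries.get(host)
        if e is None:
            return 0
        return int(min(e.absolute_expiry - now, e.idle_timeout - (now - e.last_hit)))


def run_scenarios() -> dict:
    """Three constructed timelines covering the page's three tasks."""
    results = {}

    # Task 2: john has a 1-minute idle timeout; 70 s of silence removes the entry.
    acl = LockAndKeyList()
    acl.authenticate("john", "172.16.1.1", 0)
    results["john_t30"] = acl.permit("172.16.1.1", 30)     # True
    results["john_t100"] = acl.permit("172.16.1.1", 100)   # False: idle timer fired

    # Task 1: fred keeps traffic flowing every 60 s, so only the 3-minute absolute timer applies.
    acl = LockAndKeyList()
    acl.authenticate("fred", "172.16.2.2", 0)
    results["fred_time_left_t0"] = acl.time_left("172.16.2.2", 0)   # 120: idle timer is the shorter one
    for t in (60, 120):
        acl.permit("172.16.2.2", t)
    results["fred_t170"] = acl.permit("172.16.2.2", 170)   # True
    results["fred_t180"] = acl.permit("172.16.2.2", 180)   # False: absolute timer fired

    # Task 3: with dynamic-extended, a second authentication pushes the absolute expiry out by 6 min.
    acl = LockAndKeyList(dynamic_extended=True)
    acl.authenticate("fred", "172.16.2.2", 0)
    acl.permit("172.16.2.2", 30)
    results["reauth"] = acl.authenticate("fred", "172.16.2.2", 90)  # "extended": expiry 180 -> 540
    for t in range(120, 540, 60):
        acl.permit("172.16.2.2", t)
    results["fred_ext_t500"] = acl.permit("172.16.2.2", 500)  # True
    results["fred_ext_t540"] = acl.permit("172.16.2.2", 540)  # False
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The third scenario is the behaviour the lab below tries to confirm: without the extension fred's entry dies at 180 s no matter how much traffic flows, with it the same entry survives until 540 s.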

Verification

ping 192.168.0.3 source Lo0
ping 192.168.0.3 source Lo1
telnet 10.1.2.2 /source-interface Lo0
ping 192.168.0.3 source Lo0
ping 192.168.0.3 source Lo1
telnet 10.1.2.2 /source-interface Lo1
ping 192.168.0.3 source Lo1
show access-lists

If access-list dynamic-extended is enabled, telnet again:

! First authentication by fred
telnet 10.1.2.2 /source-interface Lo0
! Second authentication by fred
telnet 10.1.2.2 /source-interface Lo0

This should extend the absolute timeout by 6 minutes, and the router prints:

% List#101-MARKET absolute timer is extended

but the absolute timeout is not actually extended. Why?

Does this need a lab on physical equipment?

R1 Console Log

R2 Console Log

References

tech/network/cisco/security/network-security/acl/dynamic-acl-lock-and-key/dynamic-acl-lock-and-key.txt · Last modified: 2020/08/30 18:00 by wnoguchi