My Knowledge Base


This is an old revision of the document!

Cisco: Dynamic ACLs: Lock and Key


  1. absolute timeout
  2. idle timeout
  3. Verify that the absolute timeout is extended, on physical equipment (Cisco ISR 1841, 15.0)



configure terminal
access-list 101 permit tcp any host eq telnet
access-list 101 dynamic MARKET timeout 3 permit ip
access-list 101 permit eigrp any any
! When a telnet session is established again, the absolute timeout is extended by 6 minutes.
access-list dynamic-extended
username john password ccie1234
username fred password ccie5678
username john autocommand access-enable host timeout 1
username fred autocommand access-enable host timeout 2
line vty 0 15
 login local
interface GigabitEthernet 0/1
 ip access-group 101 in
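
An offline check for the lock-and-key timer settings used in the configuration above, added here as an example and not part of the original page. The sample config, the 192.0.2.1 address and the user "eve" are constructed; comparing each idle timeout against the smallest absolute timeout in the file is a simplifying assumption.

```python
import re

# Constructed sample modelled on the lab config above; 192.0.2.1 is a
# documentation address standing in for the router (assumption).
SAMPLE = """\
access-list 101 permit tcp any host 192.0.2.1 eq telnet
access-list 101 dynamic MARKET timeout 3 permit ip any any
access-list 102 dynamic OPEN permit ip any any
username john autocommand access-enable host timeout 1
username fred autocommand access-enable host timeout 5
username eve autocommand access-enable
"""

# Dynamic ACL entry; the optional group is the absolute timeout in minutes.
DYN = re.compile(r"^access-list (\d+) dynamic (\S+)(?: timeout (\d+))?", re.M)
# Per-user autocommand; the trailing group holds the access-enable arguments.
USR = re.compile(r"^username (\S+) autocommand access-enable(.*)$", re.M)


def audit(config):
    """Return (subject, finding) pairs for lock-and-key timer problems."""
    findings = []
    absolute = []  # absolute timeouts (minutes) of all dynamic entries
    for acl, name, tmo in DYN.findall(config):
        if tmo:
            absolute.append(int(tmo))
        else:
            findings.append((f"{acl}-{name}", "no absolute timeout"))
    for user, args in USR.findall(config):
        if not re.search(r"\bhost\b", args):
            # Without 'host' the temporary entry is not narrowed to the
            # address the user authenticated from.
            findings.append((user, "access-enable without host"))
        idle = re.search(r"\btimeout (\d+)", args)
        if not idle:
            findings.append((user, "no idle timeout"))
        elif absolute and int(idle.group(1)) >= min(absolute):
            findings.append((user, "idle timeout not below absolute timeout"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```

The timer values on this page (absolute 3, idle 1 and 2) produce no findings.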

Verification

ping source Lo0
ping source Lo1
telnet /source-interface Lo0
ping source Lo0
ping source Lo1
telnet /source-interface Lo1
ping source Lo1
show access-lists


access-list dynamic-extended

enabled, telnet again

! First authentication by fred
telnet /source-interface Lo0
! Second authentication by fred
telnet /source-interface Lo0

extends 6 minutes

% List#101-MARKET absolute timer is extended

But the absolute timeout is not extended… why…

Needs physical equipment lab?

R1 Console Log

R2 Console Log


tech/network/cisco/security/network-security/acl/dynamic-acl-lock-and-key/dynamic-acl-lock-and-key.1598777975.txt.gz · Last modified: 2020/08/30 17:59 by wnoguchi