Dynamic Access List Lock and Key Feature 5 Points

Make sure that during normal operation it is not possible to ping from R2 (Ethernet0/0) to R3 (FastEthernet0/0). After a Telnet login from R2 to R3, pings are allowed, but make sure that after 5 minutes of inactivity normal operation is restored. Routing should still be in place in both circumstances.

Dynamic Access List/Lock and Key Feature Solution

This is an example of the lock-and-key feature: a dynamic access list opens a temporary entry only after a user has authenticated to the router (here, via the vty line password). The temporary entry is removed again after a period of inactivity (5 minutes, in this case), and traffic falls back to the static entries of the list.

Example 8-79 configures R3 with an extended access list, 100.

Example 8-79 Extended Access List Configuration on R3

R3(config)#access-list 100 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
R3(config)#access-list 100 dynamic ?
  WORD  Name of a Dynamic list
R3(config)#access-list 100 dynamic blockping ?
  deny     Specify packets to reject
  permit   Specify packets to forward
  timeout  Maximum time for dynamic ACL to live
R3(config)#access-list 100 dynamic blockping timeout 5 ?
  deny    Specify packets to reject
  permit  Specify packets to forward
R3(config)#access-list 100 dynamic blockping timeout 5 permit icmp host 144.254.4.2 host 144.254.4.1
R3(config)#access-list 100 deny icmp host 144.254.4.2 host 144.254.4.1 echo
R3(config)#access-list 100 permit ip any any

Note the order of the entries: the dynamic statement comes first, so the temporary entry it generates is evaluated before the static deny of echo requests from R2 to R3. The timeout on the dynamic statement (5 minutes) is the absolute lifetime of a temporary entry, regardless of activity. The final permit ip any any keeps routing protocol traffic and the Telnet session to R3 itself working in both states.

After the ACL is defined, you must apply it inbound on the FastEthernet0/0 interface of R3 (the interface facing R2), and then configure the autocommand under the vty lines. The autocommand runs as soon as a user logs in, creates the temporary entry and then disconnects the session. Example 8-80 displays the vty line configuration.

Example 8-80 Vty Configuration

R3(config)#line vty 0 4
R3(config-line)#autocommand ?
  LINE                    Appropriate EXEC command
  no-suppress-linenumber  Display service linenumber message
R3(config-line)#autocommand access-enable ?
  LINE  <cr>
R3(config-line)#autocommand access-enable host timeout 5

The EXEC command that creates the temporary entry is access-enable; the host keyword restricts the entry to the source address of the Telnet session, and the timeout here (5 minutes) is the idle timeout, reset by each packet that matches the temporary entry.
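The complete R3 configuration for this task, gathered in one place, as an added example that is not taken from the original page. The interface addressing and the vty password (cisco, as shown in the Telnet example later) are assumptions; the commands are the standard IOS lock-and-key commands the page discusses.

```ios
! Added example, not from the original page. Assumes R3's FastEthernet0/0 is
! 144.254.4.1/24 facing R2 at 144.254.4.2 and that the vty password is "cisco".
!
! 1. The dynamic ACL. The dynamic statement must come before the static deny,
!    because the temporary entry created by access-enable is inserted at the
!    position of the dynamic statement. "timeout 5" here is the ABSOLUTE
!    lifetime of the temporary entry, in minutes, regardless of activity.
access-list 100 dynamic blockping timeout 5 permit icmp host 144.254.4.2 host 144.254.4.1
access-list 100 deny icmp host 144.254.4.2 host 144.254.4.1 echo
access-list 100 permit ip any any
!
! 2. Apply the list inbound on the interface facing R2. Without ip access-group
!    the list exists but filters nothing. Routing updates and the Telnet
!    session to R3 itself are still allowed by the final permit ip any any.
interface FastEthernet0/0
 ip address 144.254.4.1 255.255.255.0
 ip access-group 100 in
!
! 3. The vty lines. After a successful login the autocommand runs, creates a
!    temporary permit entry whose source is the Telnet client ("host"), and the
!    session is closed. "timeout 5" here is the IDLE timeout in minutes; every
!    matching packet resets it, so the entry disappears after 5 idle minutes.
line vty 0 4
 password cisco
 login
 autocommand access-enable host timeout 5
!
! Verification (EXEC mode):
!   show ip access-lists 100          - temporary entry, match counts, time left
!   clear access-template 100 blockping 144.254.4.2 144.254.4.1
!                                     - remove the temporary entry by hand
```

Two points a practitioner should check. First, because the absolute timeout and the idle timeout are both 5 minutes here, the absolute timer can remove the entry while R2 is still actively pinging; if the requirement is strictly "5 minutes of inactivity", give the dynamic statement a longer absolute timeout than the idle timeout on access-enable. Second, an autocommand on the vty line applies to every Telnet login, so administrators are also disconnected right after authenticating; the usual way around that is login local with the autocommand attached to a specific username (username name autocommand access-enable host timeout 5) rather than to the line. Finally, Telnet carries the password in cleartext, so on a real network the login that unlocks the entry should itself be protected (SSH, or an out-of-band management path).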

Example 8-81 displays a failed ping request from R2 to R3.

Example 8-81 ping 144.254.4.1 from R2

R2#ping 144.254.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.254.4.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The echo requests are dropped by the static deny entry in access list 100; the U characters are the ICMP unreachable (administratively prohibited) messages R3 returns for the denied packets, rate-limited, which is why they alternate with timeouts. A successful Telnet login to R3 is required before ICMP from R2 is permitted.

In Example 8-82, R2 telnets to R3 and passes authentication; the autocommand then creates the temporary entry and R3 closes the session automatically, so the user never reaches an EXEC prompt.

Example 8-82 Telnet from R2 to R3

R2#telnet 144.254.4.1
Trying 144.254.4.1 ... Open

User Access Verification

Password: cisco
[Connection to 144.254.4.1 closed by foreign host]

Example 8-83 now pings R3 from R2 successfully, twice in succession.

Example 8-83 ping 144.254.4.1 from R2

R2#ping 144.254.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.254.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#ping 144.254.4.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.254.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R2#

To monitor the temporary entry and the access violations, use the IOS command show ip access-lists 100. The output shows the temporary entry created under the dynamic statement, its match count and the time left before it expires; the match count on the static deny entry records the echo requests that were blocked before the Telnet login. To remove the temporary entry before it expires, use clear access-template.

Example 8-84 displays the accesses and violations on R3.

Example 8-84 show ip access-lists 100 Command on R3

R3#show ip access-lists
Extended IP access list 100
    Dynamic blockping permit icmp host 144.254.4.2 host 144.254.4.1
       permit icmp host 144.254.4.2 host 144.254.4.1 (30 matches) (time left 269)
    deny icmp host 144.254.4.2 host 144.254.4.1 echo (8 matches)
    permit ip any any (260 matches)
R3#
