Application of cisco Dynamic Access Control List

Source: Internet
Author: User

This article describes what a dynamic access list is, how it is used, what its syntax is, and how it is configured. After reading it, I believe you will understand the dynamic access lists of Cisco routers.

Dynamic access lists are a new type of access list. Even so, the syntax of a dynamic access list entry is very similar to that of a traditional extended access list entry, which was described in the previous chapter. The syntax of a dynamic access list entry is as follows:

access-list <access-list number> dynamic <name> [timeout n] [permit | deny] <protocol> any <destination IP> <destination mask>

The first parameter, <access-list number>, has the same format as a traditional extended access list: its number ranges from 100 to 199. The second parameter, <name>, is the string name of the dynamic access list entry. The [timeout n] parameter is optional; if it is used, it specifies the absolute timeout of the dynamic entry. <protocol> can be any traditional TCP/IP protocol, such as ip, tcp, udp, icmp, and so on. The source IP address is always replaced by the IP address of the authenticated host, so the source address in a dynamic entry always uses the keyword any. The destination IP address and destination mask are the same as in a traditional extended access list. For the destination IP address, the safest choice is to specify a single subnet or even a single host. Because only one dynamic entry can be specified in each access list, the protocol is generally set to ip or tcp.

The following is an example:

username cisco password cisco
username cisco autocommand access-enable host timeout 5
username test privilege 15 password test
access-list 100 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
access-list 100 dynamic test timeout 5 permit ip any host limit 1.1.1
int s1/1
 ip add 1.1.1.2 255.255.255.0
 ip acce 100 in
line vty 0 2
 login local
line vty 3 4
 login local
 rotary 1   (this step is not required during the test, but it is mentioned in the Cisco Access Control List Configuration Guide)

Analysis: the first line creates a local password database. The second line uses the autocommand command so that the router automatically creates an access control list entry when that user logs in. The third line also creates a local database entry; its purpose is discussed later. The following lines create the dynamic access list and apply the list to the interface; in fact, the dynamic entry is only part of the extended list. The local password database is invoked under line vty x x.
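The following is an added Python model (not from the article or from Cisco) of how the access list above evaluates traffic before and after access-enable inserts the temporary entry, and how that entry expires. It mirrors ACL 100 from the example, assumes the dynamic entry's destination is host 1.1.1.2, and treats timeout values as minutes, as IOS does.

```python
from ipaddress import ip_address, ip_network

# Constructed ACL modelled on the article's ACL 100 (assumption: the dynamic
# entry's destination is host 1.1.1.2). "any" means 0.0.0.0/0. A dynamic
# template never matches traffic itself; activation inserts a temporary entry
# whose source is the authenticated host, which is why the template says "any".
ACL_100 = [
    {"action": "permit", "proto": "tcp", "src": "1.1.1.1/32",
     "dst": "1.1.1.2/32", "dport": 23},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "1.1.1.2/32",
     "dynamic": "test", "timeout": 5},   # absolute timeout, minutes in IOS
]

def _prefix(p):
    return ip_network("0.0.0.0/0") if p == "any" else ip_network(p)

def _entry_matches(e, proto, src, dst, dport):
    if e["proto"] not in ("ip", proto):
        return False
    if ip_address(src) not in _prefix(e["src"]):
        return False
    if ip_address(dst) not in _prefix(e["dst"]):
        return False
    return e.get("dport") is None or e["dport"] == dport

def access_enable(acl, name, host, now_min):
    """Model `autocommand access-enable host`: insert a temporary entry under
    the dynamic template `name`, with the authenticated host as source."""
    for i, e in enumerate(acl):
        if e.get("dynamic") == name:
            tmp = {k: e[k] for k in ("action", "proto", "dst")}
            tmp.update(src=f"{host}/32", expires=now_min + e["timeout"])
            acl.insert(i + 1, tmp)
            return tmp
    raise KeyError(f"no dynamic entry named {name}")

def evaluate(acl, proto, src, dst, dport, now_min):
    """Return 'permit' or 'deny' for one packet at minute `now_min`. Expired
    temporary entries are removed first; templates are skipped; the ACL ends
    with the implicit deny."""
    acl[:] = [e for e in acl if e.get("expires", now_min + 1) > now_min]
    for e in acl:
        if "dynamic" in e:
            continue          # template only; never matches traffic
        if _entry_matches(e, proto, src, dst, dport):
            return e["action"]
    return "deny"
```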

The test result is as follows:

R2#
R2# sh ip acce   (view the access list before the dynamic entry is activated)
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet (231 matches)
    20 Dynamic test permit ip any host limit 1.1.1
R2#

Now telnet from R1 to check whether the connection succeeds; it should fail, because the dynamic entry has not been activated yet.

R1#
R1#
R1# telnet protocol 1.1.1
Trying retry 1.1.1...
% Destination unreachable; gateway or host down
R1#

Activate it as follows:

R1# telnet 1.1.1.2
Trying 1.1.1.2... Open
User Access Verification
Username: cisco
Password:
[Connection to 1.1.1.2 closed by foreign host]
R1#

Now let's look at the access control list after activation and see how it differs from before:

R2#
R2# sh ip acce
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet (303 matches)
    20 Dynamic test permit ip any host limit 1.1.1
       permit ip host 1.1.1.1 host limit 1.1.1
R2#

Now the telnet login should succeed.

R1#
R1# telnet protocol 1.1.1 3001
Trying retry 1.1.1, 3001... Open
User Access Verification
Username: test   (enter the user name and password here; we use test. A logon as the user cisco would be automatically kicked out, which is why a second user was created in the local password database)
Password:
R2#
R2#

This step shows that the test was successful. Do you understand it now?
