This article describes what a dynamic access list is, how it is used, and its syntax and configuration process. After working through it you should understand how dynamic access lists (lock-and-key) work on Cisco routers.
Dynamic access lists are a newer type of access list, but their syntax is very similar to that of the traditional extended access list entry described in the previous chapter. The syntax of a dynamic entry is as follows:
access-list <access-list-number> dynamic <name> [timeout n] {permit | deny} <protocol> any <destination-ip> <destination-mask>
The first parameter, <access-list-number>, has the same format as a traditional extended access list: it ranges from 100 to 199 (or 2000 to 2699 in the expanded range). The second parameter, <name>, is the string name of the dynamic entry. The [timeout n] parameter is optional; if it is given, it sets the absolute timeout of the dynamic entry, in minutes, after which the temporary entry is removed regardless of activity. <protocol> can be any traditional TCP/IP protocol, such as ip, tcp, udp or icmp. When a user authenticates, the source IP address in the temporary entry is replaced by the IP address of the authenticated host (this requires the host keyword on the access-enable autocommand; without it, the temporary entry keeps the source any and every host can use the opening), so the source address in the dynamic entry is always written with the keyword any. The destination IP and destination mask are the same as in a traditional extended access list. For the destination address, the safest choice is a single subnet or even a single host. Because only one dynamic entry can be specified per access list, the protocol is generally set to ip or tcp.
The following is an example:
username cisco password cisco
username cisco autocommand access-enable host timeout 5
username test privilege 15 password test
access-list 100 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
access-list 100 dynamic test timeout 5 permit ip any host 1.1.1
interface Serial1/1
 ip address 1.1.1.2 255.255.255.0
 ip access-group 100 in
line vty 0 2
 login local
line vty 3 4
 login local
 rotary 1
(The author notes that the rotary 1 step is not required for the test, but it is mentioned in the Cisco access list configuration guide. A rotary group n makes its vty lines listen on TCP port 3000+n, so a telnet to port 3001 reaches a line in rotary group 1.)
Analysis: the first line creates an entry in the local username database. The second line attaches an autocommand to that user so that, as soon as user cisco authenticates, the router automatically creates the temporary access list entry (access-enable) and then closes the session; the timeout 5 here is the idle timeout in minutes. The third line creates a second local user; its purpose is explained below. The following lines create the dynamic access list and apply it inbound on the interface; note that the dynamic entry is just one entry within the extended list, and everything not matched by entries 10 or 20 is dropped by the implicit deny at the end. Finally, login local on the vty lines makes them authenticate against the local username database.
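The following configuration is an added example and is not from the original article. It shows a complete lock-and-key configuration for R2 with the weak form commented out beside the hardened form, so that the two timers (idle versus absolute), the host keyword and the scope of the opened hole can be compared. It assumes the article's addresses (R1 at 1.1.1.1, R2 Serial1/1 at 1.1.1.2), assumes that the protected target is R2's own rotary port 3001, and the admin account name is an assumption.

```cisco
! Added example, not the article's own configuration.
! Assumed topology: R1 = 1.1.1.1, R2 Serial1/1 = 1.1.1.2 (from the article);
! protected service = R2 rotary group 1 on TCP 3001 (assumption).
!
! --- Weak form (for contrast only; do not use) ---
! username cisco password cisco
! username cisco autocommand access-enable
! access-list 100 dynamic test permit ip any any
!   Without 'host' the temporary entry keeps source 'any', so every host
!   can use the hole once one user authenticates. Without 'timeout' on
!   either the autocommand or the dynamic entry, the hole never expires,
!   and 'ip any any' opens everything rather than one service.
!
! --- Hardened form ---
! 'secret' stores a hash; 'password' stores a reversible type-7 string.
username cisco secret cisco
! 'host'      -> source in the temporary entry becomes the authenticated host
! 'timeout 5' -> idle timeout: entry removed after 5 minutes without traffic
username cisco autocommand access-enable host timeout 5
! Second account with no autocommand, used for the real management session
! (assumed name 'admin'; the article uses 'test').
username admin privilege 15 secret test
!
! Entry 10 lets R1 reach the router only to authenticate.
access-list 100 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet
! Entry 20 is the dynamic template. 'timeout 10' is the absolute timeout
! in minutes; keep it longer than the idle timeout, otherwise the idle
! timer never matters. Open one host and one port, not 'ip any'.
access-list 100 dynamic test timeout 10 permit tcp any host 1.1.1.2 eq 3001
! Implicit 'deny ip any any' ends the list.
!
interface Serial1/1
 ip address 1.1.1.2 255.255.255.0
 ip access-group 100 in
!
line vty 0 2
 login local
line vty 3 4
 login local
 rotary 1
```

Verify with show ip access-lists: before anyone authenticates, only the template line appears under entry 20; after a successful login as cisco, an indented temporary permit line with the authenticated host as source appears beneath it and disappears again when either timer expires. A temporary entry can also be removed by hand with the clear access-template command.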
The test result is as follows:
R2#
R2# sh ip access-lists   (view the access list before the dynamic entry is activated)
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet (231 matches)
    20 Dynamic test permit ip any host 1.1.1
R2#
From R1, telnet to 1.1.1 to check; the attempt should fail, because the dynamic entry has not been activated yet.
R1 #
R1 #
R1# telnet 1.1.1
Trying 1.1.1 ...
% Destination unreachable; gateway or host down
R1 #
Activate the entry by telnetting to R2 and authenticating as user cisco; the autocommand creates the temporary entry and then closes the connection:
R1 # telnet 1.1.1.2
Trying 1.1.1.2... Open
User Access Verification
Username: cisco
Password:
[Connection to 1.1.1.2 closed by foreign host]
R1 #
Now look at the access list after activation and compare it with the state before:
R2#
R2# sh ip access-lists
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 1.1.1.2 eq telnet (303 matches)
    20 Dynamic test permit ip any host 1.1.1
       permit ip host 1.1.1.1 host 1.1.1
R2#
The indented line under entry 20 is the temporary entry: the source any has been replaced by the authenticated host 1.1.1.1. A telnet from R1 to 1.1.1 should now succeed:
R1 #
R1# telnet 1.1.1 3001
Trying 1.1.1, 3001 ... Open
User Access Verification
Username: test   (the username and password used here are test; logging in as cisco would be disconnected again immediately by the autocommand, which is why the second local account was created)
Password:
R2 #
R2 #
This shows that the test succeeded: the temporary entry created by the authenticated user cisco is what allowed the second session through the access list.