7/11/2011

netlinx.org forum - down

Because of a security vulnerability in the forum, we had to stop it. ETA: unknown

7/02/2011

dynamic access-list - the small trick

A short note about dynamic ACLs:

If you are going to use a dynamic ACL to allow some kind of access to a service or server with an absolute timer, it is very important to remember that you need to enable the "absolute timer" extension for the ACLs:


R1(config)#access-list dynamic-extended


The other thing you have to remember is to add the autocommand sub-option. If you cannot remember which options should follow it, they are available in exec mode:



R1(config)#username ENABLE autocommand ?
LINE Command to be automatically issued after the user logs in



R1#access-enable ?
host Enable a specific host only
timeout Maximum idle time to expire this entry


Example ACL with a dynamic statement:
ip access-list extended DYN
permit tcp any any eq telnet
permit tcp any any eq 7001
permit udp any any eq rip
dynamic ACCESS timeout 15 permit tcp any any eq www
deny ip any any
deny ip any any log


VTY configuration:

R1(config-line)#autocommand access-enable timeout 5



One very important note from the INE technology workbook: be careful with AAA authorization when you are using a dynamic ACL. The reason is that you must use local exec authorization with none or if-authenticated.
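
The reminders in this note can be checked mechanically against a saved configuration. The Python audit below is an added example, not part of the original note or of any Cisco tooling; the function name, finding codes and sample configuration are constructed for illustration. The `host` check is based on the `access-enable ?` help text shown above ("Enable a specific host only").

```python
import re

# Constructed sample config, assembled from the fragments in this note.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization exec default local if-authenticated
access-list dynamic-extended
ip access-list extended DYN
 permit tcp any any eq telnet
 dynamic ACCESS timeout 15 permit tcp any any eq www
 deny ip any any log
line vty 0 4
 autocommand access-enable timeout 5
"""

def audit_lock_and_key(config):
    """Return a list of (code, detail) findings for a dynamic ACL setup."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if not any(re.search(r"\bdynamic\s+\S+", ln) for ln in lines):
        return [("NO_DYNAMIC_ENTRY", "no 'dynamic' ACL entry in this config")]
    findings = []
    # The absolute-timer extension is a separate global command.
    if "access-list dynamic-extended" not in lines:
        findings.append(("NO_TIMER_EXTENSION", "access-list dynamic-extended is missing"))
    # Something has to run access-enable at login (vty line or username).
    enables = [ln for ln in lines if re.search(r"\bautocommand\s+access-enable\b", ln)]
    if not enables:
        findings.append(("NO_AUTOCOMMAND", "no 'autocommand access-enable' found"))
    for ln in enables:
        # Without 'host' the entry is not limited to the authenticating host.
        if not re.search(r"\bhost\b", ln):
            findings.append(("NO_HOST_KEYWORD", ln))
    # With AAA on, the note requires local exec authorization with
    # none or if-authenticated.
    if "aaa new-model" in lines:
        ok = any(re.match(r"aaa authorization exec\b", ln)
                 and re.search(r"\blocal\b", ln)
                 and re.search(r"\b(none|if-authenticated)\b", ln)
                 for ln in lines)
        if not ok:
            findings.append(("AAA_EXEC_AUTHZ", "exec authorization is not local with none/if-authenticated"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_lock_and_key(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```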