Skip to main content

dynamic access-list - the small trick

short note about the dynamic ACLs:

if you are going to use dynamic ACL to allow some kind of access to service/server with absolute timer it's very important to remember that you need to enable the "absolute timer" extensive of the ACL's


R1(config)#access-list dynamic-extended


and the rest that you have to remember is to put autocommand sub option but if you cannot remember what should be options after that they are available in exec mode



R1(config)#username ENABLE autocommand ?
LINE Command to be automatically issued after the user logs in



R1#access-enable ?
host Enable a specific host only
timeout Maximum idle time to expire this entry


example acl with dynamic statement
ip access-list extended DYN
permit tcp any any eq telnet
permit tcp any any eq 7001
permit udp any any eq rip
dynamic ACCESS timeout 15 permit tcp any any eq www
deny ip any any
deny ip any any log


vty configuration

R1(config-line)#autocommand access-enable timeout 5



One very important note from the INE technology workbook is to be careful with the AAA authorization when you are using dynamic ACL - the reason of that is you must using local exec authorization with non or if-authenticated
Labels:

Popular posts from this blog

Juniper IS-IS summary

##################################################################################################### ## ISIS ##################################################################################################### # Be sure to set family iso on the interface to be placed into ISIS set interfaces <interface> family iso # By default Junos places interfaces as L1/L2 # Default route leaking:         L1 to L2 - all internal routes         L2 to L1 - 0/0 route # L1/L2 will send the attached-bit down to L1 and it will act as a NSSA-like area.  When the L1 interface # receives the attached-bit it will inject a 0/0 route into the RIB point to the L1/L2 interface. # To disable the attached bit use: set protocols isis ignore-attached-bit # Be careful with the "interface all" command, as it may have some unexpected consequences such as trying # to establish a neighbor on your fxp0 management...
Read more >>

IOS on Unix (IOU)

source http://evilrouters.net/2011/01/18/cisco-iou-faq/ What is IOU? From the Cisco Engineering Education web site (a long time ago): IOS on Unix (IOU) is a fully working version of IOS that runs as a user mode UNIX (Solaris) process. IOU is built as a native Solaris image and run just like any other program. IOU supports all platform independent protocols and features. What operating systems does IOU run on? It is my understanding that, initially, IOU was Solaris (SPARC) only. Nowadays, however, there are also builds for OS X and Linux. Similar to dynamips, IOU allows you to build out a network topology on a computer, without the need for physical routers. This is useful for validating designs, proof-of-concept testing, and certification self-study. Is my system compatible with IOU? You will need to be running the operating system that your IOU image were built for, obviously. Other than that, there are no special requirements to run IOU. It is not very CPU- or memory-intensive, unlik...
Read more >>

Beijing - China

I am not sure how to describe Beijing China, maybe everyone who goes their simply use the world 'Amazing' because it will be nearly impossible to describe it. I had a personal driver and tour guide which significantly simplify my trip around.  Of course, it was a business trip and I didn't have as much time as I needed to see everything from Beijing but I will try to share couple of pictures and some of my impressions. I will start with the food.  I remember when I was younger there was so many Chines restaurants in the neighbourhood and I could eat Chines food everyday, and at every time - my parents were joking that I will became a Chines if I continue to eat only Chines, but it was so good and I didn't care ;-)  In Beijing I tried so many different things and I am amazed by the quality of the food, and most amazingly I didn't have any problems with my stomach - which was a good sign ;-) . I uploaded few photos from my album, which are from different places I ...
Read more >>