Dynamic ACL
Dynamic ACLs (also called lock-and-key ACLs) allow users to send traffic through the router only after an authentication process.
Dynamic ACLs are configured as follows:
Let's create a local user with a password on R5. Then configure the access-enable autocommand to make the dynamic ACL work.
Please note that the TAB key will not complete the "access-enable host" command!!!
R4#
interface FastEthernet0/0
ip address 10.50.45.4 255.255.255.0
R5#
!
interface FastEthernet0/0
ip address 10.50.45.5 255.255.255.0
ip access-group TEST_DYN in
!
interface FastEthernet0/1
ip address 10.50.56.5 255.255.255.0
!
ip access-list extended TEST_DYN
! to keep our OSPF session alive
permit ospf any any
! to allow telnet to R5 itself
permit tcp any host 10.50.45.5 eq telnet
! just for testing connectivity
permit icmp any any log-input
! template entry: permits a telnet session to any host once activated
dynamic TEST permit tcp any any log-input
!
! for monitoring access-list operation
ip access-list log-update threshold 1
!
! creating a username with a password
username cisco password 0 cisco
!
line vty 0 4
! allow our user to telnet to R5
login local
!
! invokes the access-enable command so that an authenticated user "turns on" the dynamic ACL
username cisco autocommand access-enable host
Let's try:
Let's look at the dynamic ACL before we initiate a TCP session (a telnet session in our example) through R5:
R5(config-ext-nacl)#do sh ip access
Extended IP access list TEST_DYN
10 permit ospf any any (11 matches)
15 permit tcp any host 10.50.45.5 eq telnet
20 permit icmp any any log-input
30 Dynamic TEST permit tcp any any log-input
Telnet to R6...
R4#telnet 6.6.6.6
Trying 6.6.6.6 ...
% Destination unreachable; gateway or host down
Now let's telnet to the R5 interface on which we configured the dynamic ACL:
R4#telnet 10.50.45.5
Trying 10.50.45.5 ... Open
User Access Verification
Username: cisco
Password:
[Connection to 10.50.45.5 closed by foreign host]
After the username and password were checked, R5 closed the session (this is the autocommand at work).
Now let's look at the ACL:
R5(config-ext-nacl)#do sh ip access
Extended IP access list TEST_DYN
10 permit ospf any any (92 matches)
15 permit tcp any host 10.50.45.5 eq telnet (84 matches)
20 permit icmp any any log-input
30 Dynamic TEST permit tcp any any log-input
30 permit tcp host 10.50.45.4 any log-input #a new temporary ACE appeared with the IP address of our R4 interface as source
R4#telnet 6.6.6.6
Trying 6.6.6.6 ... Open
User Access Verification
Username: cisco
Password:
R6>exit
Success! ))
On R5 we can see the ACL threshold logging in action:
R5(config-ext-nacl)#
*Nov 19 06:16:40.931: %SEC-6-IPACCESSLOGP: list TEST_DYN permitted tcp 10.50.45.4(65223) (FastEthernet0/0 ca04.5184.0008) -> 6.6.6.6(23), 1 packet
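To make the lock-and-key flow shown above easier to reason about, here is a small Python model of TEST_DYN (an added example, not part of the original post and not IOS code). It assumes the IOS behaviour the walkthrough demonstrates: the "dynamic" entry is only a template that matches no traffic, and a successful login followed by access-enable host inserts a temporary ACE at the template's position with the authenticated host as the source.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Ace:
    seq: int
    proto: str                      # "ospf", "tcp", "icmp"
    src: str                        # "any" or a host address
    dst: str                        # "any" or a host address
    dport: Optional[int] = None     # destination port, if the ACE has "eq"
    dynamic: Optional[str] = None   # set on the "dynamic NAME" template entry
    temporary: bool = False         # True for entries created by access-enable

class LockAndKeyAcl:
    def __init__(self, entries: List[Ace]):
        self.entries = list(entries)

    def access_enable_host(self, host: str) -> Ace:
        """Model the 'access-enable host' autocommand: copy the dynamic template
        into a temporary ACE whose source is the authenticated host and place it
        right after the template (IOS shows both with the same sequence number)."""
        tmpl = next(e for e in self.entries if e.dynamic)
        ace = Ace(tmpl.seq, tmpl.proto, host, tmpl.dst, tmpl.dport, temporary=True)
        self.entries.insert(self.entries.index(tmpl) + 1, ace)
        return ace

    def permits(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
        """Top-down evaluation; the dynamic template itself never matches traffic."""
        for e in self.entries:
            if e.dynamic or e.proto != proto:
                continue
            if e.src != "any" and e.src != src:
                continue
            if e.dst != "any" and e.dst != dst:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            return True
        return False  # implicit deny at the end of every IOS ACL

def build_test_dyn() -> LockAndKeyAcl:
    """TEST_DYN as configured on R5 above (constructed model, not IOS output)."""
    return LockAndKeyAcl([
        Ace(10, "ospf", "any", "any"),
        Ace(15, "tcp", "any", "10.50.45.5", 23),
        Ace(20, "icmp", "any", "any"),
        Ace(30, "tcp", "any", "any", dynamic="TEST"),
    ])
```

Before access_enable_host("10.50.45.4") the model denies R4's telnet to 6.6.6.6 and only allows telnet to R5 itself; afterwards R4 (and only R4) reaches 6.6.6.6, matching the two show outputs above. On a real router the temporary entry stays until its timeout expires or it is cleared, and the configuration above sets no timeout at all, which is worth keeping in mind when reviewing such an ACL.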
See you.
Best Regards!