Dynamic (Lock-and-Key) ACL
- Dynamic (Lock-and-Key) Access Control Lists are used to block user traffic until the user telnets to the router.
- A dynamic access list is based on an extended ACL that starts with an entry blocking traffic through the router.
- When the user telnets to the router, a dynamic entry that allows the user's traffic to pass is added to the ACL, and the Telnet connection is dropped. User traffic then passes through the router until the timeout timer expires.

Client# ping 172.16.0.2
! ! ! ! !
ROUTER(config)# username admin password 0 pass
ROUTER(config)# enable secret pass
ROUTER(config)# line vty 0 4
ROUTER(config-line)# login local
ROUTER(config-line)# autocommand access-enable host timeout 5
ROUTER(config-line)# exit
ROUTER(config)# ip access-list extended 100
ROUTER(config-ext-nacl)# permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
ROUTER(config-ext-nacl)# dynamic MYLIST timeout 5 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
ROUTER(config-ext-nacl)# exit
ROUTER(config)# interface fastEthernet 0/0
ROUTER(config-if)# ip access-group 100 in
- The line "autocommand access-enable host timeout 5" triggers the ACL to create a temporary access-list entry and enables access for the host from which the Telnet session originated. The timeout of 5 is an idle timeout: if no activity happens within these 5 minutes, access is blocked again.
- Now, let's issue a ping from the Client (Host) to the Server:

Good! That's what we were expecting.
Next we telnet to the Router to create the dynamic ACL entry and allow traffic to pass.

If you verify the ACL on the Router, you can see that one new (dynamic) entry has been added, so communication works for up to 5 minutes.

The last entry was created dynamically and allows traffic from host 10.0.0.2 (Client) to the 172.16.0.0/24 network (Server network).
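To make the sequence above concrete, here is an added Python model of how a router evaluates access list 100 with a Lock-and-Key entry. It is example code written for this page, not Cisco's implementation: the packet tuples, the extra host 10.0.0.3, the timestamps (in minutes) and the second scenario with a 2-minute idle timer are all constructed for illustration. The model keeps the two timers apart, the idle timer from the `autocommand access-enable host timeout 5` line and the absolute timer from `dynamic MYLIST timeout 5`, so you can see which one ends a session.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    """One line of the extended ACL; proto "ip" matches any protocol."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    dynamic: bool = False                   # a `dynamic NAME timeout N ...` template
    absolute_timeout: float = float("inf")  # minutes, from the template's `timeout N`


@dataclass
class TempEntry:
    """Temporary entry that `access-enable host` creates for one source host."""
    template: Entry
    host: ipaddress.IPv4Address
    created: float
    last_hit: float


def wildcard(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Turn Cisco address/wildcard notation (10.0.0.0 0.0.0.255) into a network."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


class LockAndKeyACL:
    def __init__(self, entries, idle_timeout):
        self.entries = entries
        self.idle_timeout = idle_timeout  # minutes, from `autocommand access-enable host timeout N`
        self.temp = []                    # temporary entries currently in the list

    def _expire(self, now):
        """Drop temporary entries whose idle or absolute timer has run out."""
        self.temp = [t for t in self.temp
                     if now - t.last_hit < self.idle_timeout
                     and now - t.created < t.template.absolute_timeout]

    @staticmethod
    def _match(entry, pkt, src_net):
        if entry.proto not in ("ip", pkt.proto):
            return False
        if ipaddress.IPv4Address(pkt.src) not in src_net:
            return False
        if ipaddress.IPv4Address(pkt.dst) not in entry.dst:
            return False
        return entry.dport is None or entry.dport == pkt.dport

    def check(self, pkt, now):
        """Return "permit" or "deny" for pkt at time `now` (minutes)."""
        self._expire(now)
        for entry in self.entries:
            if not entry.dynamic:
                if self._match(entry, pkt, entry.src):
                    return entry.action
                continue
            # The template line never matches traffic itself; only temporary
            # entries created from it do, and each covers one source host.
            for t in self.temp:
                if t.template is entry and self._match(
                        entry, pkt, ipaddress.IPv4Network(f"{t.host}/32")):
                    t.last_hit = now      # matching traffic restarts the idle timer
                    return entry.action
        return "deny"                     # implicit deny at the end of every ACL

    def telnet_login(self, host, now):
        """Model `autocommand access-enable host`: a successful login adds a
        temporary entry for the Telnet session's source host, then the session closes."""
        for entry in self.entries:
            if entry.dynamic:
                self.temp.append(TempEntry(entry, ipaddress.IPv4Address(host), now, now))


def acl_100(idle_timeout=5):
    """Access list 100 from the configuration above, modelled line by line."""
    entries = [
        Entry("permit", "tcp", wildcard("10.0.0.0", "0.0.0.255"),
              ipaddress.IPv4Network("10.0.0.1/32"), dport=23),
        Entry("permit", "ip", wildcard("10.0.0.0", "0.0.0.255"),
              wildcard("172.16.0.0", "0.0.0.255"), dynamic=True, absolute_timeout=5),
    ]
    return LockAndKeyACL(entries, idle_timeout)


def walkthrough():
    """Replay the page's scenario; timestamps are constructed, in minutes."""
    acl = acl_100()
    ping = Packet("10.0.0.2", "172.16.0.2", "icmp")
    telnet = Packet("10.0.0.2", "10.0.0.1", "tcp", dport=23)
    r = {}
    r["ping_before_login"] = acl.check(ping, 0)     # deny: only the Telnet line is active
    r["telnet_to_router"] = acl.check(telnet, 0)    # permit: the static first line
    acl.telnet_login("10.0.0.2", 0)                 # autocommand fires, session dropped
    r["ping_after_login"] = acl.check(ping, 1)      # permit via the temporary entry
    r["other_host"] = acl.check(Packet("10.0.0.3", "172.16.0.2", "icmp"), 1)  # deny
    r["ping_at_4min"] = acl.check(ping, 4)          # permit: idle 3 min, absolute 4 min
    r["ping_at_5min"] = acl.check(ping, 5)          # deny: absolute timeout reached
    # Constructed variant with a 2-minute idle timer: the idle timer expires first.
    acl2 = acl_100(idle_timeout=2)
    acl2.telnet_login("10.0.0.2", 10)
    r["idle_variant_ok"] = acl2.check(ping, 11)          # permit
    r["idle_variant_expired"] = acl2.check(ping, 13.5)   # deny: idle 2.5 min
    return r


if __name__ == "__main__":
    for name, verdict in walkthrough().items():
        print(f"{name:22} {verdict}")
```

Two points the model makes visible. First, the temporary entry is bound to the single host that logged in, so another host on 10.0.0.0/24 stays blocked until it authenticates itself. Second, the `timeout 5` on the `dynamic` line is an absolute limit counted from the login, while the `timeout 5` on the autocommand line is the idle limit; with both set to 5 as on this page the entry is removed 5 minutes after login even if the host is still sending traffic, which is what `ping_at_5min` shows. Whichever timer you tune, `show access-lists` on the router is the check that the temporary entry is present and that it disappears when expected.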
Thank you very much...!