Dynamic ACL statement order

jaighobahi · ‎06-16-2013

Hi All,

I have spent a whole day struggling with a basic dynamic ACL that seemed to deny hhtp traffic that it is supposed to permit. Please, look at the exceprts below and perhaps, explain why one works and the other doesn't work;

RTA(config-if)#

do show ip access-lists

Extended IP access list 120

10 permit tcp any any eq telnet (111 matches)

20 Dynamic temporaryList permit tcp any host 223.223.223.254 eq www

permit tcp host 10.1.1.1 host 223.223.223.254 eq www (time left 777)

The above does not permit http traffic from host 10.1.1.1 destined for host 223.223.223.254.

RTA(config-if)#do show ip access-lists

Extended IP access list 120

10 Dynamic temporaryList permit tcp any host 223.223.223.254 eq www

permit tcp host 10.1.1.1 host 223.223.223.254 eq www (time left 300)

20 permit tcp any any eq telnet (44 matches)

The above permits http traffic from host 10.1.1.1 destined for host 223.223.223.254.

The only thing different between the ACLs, as far as I can see, is the order of the statements. One statement specifically permits telnet traffic and the other statement specifically permits http traffic. They both use tcp protocol. Their order would not matter in normal extended ACL so, why does it matter in dynamic ACL?

Thanks for your help.

Giuseppe Larosa · ‎06-21-2013

Hello Jaighobahi,

I have looked at my own tests on the feature and the dynamic entry is in first positioni in the ACL.

However, in my study notes I have written that is possible to have the dynamic entry in a different position,

In my notes I see the use of the autocommand under line vty configuration mode

something like this

conf t

line vty 0 4

autocommand access-enable timeout 5

WARNINGS:

a) my tests have been done several years ago in 2005

b) at those times I have seen strange interaction of lock & key acl with AAA and AAA new-model

so be careful in your tests

Hope to help

Giuseppe