[Cisco] How to configure Dynamic Access List with time-range
Written by CiscoNET   

This dynamic access list is not commonly used, but it is good to know. The scenario below shows that once a client is authorized by a Telnet login, the client can access beyond the port (the Ethernet interface in this case).

[Router Configuration]
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CPE
!
boot-start-marker
boot-end-marker
!
ip cef
no ip domain lookup
!
username acl password 0 acl
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet2/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet3/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
!
interface FastEthernet5/0
ip address 200.200.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface FastEthernet6/0
no ip address
shutdown
duplex auto
speed auto
!
no ip http server
no ip http secure-server
ip forward-protocol nd
!
access-list 101 permit tcp any any eq telnet
access-list 101 dynamic access permit ip any any log time-range work-hour
!
control-plane
!
no alias exec r
no alias exec s
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
privilege level 15
login local
autocommand access-enable timeout 1
!
time-range work-hour
periodic daily 7:30 to 8:00
!
end

[Verifying output]
** A Cisco 3660 is used to simulate the PC in this sample configuration
1. Ping the IP of the CPE router's Ethernet interface before access has been authorized by a Telnet login.
pc1# ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc1#

2. Telnet into the CPE. The session is closed right away, but the login triggers opening of the ACL for subsequent traffic from PC1.

CPE#sh clock
07:59:31.447 UTC Fri Mar 1 2002
CPE#

CPE#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any any eq telnet (339 matches)
20 Dynamic access permit ip any any log time-range work-hour (active)
CPE#


pc1#telnet 200.200.1.1

Trying 200.200.1.1 ... Open


User Access Verification

Username: acl
Password:
[Connection to 200.200.1.1 closed by foreign host]
pc1#

CPE#sh ip access-lists 101
Extended IP access list 101
10 permit tcp any any eq telnet (396 matches)
20 Dynamic access permit ip any any log time-range work-hour (active)
permit ip any any log time-range work-hour (active) (5 matches) (time left 56)
CPE#


Now the CPE allows traffic from PC1.
pc1#ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/25/76 ms
pc1#
3. If traffic is idle for over 120 seconds, the ACL entry is closed, because the configuration specifies a 120 second idle allowance time.
pc1#ping 200.200.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
pc1#
CPE#sh clock
08:01:41.283 UTC Fri Mar 1 2002
CPE#sh ip access-lists 101
Extended IP access list 101
    10 permit tcp any any eq telnet (396 matches)
    20 Dynamic access permit ip any any log time-range work-hour (inactive)
CPE#
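As an added example (not part of the original article), the Python script below parses "sh ip access-lists" output in the format shown above and reports which login-created temporary entries are open and whether they are bound to a specific source host. The two samples embedded in it are constructed copies of the captures from steps 2 and 3. Two things worth noticing in those captures: the temporary entry is "permit ip any any" because the autocommand uses "access-enable timeout 1" without the "host" keyword, so the login unlocks the list for every source address (with "access-enable host timeout 1", IOS substitutes the authenticating host's address for the source; this is documented IOS behaviour, not shown on the page), and the dynamic template shows (inactive) at 08:01 because the work-hour time-range (7:30 to 8:00) has ended, independent of the idle timer whose countdown appears as "(time left 56)".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input, copied in shape from the "sh ip access-lists 101"
# captures on this page: one while the temporary entry is open, one after it closed.
SAMPLE_OPEN = """Extended IP access list 101
    10 permit tcp any any eq telnet (396 matches)
    20 Dynamic access permit ip any any log time-range work-hour (active)
       permit ip any any log time-range work-hour (active) (5 matches) (time left 56)
"""

SAMPLE_CLOSED = """Extended IP access list 101
    10 permit tcp any any eq telnet (396 matches)
    20 Dynamic access permit ip any any log time-range work-hour (inactive)
"""


@dataclass
class AceEntry:
    kind: str                        # "static", "dynamic" (the template) or "temporary" (opened by a login)
    action: str                      # permit / deny
    proto: str
    src: str
    dst: str
    seq: Optional[int] = None
    name: Optional[str] = None       # dynamic list name, only on the template entry
    state: Optional[str] = None      # active / inactive, as printed by IOS
    matches: int = 0
    time_left: Optional[int] = None  # seconds left before an idle temporary entry closes


# One ACE line: optional sequence number, optional "Dynamic <name>", action, protocol,
# the address/option body, then any number of trailing "(...)" annotations.
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?:Dynamic\s+(?P<name>\S+)\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<body>.*?)\s*"
    r"(?P<tail>(?:\([^)]*\)\s*)*)$"
)


def _take_addr(tokens: List[str]):
    """Consume one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_access_list(text: str) -> List[AceEntry]:
    """Parse 'show ip access-lists' output into entries; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = m.group("body").split()
        if len(tokens) < 2:
            continue  # not a source/destination pair we can interpret
        src, rest = _take_addr(tokens)
        dst, _ = _take_addr(rest)
        tail = m.group("tail")
        state = re.search(r"\((active|inactive)\)", tail)
        matches = re.search(r"\((\d+) matches\)", tail)
        left = re.search(r"\(time left (\d+)\)", tail)
        if m.group("name"):
            kind = "dynamic"
        elif m.group("seq"):
            kind = "static"
        else:
            kind = "temporary"  # IOS prints login-created entries without a sequence number
        entries.append(AceEntry(
            kind=kind, action=m.group("action"), proto=m.group("proto"), src=src, dst=dst,
            seq=int(m.group("seq")) if m.group("seq") else None,
            name=m.group("name"),
            state=state.group(1) if state else None,
            matches=int(matches.group(1)) if matches else 0,
            time_left=int(left.group(1)) if left else None,
        ))
    return entries


def open_temporary(entries: List[AceEntry]) -> List[AceEntry]:
    """Temporary entries currently open, i.e. a login has unlocked the list."""
    return [e for e in entries if e.kind == "temporary" and e.state == "active"]


def unscoped_temporary(entries: List[AceEntry]) -> List[AceEntry]:
    """Open temporary entries whose source is 'any': the login unlocked the list for every host."""
    return [e for e in open_temporary(entries) if e.src == "any"]


if __name__ == "__main__":
    for label, sample in (("while open", SAMPLE_OPEN), ("after close", SAMPLE_CLOSED)):
        ents = parse_access_list(sample)
        print(label, "open:", len(open_temporary(ents)), "unscoped:", len(unscoped_temporary(ents)))
```

Run against a live capture, unscoped_temporary() is the check to alarm on: an open entry with source "any" means the lock-and-key login has opened the interface to more than the host that authenticated, and time_left tells you how long until the idle timer closes it again.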