Wednesday, February 22, 2012

TIME + DYNAMIC ACL

Time Based ACL

  • An access-list entry defined with a time range, so the acl allows (or denies) certain traffic only during certain hours
  • Uses the time-range keyword: absolute is a once-off window while periodic is recurring
  • We need a reliable time source, such as NTP, so the router clock (and therefore the time range) is correct across the network
Commands


time-range "name"
 periodic Friday 00:01 to 21:22
 absolute start 00:01 1 January 2012 end 21:22 31 December 2012

access-list 101 deny tcp any any eq 80 time-range "name"


Dynamic ACL

  • Also known as lock-and-key access-lists
  • A user can authenticate to the router to open up an access-list entry dynamically
  • For example, we only allow telnet to one device from one source; if that source can authenticate, telnet is then allowed to any device in the subnet
  • access-enable is run on the cli after login to activate the dynamic entry
  • We can use autocommand to run access-enable automatically at login to make the process simpler
  • Otherwise the user logs in and types access-enable on the cli
Commands

access-list "aclno" permit tcp "ip source" "ip destination" eq 23
access-list "aclno" dynamic "dynamic-name" [timeout minutes] permit tcp "ip source" any eq 23

int s0/0
ip access-group "aclno" in

username "name" password "password"
line vty 0 4
login local
username "name" autocommand access-enable

LAB


ok, we create the time range
r5(config)#time-range workhours
r5(config-time-range)#periodic Tuesday 00:01 to 21:22
associate it with the acl
r5(config)#access-list 101 deny tcp any any eq 23 time-range workhours
r5(config)#access-list 101 permit ip any any

apply it to the interface
r5(config)#int s0/0/0
r5(config-if)#ip access-group 101 out
r5(config-if)#

r5#sh time-range
time-range entry: workhours (active)
   periodic Tuesday 0:01 to 21:22
   used in: IP ACL entry
r5#sh clock
*21:18:29.599 UTC Tue Feb 21 2012
r5#

s2
---

I cannot telnet:
s2#telnet 2.1.1.1
Trying 2.1.1.1 ...
% Destination unreachable; gateway or host down
s2#telnet 2.1.1.1
Trying 2.1.1.1 ...
% Destination unreachable; gateway or host down
s2#telnet 2.1.1.1
Trying 2.1.1.1 ...
% Destination unreachable; gateway or host down

r5
---
ok so it is now 21:23, so the time range (and the deny entry) is inactive
r5#sh clock
*21:23:01.975 UTC Tue Feb 21 2012
r5#sh time-range
time-range entry: workhours (inactive)
   periodic Tuesday 0:01 to 21:22
   used in: IP ACL entry
r5#

s2
===
s2#telnet 2.1.1.1
Trying 2.1.1.1 ... Open

User Access Verification
Username: cisco
Password:
% Login invalid
Username: cisco
Password:
s1>
I can now get to s1 via telnet

Dynamic access-list

ok, for the dynamic access-list we are now on s1 and trying to telnet in to s2, but the only way we should be allowed through is if we authenticate first

r5
----
I have cleared the previous config
ok, we will specify our dynamic access-list
r5(config)#access-list 105 permit tcp any host 5.5.5.5 eq 23
r5(config)#access-list 105 permit eigrp any any
r5(config)#access-list 105 dynamic 1 permit tcp any any eq 23
r5(config)#access-list 105 deny ip any any
r5(config)#int s0/0/0
r5(config-if)#ip access-group 105 in
r5(config-if)#

the only way the dynamic entry gets activated is by running access-enable after logging in, so we need local login on the vty lines
r5(config)#line vty 0 4
r5(config-line)#login local
r5(config-line)#exit
r5(config)#username cisco password cisco
r5(config)#enable password cisco

s1
---
I cannot telnet to s2:
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down
s1#telnet 22.2.2.2
Trying 22.2.2.2 ...
% Destination unreachable; gateway or host down

we can telnet to r5
s1#telnet 5.5.5.5
Trying 5.5.5.5 ... Open

User Access Verification
Username: cisco
Password:
r5>en
Password:

when we run the command on r5
r5#access-enable
r5#exit
[Connection to 5.5.5.5 closed by foreign host]
Now we can telnet to 22.2.2.2 as the dynamic access-list entry has been created
s1#telnet 22.2.2.2
Trying 22.2.2.2 ... Open

User Access Verification
Username: cisco
Password:
s2>

r5
----
r5#sh access-list 105
Extended IP access list 105
    10 permit tcp any host 5.5.5.5 eq telnet (201 matches)
    20 permit eigrp any any (600 matches)
    30 Dynamic 1 permit tcp any any eq telnet
       permit tcp any any eq telnet (28 matches)
    40 deny ip any any (200 matches)
r5#
we can see the dynamic entry got matches

to make things easier on r5 we can assign an autocommand that runs once a particular user logs in, so in this case the autocommand would be access-enable. We can also narrow down the access-enable command: if we just leave it as access-enable it will allow any source to telnet, not just s1, so we add the host keyword. This way, when the entry is enabled it is locked down to the source host that authenticated.
r5(config)#username cisco autocommand access-enable host
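To make the lock-and-key behaviour concrete, here is an added Python model of ACL 105 from the lab (example code, not from the original post and not Cisco IOS code). It assumes constructed placeholder addresses 1.1.1.1 for s1 and 3.3.3.3 for a second host, since the post does not list them, and shows why plain access-enable opens the dynamic entry to any source while access-enable host pins it to the authenticated source.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "eigrp" or "ip" (ip matches every protocol)
    src: str                     # CIDR; "0.0.0.0/0" stands for the IOS keyword "any"
    dst: str
    dport: Optional[int] = None  # None matches every destination port
    dynamic: bool = False        # lock-and-key template: matches nothing until access-enable

@dataclass
class LockAndKeyAcl:
    aces: list
    temp: list = field(default_factory=list)  # (template index, permitted source range)

    def access_enable(self, authenticated_src: str, host: bool) -> None:
        # "access-enable host" pins the temporary entry to the caller's address;
        # plain "access-enable" copies the template's "any" source as-is
        src_filter = ip_network(authenticated_src + "/32") if host else ip_network("0.0.0.0/0")
        for i, ace in enumerate(self.aces):
            if ace.dynamic:
                self.temp.append((i, src_filter))

    def _matches(self, ace, proto, src, dst, dport, src_filter=None) -> bool:
        if ace.proto not in ("ip", proto):
            return False
        if ip_address(src) not in ip_network(ace.src) or ip_address(dst) not in ip_network(ace.dst):
            return False
        if src_filter is not None and ip_address(src) not in src_filter:
            return False
        return ace.dport is None or ace.dport == dport

    def permits(self, proto, src, dst, dport=None) -> bool:
        # first matching entry decides, implicit deny at the end, as on IOS
        for i, ace in enumerate(self.aces):
            if ace.dynamic:
                for tmpl, src_filter in self.temp:  # only temporary copies of the template can match
                    if tmpl == i and self._matches(ace, proto, src, dst, dport, src_filter):
                        return ace.action == "permit"
                continue
            if self._matches(ace, proto, src, dst, dport):
                return ace.action == "permit"
        return False

def lab_acl() -> LockAndKeyAcl:
    # ACL 105 as configured on r5 in the lab: telnet to r5 itself, eigrp, dynamic telnet, deny
    return LockAndKeyAcl([
        Ace("permit", "tcp", "0.0.0.0/0", "5.5.5.5/32", 23),
        Ace("permit", "eigrp", "0.0.0.0/0", "0.0.0.0/0"),
        Ace("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23, dynamic=True),
        Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ])
```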
