Network Engineering Fundamentals - Dynamic ACL
Experimental environment: EVE-NG
Experimental topology:
Base configuration (the no shutdown commands on each interface are omitted; enter them yourself):
R1(config)#no ip routing
R1(config)#ip default-gateway 12.1.1.4
R1(config)#interface e0/0
R1(config-if)#ip address 12.1.1.1 255.255.255.0

R2(config)#no ip routing
R2(config)#ip default-gateway 12.1.1.4
R2(config)#interface e0/0
R2(config-if)#ip address 12.1.1.2 255.255.255.0

R3(config)#no ip routing
R3(config)#ip default-gateway 12.1.1.4
R3(config)#interface e0/0
R3(config-if)#ip address 12.1.1.3 255.255.255.0

R4(config)#interface e0/0
R4(config-if)#ip address 12.1.1.4 255.255.255.0
R4(config)#interface e0/1
R4(config-if)#ip address 23.1.1.4 255.255.255.0

R5(config)#interface e0/0
R5(config-if)#ip address 23.1.1.5 255.255.255.0
R5(config)#ip route 12.1.1.0 255.255.255.0 23.1.1.4
Test connectivity:
Configure the dynamic ACL (keyword: dynamic):
R4(config)#ip access-list extended tan
R4(config-ext-nacl)#permit tcp any host 12.1.1.4
R4(config-ext-nacl)#dynamic wen permit ip 12.1.1.0 0.0.0.255 host 23.1.1.5
R4(config)#interface e0/0
R4(config-if)#ip access-group tan in
Test connectivity:
Set up authentication:
R4(config)#username cisco password cisco123
R4(config)#line vty 0 4
R4(config-line)#login local
! Enable remote login
R4(config-line)#transport input telnet
! Activate the dynamic ACL entry after login authentication
R4(config-line)#autocommand access-enable
After logging in to R4 remotely, the ping goes through:
A dynamic entry allowing R1-to-R5 traffic has been added:
Problems:
① As long as any one host in 12.1.1.0/24 logs in successfully, every host in that segment can ping R5; this does not meet the requirement (only the host that logs in should be able to ping);
② If you want to telnet to R4 to manage it, you can no longer log in;
③ Once the dynamic ACL entry on R4 has been activated it stays in place indefinitely (unless the interface is shut down or the entry is removed manually);
Solutions:
① Restrict the entry to the single host that logged in:
R4(config-line)#autocommand access-enable host
② Set a rotary group number, then telnet to port 3000 + group number to log in for management:
R4(config)#line vty 5 10
R4(config-line)#password cisco
R4(config-line)#login
R4(config-line)#rotary 1
R1#telnet 12.1.1.4 3001
③ Set the timeouts: idle time and absolute time
Verification:
Restart R4 and clear the dynamic ACL entries R4 generated;
Configure remote login, the single-host dynamic ACL and the timeout:
R4(config)#line vty 3 4
R4(config-line)#no autocommand access-enable
R4(config-line)#password cisco123
R4(config-line)#login
R4(config-line)#rotary 1

R4(config)#line vty 0 2
R4(config-line)#login local
R4(config-line)#no autocommand access-enable
R4(config-line)#autocommand access-enable host

R4(config)#ip access-list extended tan
R4(config-ext-nacl)#no 20
R4(config-ext-nacl)#20 dynamic wen timeout 1 permit ip 12.1.1.0 0.0.0.255 host 23.1.1.5
If the vty line configuration looks like the following, it is fine:
Testing a remote login to R4 for configuration works without problems:
Single-host login authentication and how the entry is obtained:
R1 can ping R5 after login authentication:
R2 cannot ping R5 at first, and can ping R5 only after R2 has also logged in and authenticated separately:
At this point R4's ACL table contains entries for the individual hosts:
After the one-minute timeout the dynamic entries are removed, and neither R1 nor R2 can ping R5:
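To make the three problems and their fixes concrete, here is a small Python model of the lock-and-key behaviour configured on R4 above. It is an added example, not code from the original page or from Cisco IOS, and it models only the absolute timeout from "dynamic wen timeout 1 ..." (idle timeout is left out); the class and function names are the example's own.

```python
# Added example (not from the original page): a model of the lock-and-key ACL "tan" on R4.
# It shows why "autocommand access-enable" without "host" opens the whole 12.1.1.0/24
# template for every host as soon as anyone logs in, why "access-enable host" installs an
# entry only for the host that authenticated, and how the absolute timeout removes it again.
import ipaddress


class LockAndKeyACL:
    def __init__(self, router_ip, template_src, template_dst, timeout_min):
        self.router = ipaddress.ip_address(router_ip)           # static: permit tcp any host R4
        self.template_src = ipaddress.ip_network(template_src)  # dynamic wen permit ip <src> ...
        self.template_dst = ipaddress.ip_network(template_dst)  # ... host <dst>
        self.absolute_timeout = timeout_min * 60                # "timeout 1" is in minutes
        self.temp_entries = []  # (src_net, dst_net, expires_at) created by access-enable

    def access_enable(self, login_host, now, host_only):
        """What 'autocommand access-enable [host]' does after a successful login."""
        login = ipaddress.ip_address(login_host)
        if login not in self.template_src:
            return False  # the login host does not match the template, nothing is created
        src = ipaddress.ip_network(f"{login}/32") if host_only else self.template_src
        self.temp_entries.append((src, self.template_dst, now + self.absolute_timeout))
        return True

    def permits(self, proto, src_ip, dst_ip, now):
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if proto == "tcp" and dst == self.router:
            return True  # the static line that lets the telnet login reach R4
        self.temp_entries = [e for e in self.temp_entries if e[2] > now]  # absolute timeout
        return any(src in s and dst in d for s, d, _ in self.temp_entries)


def demo(host_only):
    """R1 logs in at t=0; check R1 and R2 reaching R5 before and after the 1-minute timeout."""
    acl = LockAndKeyACL("12.1.1.4", "12.1.1.0/24", "23.1.1.5/32", timeout_min=1)
    can_telnet = acl.permits("tcp", "12.1.1.1", "12.1.1.4", 0.0)  # login traffic is allowed
    acl.access_enable("12.1.1.1", 0.0, host_only)
    return {
        "r1_telnet_to_r4": can_telnet,
        "r1_ping_r5_after_login": acl.permits("icmp", "12.1.1.1", "23.1.1.5", 5.0),
        "r2_ping_r5_without_login": acl.permits("icmp", "12.1.1.2", "23.1.1.5", 5.0),
        "r1_ping_r5_after_timeout": acl.permits("icmp", "12.1.1.1", "23.1.1.5", 61.0),
    }


if __name__ == "__main__":
    print("access-enable      :", demo(host_only=False))  # R2 gets through without logging in
    print("access-enable host :", demo(host_only=True))   # only R1 gets through, and only for a minute
```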