Network Engineering Fundamentals - Dynamic ACL

Experimental environment: EVE-NG
Experimental topology:

Base configuration (the no shutdown commands are omitted; enter them yourself):

R1(config)#no ip routing
R1(config)#ip default-gateway 12.1.1.4
R1(config)#interface e0/0
R1(config-if)#ip address 12.1.1.1 255.255.255.0

R2(config)#no ip routing
R2(config)#ip default-gateway 12.1.1.4
R2(config)#interface e0/0
R2(config-if)#ip address 12.1.1.2 255.255.255.0

R3(config)#no ip routing
R3(config)#ip default-gateway 12.1.1.4
R3(config)#interface e0/0
R3(config-if)#ip address 12.1.1.3 255.255.255.0

R4(config)#interface e0/0
R4(config-if)#ip address 12.1.1.4 255.255.255.0
R4(config)#interface e0/1
R4(config-if)#ip address 23.1.1.4 255.255.255.0

R5(config)#interface e0/0
R5(config-if)#ip address 23.1.1.5 255.255.255.0
R5(config)#ip route 12.1.1.0 255.255.255.0 23.1.1.4

Test connectivity:

Configure the dynamic ACL (the keyword is dynamic; the temporary entry is only created once a user authenticates on R4):

R4(config)#ip access-list extended tan
R4(config-ext-nacl)#permit tcp any host 12.1.1.4
R4(config-ext-nacl)#dynamic wen permit ip 12.1.1.0 0.0.0.255 host 23.1.1.5
R4(config)#interface e0/0
R4(config-if)#ip access-group tan in

Test connectivity:

Set up authentication:

R4(config)#username cisco password cisco123
R4(config)#line vty 0 4
R4(config-line)#login local
R4(config-line)#transport input telnet //Enable remote login
R4(config-line)#autocommand access-enable //Activate dynamic ACL after login authentication

After logging in to R4 remotely from R1, the ping to R5 succeeds:

A temporary entry permitting R1-to-R5 traffic has been added to the ACL:

Problems:
① As soon as any one host in the 12.1.1.0 segment logs in successfully, every host in that segment can ping R5; this does not meet the requirement, since whoever logs in opens access for everyone;
② Logging in to R4 through telnet for management is no longer possible, because every vty session now runs the autocommand;
③ Once the dynamic entry on R4 is activated it persists indefinitely (unless the interface is shut down or the entry is cleared manually);

Solutions:
① Restrict the temporary entry to the single host that logged in:
R4(config-line)#autocommand access-enable host
② Assign a rotary group number, then telnet to port 3000 + group number for management:
R4(config)#line vty 5 10
R4(config-line)#password cisco
R4(config-line)#login
R4(config-line)#rotary 1
R1#telnet 12.1.1.4 3001
③ Configure a timeout for the temporary entry: an idle timeout and/or an absolute timeout

Verification:
Reload R4 and clear the dynamic entries it generated;

Configure the management vty lines, the single-host dynamic ACL and the timeout:

R4(config)#line vty 3 4
R4(config-line)#no autocommand access-enable
R4(config-line)#password cisco123
R4(config-line)#login
R4(config-line)#rotary 1
R4(config)#line vty 0 2
R4(config-line)#login local
R4(config-line)#no autocommand access-enable
R4(config-line)#autocommand access-enable host
R4(config)#ip access-list extended tan
R4(config-ext-nacl)#no 20
R4(config-ext-nacl)#20 dynamic wen timeout 1 permit ip 12.1.1.0 0.0.0.255 host 23.1.1.5

If the vty lines end up configured as follows, everything works:

Test remote login to R4 for management; it now works without problems:

Single-host login authentication to obtain access:
R1 can ping R5 after logging in and authenticating:

R2 cannot ping R5 at first; after R2 also logs in and authenticates separately, it can ping R5:

At this point R4's ACL contains temporary entries permitting each of those hosts individually:

After the one-minute absolute timeout, the temporary entries are removed, and neither R1 nor R2 can ping R5:
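The behaviour verified above, replayed as an added Python model of how R4 evaluates the lock-and-key ACL tan (this is example code written for this page, not IOS code or output). It assumes time is a float in minutes, that only the absolute timeout from "dynamic wen timeout 1" applies (no idle timeout), and that "access-enable" without "host" opens the whole 12.1.1.0/24 source while "access-enable host" narrows it to the caller's /32.

```python
# Added model of R4's lock-and-key ACL "tan" (constructed example, not IOS).
# Assumptions: time is in minutes; only the absolute timeout is modelled.
from ipaddress import ip_address, ip_network

R4_VTY_ADDR = ip_address("12.1.1.4")      # line 10: permit tcp any host 12.1.1.4
INSIDE_NET = ip_network("12.1.1.0/24")    # source of the dynamic line 20
PROTECTED_HOST = ip_address("23.1.1.5")   # destination of the dynamic line 20


class LockAndKeyAcl:
    """Static lines of 'tan' plus the temporary entries access-enable creates."""

    def __init__(self, timeout_min):
        self.timeout_min = timeout_min
        self.temp_entries = []  # list of (source network, absolute expiry time)

    def access_enable(self, now, src_ip, host_only):
        # 'autocommand access-enable' opens the whole 12.1.1.0/24 (problem 1);
        # 'autocommand access-enable host' narrows it to the caller's /32.
        src = ip_network(f"{src_ip}/32") if host_only else INSIDE_NET
        self.temp_entries.append((src, now + self.timeout_min))

    def _expire(self, now):
        self.temp_entries = [(n, exp) for n, exp in self.temp_entries if exp > now]

    def permits(self, now, proto, src_ip, dst_ip):
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        if proto == "tcp" and dst == R4_VTY_ADDR:
            return True  # line 10: telnet to R4 itself is always allowed
        self._expire(now)
        if src in INSIDE_NET and dst == PROTECTED_HOST:
            # line 20 only matches while a temporary entry covers this source
            return any(src in net for net, _ in self.temp_entries)
        return False  # implicit deny at the end of the ACL


def lab_walkthrough():
    """Replays the verification: R1 logs in, then R2, then the timeout hits."""
    acl = LockAndKeyAcl(timeout_min=1)
    acl.access_enable(now=0.0, src_ip="12.1.1.1", host_only=True)
    r2_before = acl.permits(0.1, "icmp", "12.1.1.2", "23.1.1.5")
    acl.access_enable(now=0.2, src_ip="12.1.1.2", host_only=True)
    r2_after = acl.permits(0.3, "icmp", "12.1.1.2", "23.1.1.5")
    r1_expired = acl.permits(1.0, "icmp", "12.1.1.1", "23.1.1.5")
    return r2_before, r2_after, r1_expired   # (False, True, False)


if __name__ == "__main__":
    print(lab_walkthrough())
```

Calling access_enable with host_only=False reproduces problem ①: one login by R1 lets R2 and R3 reach R5 as well.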

Tags: network

Posted by ndjustin20 on Wed, 25 May 2022 06:39:38 +0300