Dynamic Access Lists

A dynamic access list is an access list that allows temporary access after a user has authenticated with the router. For example, in the field, you might want a Cisco engineer from the TAC to help you troubleshoot your network by logging into the routers. A dynamic access list could be created giving Cisco complete privileges for a predetermined amount of time. After the configured time limit expires, the session is closed and traffic is again denied. This form of access list is also referred to as lock-and-key security. To configure a dynamic access list, you need to perform the following steps:
Recall the network from the earlier example; for this exercise, all the access lists have been cleared and any-to-any routing is enabled. In Figure 14-4, every router has the 128.200.0.0 subnet in its routing table, and there is full reachability.

Figure 14-4. Dynamic Access List Example
In this example, you will define a dynamic access list on the router paine Ethernet 0 port. You will allow only users on the 172.16.1.0/24 subnet to authenticate, and then you will allow them access to the full 128.200.0.0 subnet. The access list will prevent any packets from unauthenticated users from entering the interface. After someone has authenticated, you will allow all the devices on subnet 172.16.1.0/24 access for five minutes before closing the dynamic access list. First, add the username and password needed for authentication:

    username franklin password ben
    username franklin autocommand access-enable timeout 5

The second line states that a special autocommand will be run when user franklin logs in. access-enable is a special command that will not be displayed by the question mark (context-sensitive help); yes, you will have to remember this one! The timeout value is an idle timeout; in this case, it is set for five minutes. This means that the access list will close after no traffic has been detected for five minutes. Next, define the dynamic access list:

    access-list 101 dynamic allowben timeout 5 permit ip 172.16.1.0 0.0.0.255 any
    access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet

The name for the dynamic entry must be unique and can be set to anything. What is important is the timeout value, which is an absolute timeout. If you use both timers, either they must be equal or the idle timeout must be less than the absolute timeout value. The rest of the dynamic entry allows IP traffic from the subnet 172.16.1.0/24 to any network once the user has authenticated. The following list provides some Cisco rules and recommendations for configuring dynamic access list timers:
The next line is your normal access list that will always be in place until someone has authenticated. This access list must begin with a permit of Telnet to the interface where the filter is applied. Without allowing Telnet, the user could never authenticate. In this case, you will allow only users on the same subnet of 172.16.1.0/24 to authenticate, while denying all other traffic. You can now apply the access list to the Ethernet 0 port of the paine router. This is done with the ip access-group 101 in command under the Ethernet 0 interface. Finally, you must enable Telnet access under the vty ports, along with the appropriate enable passwords. See Chapter 1 if you need additional help with absolute line numbers. Example 14-9 lists the configuration of the paine router.

Example 14-9 paine Router Configuration

    hostname paine
    !
    enable password 7 02050D480809
    !
    username franklin password 7 02040155
    username franklin autocommand access-enable timeout 5
    !
    !
    interface Ethernet0
     no ip address
     shutdown
     media-type 10BaseT
    !
    interface Ethernet1
     ip address 172.16.1.2 255.255.255.0
     ip access-group 101 in
     media-type 10BaseT
    !
    <<<text omitted>>>
    !
    interface TokenRing1
     ip address 128.200.1.2 255.255.255.0
     ring-speed 16
    !
    router eigrp 2001
     network 128.200.0.0
     network 172.16.0.0
     no auto-summary
    !
    ip classless
    !
    access-list 101 dynamic allowben timeout 5 permit ip 172.16.1.0 0.0.0.255 any
    access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login local
    !
    end

To test the configuration, either attach a workstation to the Ethernet segment of 172.16.1.0/24 or use the washington router. The router will always use the address closest to the destination as the source address of IP packets. If you want to source a Telnet session from a different port, use the following command:

    ip telnet source-interface interface_name

Example 14-10 first illustrates an unsuccessful ping from washington to jefferson.
The user then authenticates with paine, followed by successful pings to jefferson. After five minutes, the router paine will close the temporary hole and deny future access inbound to its Ethernet port. Notice how the Telnet session is immediately closed after authentication; this is normal operation.

Example 14-10 Testing the Dynamic Access List

    washington#
    washington# ping 128.200.1.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    washington#
    washington#
    washington# telnet 172.16.1.2
    Trying 172.16.1.2 ... Open
    User Access Verification
    Username: franklin
    Password:
    [Connection to 172.16.1.2 closed by foreign host]
    washington#
    washington#
    washington# ping 128.200.1.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
    washington#
    <<<After 5 minutes expires>>>
    washington# ping 128.200.1.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 128.200.1.5, timeout is 2 seconds:
    U.U.U
    Success rate is 0 percent (0/5)
    washington#
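To make the timer interaction concrete, here is an added Python model, not part of the chapter and not Cisco IOS code, of how access-list 101 from Example 14-9 behaves: the static Telnet permit, the temporary entry created by access-enable, its idle timeout, and the dynamic entry's absolute timeout. The class name LockAndKey and its authenticate/permit methods are hypothetical names chosen for this illustration.

```python
# Added illustration (not Cisco code): a small model of how access-list 101 from
# Example 14-9 behaves, including the idle timeout from `access-enable timeout 5`
# and the absolute timeout from the `dynamic allowben timeout 5` entry.
from ipaddress import ip_address, ip_network

IDLE_TIMEOUT = 5 * 60       # username franklin autocommand access-enable timeout 5
ABSOLUTE_TIMEOUT = 5 * 60   # access-list 101 dynamic allowben timeout 5 ...
SUBNET = ip_network("172.16.1.0/24")
ROUTER_E1 = ip_address("172.16.1.2")   # paine Ethernet1, where ACL 101 is applied inbound


def timers_valid(idle, absolute):
    """Cisco rule from the text: the idle timeout must not exceed the absolute timeout."""
    return idle <= absolute


class LockAndKey:
    """Inbound filter: static Telnet permit plus one temporary (dynamic) entry."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        if not timers_valid(idle, absolute):
            raise ValueError("idle timeout must not exceed absolute timeout")
        self.idle, self.absolute = idle, absolute
        self.opened_at = None   # when access-enable created the temporary entry
        self.last_hit = None    # last packet that matched it (drives the idle timer)

    def authenticate(self, src, now):
        """Successful Telnet login as franklin; the autocommand opens the hole."""
        if ip_address(src) not in SUBNET:
            return False        # the static entry never let the Telnet in
        self.opened_at = self.last_hit = now
        return True

    def _entry_open(self, now):
        if self.opened_at is None:
            return False
        if now - self.opened_at >= self.absolute or now - self.last_hit >= self.idle:
            self.opened_at = self.last_hit = None   # router removes the entry
            return False
        return True

    def permit(self, src, dst, proto, dport, now):
        """Return True if a packet would pass ACL 101 at time `now` (seconds)."""
        s, d = ip_address(src), ip_address(dst)
        # dynamic allowben: permit ip 172.16.1.0 0.0.0.255 any, while the entry lives
        if s in SUBNET and self._entry_open(now):
            self.last_hit = now
            return True
        # static entry: permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet
        return s in SUBNET and proto == "tcp" and d == ROUTER_E1 and dport == 23
```

With both timers at five minutes, as on the page, the absolute timer closes the entry first; the idle timer only matters when it is shorter than the absolute one.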