ccie.nyquist.eu
ACLs 102

Time-based ACLs

Define the time range:

R(config)# time-range TIME-RANGE
R(config-time-range)# periodic DAYS-OF-WEEK HH:MM to [DAYS-OF-WEEK] HH:MM
! Adds a recurring time to the time-range
! DAYS-OF-WEEK: daily (Mon-Sun), weekdays (Mon-Fri), weekend (Sat-Sun), monday, tuesday, ...
R(config-time-range)# absolute [start TIME DATE] [end TIME DATE]
! Adds an absolute time to the time-range
! Only one absolute time is permitted in one time-range

Add the time-range to the ACL:

R(config)# access-list ACL {permit|deny} ... time-range TIME-RANGE
R(config-std-nacl)# {permit|deny} ... time-range TIME-RANGE
R(config-ext-nacl)# {permit|deny} ... time-range TIME-RANGE

Reflexive ACLs

A reflexive ACL permits traffic that originates on one side of the connection (inside), allows the returning packets from the other side (outside), and denies traffic that originates on the outside. Reflexive ACLs can only be implemented with extended named ACLs.

! Define the ACL that will permit traffic on the Inside:
R(config)# ip access-list extended ACL-OUTGOING
R(config-ext-nacl)# permit PROTOCOL SRC-IP WILDCARD DST-IP WILDCARD reflect REFLECT-NAME [timeout SEC]
! Define the ACL that will permit the returning traffic on the Outside:
R(config)# ip access-list extended ACL-INCOMING
R(config-ext-nacl)# evaluate REFLECT-NAME

The default timeout for dynamic entries in a reflexive ACL is 5 minutes, but this can be changed per ACE (with the timeout keyword above) or globally:

R(config)# ip reflexive-list timeout SEC

Usually, the ACL that matches outgoing traffic is applied on the inside interface, while the ACL that evaluates the reflexive entries is applied either on the outside interface in the inbound direction, or on the inside interface in the outbound direction.

! Apply ACL-OUTGOING
R(config)# interface INSIDE
R(config-if)# ip access-group ACL-OUTGOING in
! Apply ACL-INCOMING
R(config)# interface OUTSIDE
R(config-if)# ip access-group ACL-INCOMING in
! OR
R(config)# interface INSIDE
R(config-if)# ip access-group ACL-INCOMING out
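A worked configuration tying the time-based and reflexive sections together, added here as an example and not taken from the original page. The interface names, the inside network 10.0.0.0/24, the server 10.0.0.10 and the time-range name are assumptions chosen for the illustration.

```cisco
! Added example (not from the original page). Inside LAN 10.0.0.0/24 on
! GigabitEthernet0/0, outside link on GigabitEthernet0/1 (assumed).
!
! Recurring window used by the time-based ACE below.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
!
! Outbound sessions from the inside create mirrored entries in RETURN-TRAFFIC.
! Short-lived protocols get a shorter per-ACE timeout than the global default.
ip access-list extended ACL-OUTGOING
 permit tcp 10.0.0.0 0.0.0.255 any eq 80 reflect RETURN-TRAFFIC
 permit tcp 10.0.0.0 0.0.0.255 any eq 443 reflect RETURN-TRAFFIC
 permit udp 10.0.0.0 0.0.0.255 any eq 53 reflect RETURN-TRAFFIC timeout 30
 permit icmp 10.0.0.0 0.0.0.255 any echo reflect RETURN-TRAFFIC timeout 10
 deny ip any any log
!
! Inbound from the outside: a static, time-limited exception for SSH to one
! server, then the reflexive entries, then an explicit logged deny.
! The evaluate statement is where the mirrored entries are inserted, so
! its position relative to the static ACEs matters.
ip access-list extended ACL-INCOMING
 permit tcp any host 10.0.0.10 eq 22 time-range BUSINESS-HOURS
 evaluate RETURN-TRAFFIC
 deny ip any any log
!
! Global default for reflexive entries without a per-ACE timeout (seconds).
ip reflexive-list timeout 120
!
interface GigabitEthernet0/0
 description INSIDE
 ip access-group ACL-OUTGOING in
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip access-group ACL-INCOMING in
!
! Verify: "show access-lists" lists the mirrored entries (source/destination
! and ports swapped) under the reflexive list while sessions are active.
```

Note that reflexive entries mirror only the 5-tuple of the outbound packet, so protocols that open secondary connections on other ports (such as active FTP) will not have their return traffic permitted by the evaluate statement.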

Dynamic ACLs – Lock-and-Key

This feature allows an IOS router to dynamically add ACEs to an ACL in order to permit traffic for specific users. Users that need to pass traffic that is normally blocked by the ACL can telnet to the router and log on; the router then dynamically adds entries to the ACL so that their traffic passes the filter. Because the user must first reach the router over telnet, the ACL itself must statically permit telnet to the router's address. First, configure the ACL and include a dynamic template:

R(config)# ip access-list extended ACL
R(config-ext-nacl)# {permit|deny} ...
R(config-ext-nacl)# dynamic DYNAMIC-NAME [timeout MIN] {permit|deny} ...
! timeout MIN is the absolute lifetime of the dynamic entry, in minutes

The ACL should be applied on an interface, but the dynamic ACEs will not be active in the ACL until a user authenticates via telnet. This is set up using the autocommand setting, defined on a line or on a username.

! Define user autocommand
R(config)# username USER autocommand access-enable [host] [timeout MIN]
! Define line autocommand
R(config-line)# autocommand access-enable [host] [timeout MIN]

The access-enable command adds the dynamic entries to the ACL. When the host keyword is used, the ACE will only allow traffic from the host that connected via telnet; otherwise, it will allow traffic from any source. The timeout given here is the idle timeout of the dynamic entry, in minutes.

Usually, you enable dynamic extension of the timeout period. With this enabled, the timeout period is extended for each new login; otherwise the dynamic entries are deleted from the ACL once they expire. To enable this feature, use:

R(config)# access-list dynamic-extend

You can manually clear dynamic entries using:

R# clear access-template ACL [DYNAMIC-NAME]
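A complete lock-and-key configuration, added here as an example and not taken from the original page. The username, the outside address 203.0.113.1, the inside network 10.0.0.0/24 and the interface name are assumptions chosen for the illustration; the password is a placeholder.

```cisco
! Added example (not from the original page). Addresses, interface and
! username are assumed for the illustration.
!
! Local user whose telnet login triggers the dynamic entry. "host" restricts
! the opened entry to the address the user telnets from; the entry is removed
! after 10 idle minutes. IOS closes the telnet session once the autocommand runs.
username jdoe privilege 1 secret PLACEHOLDER-PASSWORD
username jdoe autocommand access-enable host timeout 10
!
ip access-list extended ACL-LOCKKEY
 ! The user must reach the router itself over telnet to authenticate,
 ! so that traffic is permitted statically.
 permit tcp any host 203.0.113.1 eq telnet
 ! Template only; it becomes an active ACE after access-enable runs, with
 ! "any" replaced by the authenticated host. The absolute timeout of 120
 ! minutes caps the entry even if the user keeps it busy.
 dynamic LOCKKEY-USERS timeout 120 permit tcp any 10.0.0.0 0.0.0.255 eq 22
 deny ip any any log
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 203.0.113.1 255.255.255.0
 ip access-group ACL-LOCKKEY in
!
! The vty lines must authenticate against the local user database so that
! the username's autocommand is applied.
line vty 0 4
 login local
!
! Each new login extends the idle timeout instead of creating a duplicate entry.
access-list dynamic-extend
!
! Verify with "show access-lists ACL-LOCKKEY": an active dynamic entry is shown
! indented under the template with the authenticated host as its source.
! Revoke one host early with "clear access-template ACL-LOCKKEY LOCKKEY-USERS".
```

Only the telnet session to the router is what opens the hole; the user's SSH traffic to 10.0.0.0/24 is then evaluated against the dynamically created entry, and anything not matching it still hits the logged deny.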

Last updated 3 years ago