Dynamic ACL
Principle: a dynamic ACL (lock-and-key) initially denies the matching traffic. When a user authenticates successfully, that traffic is temporarily permitted; when the session ends, the ACL returns to its initial configuration. To define when the dynamic ACL restores its initial configuration, you can set an idle timeout (the session is disconnected after it has passed no data for that long) and an absolute timeout (even if the session has not ended, it is disconnected when the specified time is reached).
Topology
Configuration Steps
1. Configure the port IP addresses and the remote login account and password
Test connectivity
R2 telnet R4
Commands
r1(config)# access-list 100 permit tcp any any eq telnet // default: data such as telnet can pass without authentication
r1(config)# access-list 100 dynamic ccie timeout 2 permit icmp any any // authentication configuration: after authentication, data such as ICMP can pass; the absolute timeout is 2 minutes
Apply the ACL to the port
r1(config)#int f0/0
r1(config-if)#ip access-group 100 in
Test: before authentication, R2 pings R4
Configure the local user database
r1(config)#username ccie password cisco
Grant access to the configured users when they log in
r1(config)#line vty 0 4
r1(config-line)#login local
r1(config-line)#autocommand access-enable
Authenticate from R2
After authentication, R2 pings R4
View the ACL