Topology
Address planning table
| Equipment name |
port |
IP |
Mask |
| R1 |
F0 / 0 |
10.29.1.1 |
24 |
| F0 / 1 |
10.29.2.1 |
24 |
|
| R2 |
F0 / 0 |
10.29.1.2 |
24 |
| R3 |
F0 / 0 |
10.29.1.3 |
24 |
| R4 |
F0 / 1 |
10.29.2.2 |
24 |
Configuration Steps
1 ip address configuration port, remote login account password
R 1 R 4
Account: HYS account: ys
Password: 123 Password: 123
Test connectivity
R2 telnet R4
Commands
r1 (config) # access-list 100 permit tcp an an eq telnet // configuration data without authentication by default, such as telnet
r1 (config) # access-list 100 dynamic ccie timeout 2 permit icmp any any // After authentication configured to pass data, such as ICMP, the absolute time of 2 minutes.
Application ACL to port
r1(config)#int f0/0
r1(config-if)#ip access-group 100 in
Test : when no authentication, R2 R4 of ping
After authentication, R2 R4 of ping
At this point, the dynamic ACL verification success
总结:通过本次实验,我了解到了动态ACL的原理是:Dynamic ACL在一开始拒绝用户相应的数据包通过,当用户认证成功后,就临时放行该数据,但是在会话结束后,再将ACL恢复最初的配置。要定义Dynamic ACL什么时候恢复最初的配置,可以定义会话超时,即会话多久没有传数据,就断开,也可以定义绝对时间,即无论会话有没有结束,到了规定时间,也要断开。与自反不同的是,它先需要主动登录进行认证,而自反ACL是通过自动给通过报文打上标签,为其打开回送的缺口。