RE: Host keyword on Lock and Key

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Fri Jul 23 2004 - 15:43:12 GMT-3

• Next message: James: "Re: AS-PATH REGEXP QUESTION!!!"
• Previous message: Sergio Jimenez Arguedas: "AS-PATH REGEXP QUESTION!!!"
• Maybe in reply to: gladston@br.ibm.com: "Host keyword on Lock and Key"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Here is an example of the access-enable command used without the host
option and with the host option:

Rack1R4#telnet 191.1.34.3
Trying 191.1.34.3 ... Open

User Access Verification

Username: cisco
Password:
Rack1R3>en
Password:
Rack1R3#who
    Line User Host(s) Idle Location
   0 con 0 idle 00:03:17
* 66 vty 0 cisco idle 00:00:00 191.1.34.4

  Interface User Mode Idle Peer Address

Rack1R3#show ip access-list 199
Extended IP access list 199
    10 permit tcp any any eq telnet (560 matches)
    20 Dynamic MYDYNACL permit icmp any any
Rack1R3#access-enable timeout 5 <-- WITHOUT HOST OPTION
Rack1R3#show ip access-list 199
Extended IP access list 199
    10 permit tcp any any eq telnet (650 matches)
    20 Dynamic MYDYNACL permit icmp any any
       permit icmp any any <-- ACL USES "ANY" AS THE SOURCE
Rack1R3#clear access-template 199 MYDYNACL any any <-- CLEAR THE ACL
Rack1R3#access-enable host timeout 5 <-- WITH HOST OPTION
Rack1R3#show ip access-list 199
Extended IP access list 199
    10 permit tcp any any eq telnet (770 matches)
    20 Dynamic MYDYNACL permit icmp any any
       permit icmp host 191.1.34.4 any <-- ACL USES THE HOST'S IP
ADDRESS
Rack1R3#clear access-template 199 MYDYNACL host 191.1.34.4 any
Rack1R3#show ip access-list 199
Extended IP access list 199
    10 permit tcp any any eq telnet (984 matches)
    20 Dynamic MYDYNACL permit icmp any any
Rack1R3#

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Friday, July 23, 2004 10:50 AM
To: ccielab@groupstudy.com
Subject: Host keyword on Lock and Key

What would be the behavior if configuring the keyword 'host' on
"autocommand access-enable" in this example?

interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp 168.192.1.0 255.255.255.0 host 172.18.21.2 eq
telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5

• Next message: James: "Re: AS-PATH REGEXP QUESTION!!!"
• Previous message: Sergio Jimenez Arguedas: "AS-PATH REGEXP QUESTION!!!"
• Maybe in reply to: gladston@br.ibm.com: "Host keyword on Lock and Key"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Aug 01 2004 - 10:12:01 GMT-3