From: gladston@br.ibm.com
Date: Thu Aug 25 2005 - 12:27:14 GMT-3
Hi Huang,
You can permit everything you want before the dynamic.
Example:
access-list 101 permit tcp any host 10.1.1.1 eq telnet
access-list 101 permit tcp 10.0.0.0 0.255.255.255 12.0.0.0 0.255.255.255
access-list 101 dynamic testlist timeout 15 permit ip 10.1.1.0 0.0.0.255
Packets sourced by 10.x.x.x destined to 12.x.x.x will be allowed, even though Lock and key does not "open a hole".
================
quoted
But if it is a transmit router, not edge router, and I want to permit
other traffic from other users, and use this feature, how to do?
If I add another last clause access-list 101 permit ip any any, it can work?
================
If you permit "ip any any" then your Lock and Key has no reason.
You see, there is no sense to implement lock and key between two routers. But, considering the lab can test anything, be aware to permit any control packets.
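
The ordering point made in the message above, as an added example that is not part of the original post: a small first-match evaluator for access-list 101, showing that the static permits are hit before the dynamic entry and that a trailing "permit ip any any" lets unauthenticated traffic through. Assumptions: the dynamic entry's destination is not shown in the message, so "any" is used here; the dynamic entry is modelled as active only for sources in a hypothetical `authenticated` set; the sample packets are constructed.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")

def host(ip):
    return (ip, "0.0.0.0")

# Entries: (kind, protocol, source, destination, destination port or None)
ACL_101 = [
    ("static", "tcp", ANY, host("10.1.1.1"), 23),
    ("static", "tcp", ("10.0.0.0", "0.255.255.255"),
     ("12.0.0.0", "0.255.255.255"), None),
    # Destination assumed to be "any"; the message does not show it.
    ("dynamic", "ip", ("10.1.1.0", "0.0.0.255"), ANY, None),
]
PERMIT_ANY = ("static", "ip", ANY, ANY, None)

def evaluate(acl, proto, src, dst, dport=None, authenticated=frozenset()):
    """Return (decision, index of the matching entry); first match wins."""
    for i, (kind, p, s, d, port) in enumerate(acl):
        if p != "ip" and p != proto:
            continue
        if port is not None and port != dport:
            continue
        if not (wild_match(src, *s) and wild_match(dst, *d)):
            continue
        if kind == "dynamic" and src not in authenticated:
            continue  # simplified: template is inactive until the user authenticates
        return "permit", i
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    pkt = ("udp", "10.1.1.50", "172.16.0.1", 53)  # constructed sample packet
    print("before auth:", evaluate(ACL_101, *pkt))
    print("after auth: ", evaluate(ACL_101, *pkt, authenticated={"10.1.1.50"}))
    print("with trailing permit ip any any:",
          evaluate(ACL_101 + [PERMIT_ANY], *pkt))
```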