From: gladston@br.ibm.com
Date: Thu Aug 25 2005 - 14:47:08 GMT-3
Absolute timeout on dynamic access-list takes the next 59 seconds.
That is, if specifying 2, it will take 2:59 to be removed from the dynamic ACL.
Rack2R5#sh clock
14:30:02.573 PST Thu Aug 25 2005 <-----------
Rack2R5#sh access-list 116
Extended IP access list 116
10 permit tcp any host 148.5.57.5 eq telnet (192 matches)
20 permit igmp any any
30 permit pim any any
40 permit ospf any any (264 matches)
50 permit udp any eq pim-auto-rp any eq pim-auto-rp
60 permit tcp any any eq bgp
70 permit tcp any eq bgp any
80 permit gre any any
90 Dynamic DYNAMIC-or-Lock-and-key permit icmp any any
permit icmp host 148.5.57.7 any (879 matches) (time left 59)
100 deny ip any any log-input (2109 matches)
Aug 25 14:32:56: %SEC-6-IPACCESSLOGDP: list 116 denied icmp 148.5.57.7 (Ethernet0/0 000b.fdc7.c180) -> 148.5.57.5 (3/13), 2 packets
Any comments appreciated.
I am wondering if the task says that the dynamic entry should not be longer than 4 minutes, we would mind with the IOS behavior and configure "3" on dynamic accesss-list, which would result in the entry for 3:59.
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:20 GMT-3