Question on idle timeout of Dynamic ACL (lock-and-key)

From: YourPal (dearprudence28@gmail.com)
Date: Sun Mar 16 2008 - 09:55:22 ART


Hi Group,

I configured the following dynamic ACL with idle timeout of 1 minute and an
unspecified absolute timeout:

!
username CISCO password 0 CISCO
username CISCO autocommand access-enable host timeout 1
!
interface FastEthernet0/0
 ip access-group 190 in
!
access-list 190 dynamic DYNACL permit tcp any any eq www
access-list 190 deny tcp any any eq www
access-list 190 permit ip any any
!
line vty 0 4
 login local
!

A user successfully authenticates with the router. After that, his web
traffic can pass through the router. A timer appears next to the dynamic
entry, as follows:

R1#sh access-l 190
Extended IP access list 190
    10 Dynamic DYNACL permit tcp any any eq www
       permit tcp host 172.16.105.5 any eq www (23 matches) (time left 30)
    20 deny tcp any any eq www (3 matches)
    30 permit ip any any (1182 matches)

I let the timer count down to 0. When it hit 0, the dynamic entry was still
there and took quite a while to be removed! The user's web traffic could still
pass through. I was expecting the dynamic entry to be removed as soon as the
idle timeout expires, so that the user needs to reauthenticate.

Did I configure it wrongly? Kindly shed some light.

Thank you.

BR,
Emil
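As an added example (not part of the original post, and not Cisco's code): a small parser for the `show access-list` output quoted above that pulls out the temporary lock-and-key entries and flags any whose idle timer has already reached 0 but which are still installed, which is the condition the post observed. The sample outputs are constructed from the post; the regex assumes the IOS layout shown there (temporary entries indented under the `Dynamic` line, with `(N matches)` and `(time left N)` suffixes).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the output quoted in the post (entry still active).
SHOW_ACL_190 = """\
Extended IP access list 190
    10 Dynamic DYNACL permit tcp any any eq www
       permit tcp host 172.16.105.5 any eq www (23 matches) (time left 30)
    20 deny tcp any any eq www (3 matches)
    30 permit ip any any (1182 matches)
"""

# Constructed sample: the same entry after its idle timer has hit 0.
SHOW_ACL_190_EXPIRED = SHOW_ACL_190.replace("(time left 30)", "(time left 0)")

# Temporary entries have no sequence number, so the action keyword follows
# the indentation directly; numbered (static) lines never match this.
DYN_ENTRY = re.compile(
    r"^\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+host\s+(?P<host>\S+)\s+"
    r"(?P<rest>.*?)\s*\((?P<matches>\d+) matches\)\s*\(time left (?P<left>\d+)\)\s*$",
    re.MULTILINE,
)


@dataclass
class DynamicEntry:
    action: str
    proto: str
    host: str       # authenticated source host the entry was created for
    matches: int    # packets matched so far
    time_left: int  # remaining idle time as reported by IOS


def parse_dynamic_entries(show_output: str) -> List[DynamicEntry]:
    """Return every temporary lock-and-key entry found in the output."""
    return [
        DynamicEntry(m["action"], m["proto"], m["host"], int(m["matches"]), int(m["left"]))
        for m in DYN_ENTRY.finditer(show_output)
    ]


def stale_entries(entries: List[DynamicEntry]) -> List[DynamicEntry]:
    """Entries whose idle timer reads 0 yet are still present in the ACL."""
    return [e for e in entries if e.time_left == 0]


if __name__ == "__main__":
    for name, out in (("active", SHOW_ACL_190), ("expired", SHOW_ACL_190_EXPIRED)):
        entries = parse_dynamic_entries(out)
        print(name, entries, "stale:", [e.host for e in stale_entries(entries)])
```

Polling the router with this check (for example from a cron job over an SSH session) lets an operator measure how long after the timer reaches 0 the entry actually disappears, rather than relying on the counter alone.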



This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART