Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Bronze

Dynamic Acl

Hi every body!My book says;

" imagine a set of servers that need to be accessed by a small set of users. With acls, you can match the ip addresses of the host used by users. However, if the users borrows another pc, or leases a new address using dhcp or takes her laptop home and so on. the legitimate user now has a different ip address. So a traditional acl would have to be edited to support each new ip address.

Dynamic acl sloves this problem by tying the acl to a user name authentication process. Instead of starting by trying to connect to the server, the users must be told to first telnet to a router.The router asks for user name/password combination. If it is authentic,the router dynamically changes its acl."

Now my questions Does it mean user has to check every time he wants to connect to server if its ip address is same or changed. If changed then user knows he has to telnet first to router. Am i correct? If it is correct then it put alot of burdens on users .

thanks a lot!

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Bronze

Re: Dynamic Acl

Now my questions Does it mean user has to check every time he wants to connect to server if its ip address is same or changed. If changed then user knows he has to telnet first to router. Am i correct? If it is correct then it put alot of burdens on users .

Correct. That's the reason this implementation is not ideal for 'user' environment. You will see this kind of implementation mostly done in secured environments where Network Engineers need access to but adding a form of authentication to get there.

If you want to read more about it from CCO, check out this URL

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_lock_key_secrty_ps6350_TSD_Products_Configuration_Guide_Chapter.html

When are you taking the exam?

__

Edison.

7 REPLIES
Community Member

Re: Dynamic Acl

The user will not need to check his IP address. All he needs to do is telnet to the router. When he authenticates to the router the dynamic ACL will change to all access to the server.

Bronze

Re: Dynamic Acl

Thanks for your reply.

Let me make my point

h---------s0R e0------------------server

R has access-list 110 permit ip host 199.199.199.1 any

As long as host has this ip address , it can access server,

Now host is turned off and then turned on and was assigned different ip address.

This time host has to telnet into router to provide username/password. My question how host determines when to telnet router when not to telnet router without checking if ip address has changed?

Re: Dynamic Acl

Hi Sarah,

You can change the acl to allow the range of ip addresses that is distributed by DHCP to the hosts.

Example:

If you have the following in the DHCP pool:

ip dhcp pool MYPOOL

network 199.199.199.0 /24

Then your dynamic ACL entry could be:

access-list 110 dynamic timeout XX permit ip 199.199.199.0 0.0.0.255 any

In this case, if the host is switched off and gets another ip address from the DHCP server from the 199.199.199.0 /24 range, it does not need to reauthenticate, because the dynamic ACL entry allows the range of ip addresses and it may still be in place, depending on the timeout value.

You should know that dynamic ACL entries time out after some time. If the entry times out then the host will need to reauthenticate at the router anyway.

You can also set the timeout values as it is given in the example.

Cheers:

Istvan

Bronze

Re: Dynamic Acl

Thanks Istvan.

My intention is to understand dynamic acl . i understand there is alternative to dynamic acl as you mentioned one in your post. My goal is to understand how dynamic acl works.

Let revisit my question.

host----------r--------server

r is also connected to internet besides host which is inside the enterprise network.

Let say r has dynamic acl configured allowing connection through for 199.199.199.0/24 network

Now let say host is laptop, the user moved to different part of the country and want to access the server. He connects to internet from internet it gets to " r". Now how would user decide if he has to authenticate first or not if he does not check his ip address. By checking ip address user can decides if the ip address is the same or has changed. In our case, the ip address has changed so user knows he has to telnet first to " r" then having authenticated himself, he will be allowed to access server.

My question remains the same does user has to check his ip address if it has changed or not? if not then how user decides whether he has telnet into router for authentication or not?

Thanks a lot!

Re: Dynamic Acl

Hi Sarah,

Of course, a simple user has no idea of how his computer connects to the server, so he/she should not deal with any ip addresses.

The distribution of ip addresses through DHCP and the dynamic ACL entry have to be coordinated so this works automatically for the user.

The user has no option to decide about authenticating or not.

He must authenticate any time and that's all. No question.

But, do not consider this authentication method as the most scalable, secure and reliable in the world.

This type of authentication is not scalable to large networks, and will not replace AAA, Network Admission Control and other best practices for security.

Cheers:

Istvan

Hall of Fame Super Bronze

Re: Dynamic Acl

Now my questions Does it mean user has to check every time he wants to connect to server if its ip address is same or changed. If changed then user knows he has to telnet first to router. Am i correct? If it is correct then it put alot of burdens on users .

Correct. That's the reason this implementation is not ideal for 'user' environment. You will see this kind of implementation mostly done in secured environments where Network Engineers need access to but adding a form of authentication to get there.

If you want to read more about it from CCO, check out this URL

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_lock_key_secrty_ps6350_TSD_Products_Configuration_Guide_Chapter.html

When are you taking the exam?

__

Edison.

Bronze

Re: Dynamic Acl

Thanks Edison ! Exam itself is not my goal.

I will take in few moths after i master the basics and routing concept, . Most of my questions are not even relevant to ccnp routing exam. But by discovering answers to my weird questions help me understand the concept better.

Thanks and have a nice weekend!

487
Views
0
Helpful
7
Replies
CreatePlease to create content