
Yusuf Bhaiji

"Network Security Technologies and Solutions"


access-list 102 permit tcp any host 172.16.1.2 eq telnet
Apply this ACL to the interface on which the user is connected:
interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip access-group 102 in
After a user authenticates successfully, a dynamic entry carrying the source address of the user's host is added to the extended ACL, and the ACL then displays as follows. In the sample output, the user host address is 172.16.1.5, and the user is allowed to connect to the SMTP server at 192.168.1.1; all other traffic from this host is blocked.
Router# show access-lists
Extended IP access list 102
    10 Dynamic myacl permit tcp any host 172.16.1.1 eq smtp
       permit ip host 172.16.1.5 permit tcp any host 192.168.1.1 eq smtp (time left 160)
    20 permit tcp any host 172.16.1.2 eq telnet (104 matches)
The dynamic entry is appended in the ACL for every user who passes authentication, based on the source IP
address.
Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. Reflexive ACLs are generally used to allow outbound traffic and to limit inbound traffic in response to sessions originating inside the router. A reflexive ACL is similar to the Context-Based Access Control (CBAC), which will be discussed in Chapter 5.
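As an added illustration (not from the book), the following Cisco IOS configuration builds the reflexive ACL behaviour described above: outbound TCP and UDP sessions leaving Ethernet1 create temporary mirror-image entries that are evaluated on inbound traffic, so only return traffic for sessions that originated inside is admitted. The interface, addresses, ACL names and timeouts are assumed values.

```cisco
! Added example, not from the book: interface, addresses, names and timeouts are assumed.
! Reflexive ACLs are only supported in named extended ACLs.
ip access-list extended OUTBOUND-FILTER
 ! Each permitted outbound session nests a temporary reverse entry in the named reflexive list
 permit tcp any any reflect TCP-REFLECT timeout 120
 permit udp any any reflect UDP-REFLECT timeout 60
!
ip access-list extended INBOUND-FILTER
 ! Inbound packets are permitted only while a matching temporary entry exists
 evaluate TCP-REFLECT
 evaluate UDP-REFLECT
 ! Everything else from outside is dropped and logged
 deny ip any any log
!
interface Ethernet1
 description Outside interface (assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
!
! Global idle timeout for reflexive entries whose reflect statement sets none
ip reflexive-list timeout 300
```

The command show ip access-lists TCP-REFLECT displays the temporary entries together with their remaining lifetime, in the same way the dynamic lock-and-key entry appears in the show access-lists output above.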