|
|
This chapter describes the commands used to configure Lock-and-key security (IP only).
Other traffic filter commands are protocol-specific, and are therefore described in the appropriate protocol-specific chapters in the Cisco IOS command references. You should refer to these protocol-specific chapters to find detailed information about traffic filter commands for each protocol. (Many of these protocols refer to the filters as "access lists.")
Specific information about configuring traffic filters (access lists) for these protocols can be found in protocol-specific chapters in the Cisco IOS configuration guides. General guidelines for using access lists can be found in the "Configuring Traffic Filters" chapter of the Security Configuration Guide.
Lock-and-key security is implemented with extended IP dynamic access lists. Lock-and-key security is available only for IP traffic, but provides more security functions than traditional static traffic filters.
To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command.
access-enable [host] [timeout minutes]EXEC
This command first appeared in Cisco IOS Release 11.1.
This command enables the lock-and-key access feature.
You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session.
The following example causes the software to create a temporary access list entry and tells the software to enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.
autocommand access-enable host timeout 2
A dagger (+) indicates that the command is documented outside this chapter.
access-list (extended) +
autocommand +
To manually place a temporary access list entry on a router to which you are connected, use the access-template EXEC command.
access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]| access-list-number | Number of the dynamic access list. |
| name | Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists. |
| dynamic-name | (Optional) Name of a dynamic access list. |
| source | (Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry. |
| destination | (Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry. |
| timeout minutes | (Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently. |
EXEC
This command first appeared in Cisco IOS Release 11.1.
This command provides a way to enable the lock-and-key access feature.
You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session.
In the following example, the software enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded.
access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
A dagger (+) indicates that the command is documented outside this chapter.
access-list (extended) +
autocommand +
clear access-template
To manually clear a temporary access list entry from a dynamic access list, use the clear access-template EXEC command.
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]| access-list-number | (Optional) Number of the dynamic access list from which the entry is to be deleted. |
| name | Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists. |
| dynamic-name | (Optional) Name of the dynamic access list from which the entry is to be deleted. |
| source | (Optional) Source address in a temporary access list entry to be deleted. |
| destination | (Optional) Destination address in a temporary access list entry to be deleted. |
EXEC
This command first appeared in Cisco IOS Release 11.1.
This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.
The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
clear access-template vendor 172.20.1.12
A dagger (+) indicates that the command is documented outside this chapter.
access-list (extended) +
access-template
To display the active accounting or checkpointed database or to display access-list violations, use the show ip accounting privileged EXEC command.
show ip accounting [checkpoint] [output-packets | access-violations]| checkpoint | (Optional) Indicates that the checkpointed database should be displayed. |
| output-packets | (Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. This is the default value if neither output-packets nor access-violations is specified. |
| access-violations | (Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed. |
If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.
EXEC
This command first appeared in Cisco IOS Release 10.0.
To use this command, you must first enable IP accounting on a per-interface basis.
Following is sample output from the show ip accounting command:
Router# show ip accounting
Source Destination Packets Bytes
172.30.19.40 172.30.67.20 7 306
172.30.13.55 172.30.67.20 67 2749
172.30.2.50 172.30.33.51 17 1111
172.30.2.50 172.30.2.1 5 319
172.30.2.50 172.30.1.2 463 30991
172.30.19.40 172.30.2.1 4 262
172.30.19.40 172.30.1.2 28 2552
172.30.20.2 172.30.6.100 39 2184
172.30.13.55 172.30.1.2 35 3020
172.30.19.40 172.30.33.51 1986 95091
172.30.2.50 172.30.67.20 233 14908
172.30.13.28 172.30.67.53 390 24817
172.30.13.55 172.30.33.51 214669 9806659
172.30.13.111 172.30.6.23 27739 1126607
172.30.13.44 172.30.33.51 35412 1523980
172.30.7.21 172.30.1.2 11 824
172.30.13.28 172.30.33.2 21 1762
172.30.2.166 172.30.7.130 797 141054
172.30.3.11 172.30.67.53 4 246
172.30.7.21 172.30.33.51 15696 695635
172.30.7.24 172.30.67.20 21 916
172.30.13.111 172.30.10.1 16 1137
Table 8 describes fields shown in the display.
| Field | Description |
|---|---|
| Source | Source address of the packet |
| Destination | Destination address of the packet |
| Packets | Number of packets transmitted from the source address to the destination address |
| Bytes | Number of bytes transmitted from the source address to the destination address |
Following is sample output from the show ip accounting access-violations command. (The following displays information pertaining to packets that failed access lists and were not routed.)
Router# show ip accounting access-violations
Source Destination Packets Bytes ACL 172.30.19.40 172.30.67.20 7 306 77
172.30.13.55 172.30.67.20 67 2749 185
172.30.2.50 172.30.33.51 17 1111 140
172.30.2.50 172.30.2.1 5 319 140
172.30.19.40 172.30.2.1 4 262 77
Accounting data age is 41
Table 9 describes fields shown in the display.
| Field | Description |
|---|---|
| Source | Source address of the packet |
| Destination | Destination address of the packet |
| Packets | For accounting keyword, number of packets transmitted from the source address to the destination address
For access-violations keyword, number of packets transmitted from the source address to the destination address that violated the access control list |
| Bytes | For accounting keyword, number of bytes transmitted from the source address to the destination address
For access-violations keyword, number of bytes transmitted from the source address to the destination address that violated the access-control list |
| ACL | Number of the access list of the last packet transmitted from the source to the destination that failed an access list |
A dagger (+) indicates that the command is documented outside this chapter.
clear ip accounting +
ip accounting +
ip accounting-list +
ip accounting-threshold +
ip accounting-transits +
|
|