LAB 10.6.4 Lock-and-Key Security (Dynamic Access Lists)

Objective:

Demonstrate the use of Lock-and-Key security (dynamic access lists).

Equipment Requirements:

  • Two routers 
  • One switch with two VLANs set or two switches or two hubs 
  • Two workstations

Preliminary:

Construct the network described above, using IGRP as the routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers.

The router IP configurations are as follows (SM = subnet mask):

  Router-A                  Router-B
  E0 = 172.32.4.1           E0 = 172.32.2.1
  S0 = 172.32.3.1           S1 = 172.32.3.2
  SM = 255.255.255.0        SM = 255.255.255.0

When construction of the network is complete, verify that the routers can communicate and are exchanging their routing tables. Also verify that the two workstations can communicate with each other. For verification use show ip route, show interfaces, show running-config, ping, telnet, and any other relevant commands.

Scenario:

For this lab we will use Router-B as the border router and configure lock-and-key security (a dynamic access list) on it. We want to prevent the users in subnetwork 172.32.2.0 from accessing the rest of the network unless they first authenticate to the router with a valid username and password.

From the "Router-B" console:

Step 1

  • Enter privileged EXEC mode (enable).

Step 2

  • Enter global configuration mode by entering the configure terminal command at the router prompt.

Step 3

Set up the access list

  • Enter access-list 103 permit tcp any host 172.32.2.1 eq telnet

What does this one line of the access list do?

  • Enter access-list 103 dynamic mytest103 timeout 5 permit ip any any

What does this one line of the access list do?

Step 4

Apply the access list to the correct interface, and in the correct direction.

  • Enter interface ethernet 0
  • Enter ip access-group 103 in
  • Enter exit

Will the access list be applied to information coming into interface e0 or will it be applied to information coming out of interface e0?

Step 5

Define the virtual terminals that will be used for Lock-and-Key

  • Enter line vty 0 3
  • Enter login local
  • Enter autocommand access-enable host timeout 2
  • Enter exit

Note: If we left out the word "host", then as soon as anyone entered a correct lock-and-key username and password, the temporary entry would be created with the source "any" taken from the dynamic line, and everyone on the subnetwork would have access to the rest of the network. Note also that the timeout on access-enable is an idle timeout, while the timeout on the dynamic line of the access list is an absolute timeout; both are in minutes, and the idle timeout must be shorter than the absolute timeout.

Which virtual terminals did we use for lock-and-key?

In the last command that we entered, what does the "timeout 2" mean?

Step 6

Configure user authentication for all required users.

  • Enter username john password doe
  • Enter username mary password jane
  • Enter CTRL-Z
  • Enter copy running-config startup-config

Note: the password keyword stores the password in the configuration in clear text (or, with service password-encryption, in the reversible Type 7 form). On IOS releases that support it, username ... secret stores a hash instead and should be preferred outside the lab.

Why did we copy the running configuration to the startup config?

Step 7

Verify that lock-and-key is working correctly

From a workstation on subnetwork 172.32.2.0:

  • Try to ping the workstation on subnetwork 172.32.4.0

Were you successful?

  • Try to telnet to 172.32.3.1 (Router-A)

Were you successful?

  • Telnet to 172.32.2.1 (Router-B)
  • Enter username john
  • Enter password doe

What happened next?

  • Now try to ping the workstation on subnet 172.32.4.0

Were you successful?

  • Now try to telnet to 172.32.3.1 (Router-A)

Were you successful?

Why were you successful this time?

Step 8

Check the access list on the router.

  • From the Router-B privileged EXEC prompt, enter show access-lists

What has changed in the access list?

  • Enter clear access-template 103 mytest103 host x.x.x.x any (where x.x.x.x is the address of the workstation that authenticated)
  • Enter show access-lists

What has changed in the access list?
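To make the behaviour of access list 103 concrete, the following is a small Python model of how IOS evaluates a lock-and-key access list. It is an added example, not part of the lab and not Cisco code: the Packet, Entry and LockAndKeyAcl names, the workstation addresses 172.32.2.10 and 172.32.2.11, and the target 172.32.4.10 are this example's own assumptions, while the access-list lines, the two timeouts and the host keyword mirror Steps 3, 5, 7 and 8. It shows why the host keyword matters, how the absolute timeout on the dynamic line and the idle timeout on access-enable interact, and what clear access-template does.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Entry:
    """One access-list line; proto 'ip' matches any protocol, 0.0.0.0/0 is 'any'."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))

@dataclass
class TempEntry:
    entry: Entry
    created: float       # minutes, like the IOS timers
    last_hit: float
    idle_timeout: float

@dataclass
class LockAndKeyAcl:
    """An extended ACL with one 'dynamic' line, like access-list 103 in the lab."""
    static: list[Entry]          # lines before the dynamic line
    template: Entry              # the 'dynamic NAME timeout N permit ...' line
    absolute_timeout: float      # that line's 'timeout N' (minutes)
    temp: list[TempEntry] = field(default_factory=list)

    def access_enable(self, auth_src, now, idle_timeout, host=True):
        """'autocommand access-enable [host] timeout N' after a vty login: a temporary
        entry is built from the template.  With 'host' the source is the authenticated
        host only; without it the template's own source ('any') is kept."""
        t = self.template
        src = f"{auth_src}/32" if host else t.src
        self.temp.append(TempEntry(Entry(t.action, t.proto, src, t.dst, t.dport),
                                   now, now, idle_timeout))

    def permits(self, pkt: Packet, now: float) -> bool:
        # drop entries past the absolute timeout or the idle timeout
        self.temp = [t for t in self.temp if now - t.created < self.absolute_timeout
                     and now - t.last_hit < t.idle_timeout]
        for e in self.static:
            if e.matches(pkt):
                return e.action == "permit"
        for t in self.temp:          # temporary entries are checked in place of the dynamic line
            if t.entry.matches(pkt):
                t.last_hit = now     # traffic resets only the idle timer
                return t.entry.action == "permit"
        return False                 # implicit deny at the end of every ACL

    def clear_access_template(self, auth_src):
        """'clear access-template 103 mytest103 host x.x.x.x any' for one host."""
        self.temp = [t for t in self.temp if t.entry.src != f"{auth_src}/32"]

def lab_acl() -> LockAndKeyAcl:
    """access-list 103 as entered in Step 3."""
    return LockAndKeyAcl(static=[Entry("permit", "tcp", "0.0.0.0/0", "172.32.2.1/32", 23)],
                         template=Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
                         absolute_timeout=5)

def walkthrough(host=True) -> dict:
    """Step 7 against the model; the workstation addresses are constructed."""
    acl = lab_acl()
    ws, neighbour = "172.32.2.10", "172.32.2.11"
    ping_a = Packet("icmp", ws, "172.32.4.10")
    telnet_a = Packet("tcp", ws, "172.32.3.1", 23)
    r = {"ping_before": acl.permits(ping_a, 0.0),
         "telnet_router_b": acl.permits(Packet("tcp", ws, "172.32.2.1", 23), 0.0),
         "telnet_router_a_before": acl.permits(telnet_a, 0.0)}
    acl.access_enable(ws, now=0.0, idle_timeout=2, host=host)    # john logs in
    r["ping_after"] = acl.permits(ping_a, 0.5)
    r["neighbour_after"] = acl.permits(Packet("icmp", neighbour, "172.32.4.10"), 0.5)
    r["telnet_router_a_after"] = acl.permits(telnet_a, 1.0)
    for minute in (2.0, 3.0, 4.0):   # steady traffic keeps the idle timer from firing
        acl.permits(ping_a, minute)
    r["ping_at_4.5"] = acl.permits(ping_a, 4.5)
    r["ping_at_5.5"] = acl.permits(ping_a, 5.5)  # absolute timeout of 5 min has passed
    return r

def idle_and_clear() -> tuple:
    """The idle timeout from Step 5 and the clear access-template from Step 8."""
    acl, ws = lab_acl(), "172.32.2.10"
    pkt = Packet("icmp", ws, "172.32.4.10")
    acl.access_enable(ws, now=0.0, idle_timeout=2)
    acl.permits(pkt, 0.5)
    idle_expired = not acl.permits(pkt, 3.0)      # 2.5 min idle, limit is 2
    acl.access_enable(ws, now=10.0, idle_timeout=2)
    before_clear = acl.permits(pkt, 10.1)
    acl.clear_access_template(ws)
    return idle_expired, before_clear, acl.permits(pkt, 10.2)
```

Running walkthrough() reproduces the expected answers to Step 7: before the login only the telnet to 172.32.2.1 is permitted, after it both the ping and the telnet to Router-A succeed, and a second workstation on the same subnet is still denied because of the host keyword (walkthrough(host=False) shows it would be permitted otherwise). idle_and_clear() shows the entry disappearing after two idle minutes and again after clear access-template, which is what the changes in show access-lists in Step 8 reflect.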