The lock and key ACL is one of those features you’re not sure how to use in
production but it is viable for the CCIE lab. The lock and key ACL is a form of dynamic
ACL which requires a key before unlocking access. The lock and key ACL can only
have one dynamic entry per ACL.

We will be looking at a very simple topology with 3 routers. R2 will act as a
firewall for traffic coming from R1 going to R3. We will create an ACL that
denies telnet to R3’s loopback but allows everything else. We will run OSPF for
reachability but configuring it is out of scope for this post.

This is the topology.

All 3 routers have been configured with transit links and a
loopback address of, or All the magic
will occur on R2.

First we verify that we have reachability from R1 to R3 through
ICMP and telnet.

Reachability is good. Now we will start configuring the dynamic ACL on R2.

Lets try if we can telnet from R1.

As expected we can telnet to the Fa0/0 interface but not the loopback.

Now we need to create an user on R2 that will unlock the dynamic
ACE on R2. We also need to use the autocommand feature.

Now we have created the user and enabled the autocommand feature.
The autocommand will execute a command when the user logs in. The
enable-access feature is used to activate they dynamic ACE in the ACL.
We also need to enable local login on the VTY lines on R2.

Now we will login to R2 from R1 and see if we can telnet to R3.

After authenticating we get kicked out and the ACE has now been activated. We can now
telnet to R3’s loopback.

Lets look at the ACL on R2.

You can see that there is a dynamic entry allowing us to telnet to the loopback of R3.

So summarizing lock and key is a cool feature that is not very usable in real life but a
good tool to have on your lab exam.

You can download the configs, both initial and final and the .net file from here.
Don’t forget to set image dir and working dir.

Lock and key ACL
Tagged on:         

3 thoughts on “Lock and key ACL

  • May 27, 2011 at 8:41 pm

    Hi Daniel,

    Many Thanks for sharing this.

    I think it would be an icing on the cake.

    Once this dynamic acl gets populated,on R2, everyone is allowed to get access to the therefore if “autocommand access-enable” is followed by “host” keyword it will allow only that particular ip address which telnetted to the router R2

    Please correct me if i am wrong.

    • May 27, 2011 at 10:51 pm

      Hi goldie,

      You are correct, the host keyword should be used to if you want to be more specific in the ACL.


Leave a Reply

Your email address will not be published. Required fields are marked *