The lock and key ACL is one of those features you’re not sure how to use in
production but it is viable for the CCIE lab. The lock and key ACL is a form of dynamic
ACL which requires a key before unlocking access. The lock and key ACL can only
have one dynamic entry per ACL.
We will be looking at a very simple topology with 3 routers. R2 will act as a
firewall for traffic coming from R1 going to R3. We will create an ACL that
denies telnet to R3’s loopback but allows everything else. We will run OSPF for
reachability but configuring it is out of scope for this post.
This is the topology.
All 3 routers have been configured with transit links and a
loopback address of 18.104.22.168, 22.214.171.124 or 126.96.36.199. All the magic
will occur on R2.
First we verify that we have reachability from R1 to R3 through
ICMP and telnet.
Reachability is good. Now we will start configuring the dynamic ACL on R2.
Lets try if we can telnet from R1.
As expected we can telnet to the Fa0/0 interface but not the loopback.
Now we need to create an user on R2 that will unlock the dynamic
ACE on R2. We also need to use the autocommand feature.
Now we have created the user and enabled the autocommand feature.
The autocommand will execute a command when the user logs in. The
enable-access feature is used to activate they dynamic ACE in the ACL.
We also need to enable local login on the VTY lines on R2.
Now we will login to R2 from R1 and see if we can telnet to R3.
After authenticating we get kicked out and the ACE has now been activated. We can now
telnet to R3’s loopback.
Lets look at the ACL on R2.
You can see that there is a dynamic entry allowing us to telnet to the loopback of R3.
So summarizing lock and key is a cool feature that is not very usable in real life but a
good tool to have on your lab exam.
You can download the configs, both initial and final and the .net file from here.
Don’t forget to set image dir and working dir.