Dynamic (Lock-and-key) Access List configuration

Written by admin. Posted in ACLs

Dynamic (lock-and-key) access control lists block user traffic until the user telnets to the router. A dynamic access list is based on an extended ACL that begins by blocking traffic through the router. When the user telnets to the router and authenticates, a dynamic entry that allows the user's traffic to pass is added to the ACL and the telnet connection is dropped. The user's traffic then passes through the router until the timeout timer expires. Let's analyze an example on a Cisco router; check the topology below.


In our GNS3 lab we have a Router that filters client traffic to the Server using a dynamic access list. In this lab the Client PC and the Server are simulated by two routers. I configured all interfaces with their IPs from the picture, and on Client and Server I added a default route pointing to the Router so that Client and Server can reach each other. So, now I will ping from Client to Server.


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/47/80 ms

Next we need to block Client traffic to the Server until the Client telnets to the Router and is granted access through it. But before we configure the ACL, we need to configure telnet access on the Router.

username usr password 0 pass
enable secret pass
line vty 0 4
 login local
 autocommand access-enable host timeout 5

I created a username (usr) and a password (pass) and configured the vty lines for local login on the router (not on an authentication server). The line "autocommand access-enable host timeout 5" triggers the ACL to create a temporary access list entry that enables access for the host from which the telnet session originated. The timeout of 5 is an idle timeout: if no activity happens within those 5 minutes, access is blocked again. Now the time has come for the dynamic ACL. It is configured in global configuration mode:

ip access-list extended 100
 permit tcp host eq telnet
 dynamic MYLIST timeout 5 permit ip

interface fastEthernet 0/0
 ip access-group 100 in

The first line in the ACL grants telnet access to the Router's IP address from the network. The second line is the dynamic part of the access list; it allows traffic to flow from Client to Server. Here the timeout is the period of time the traffic is allowed to pass. The ACL is applied inbound on interface fa 0/0. At this point our ACL looks like this:

Router(config-ext-nacl)#do show access-list
Extended IP access list 100
    10 permit tcp host eq telnet
    20 Dynamic MYLIST permit ip

Now, let’s try to issue a ping from Client to Server:


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Good! That's what we were expecting. Next we telnet to the Router to create the dynamic ACL entry and allow traffic to pass.

Trying ... Open

User Access Verification

Username: usr
[Connection to closed by foreign host]
Now we have 5 minutes of traffic flow from Client to Server. I issued a continuous ping:

Client#ping repeat 1000000

Type escape sequence to abort.
Sending 1000000000, 100-byte ICMP Echos to, timeout is 2 seconds:

... after five minutes

Note that during those 5 minutes a new entry was present in the ACL; see below:

Router#show ip access-lists 
Extended IP access list 100
    10 permit tcp host eq telnet (81 matches)
    20 Dynamic MYLIST permit ip
       permit ip host (3251 matches) (time left 299)

The last entry was created dynamically and allows traffic from the host (Client) to the network (Server network).
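As an added Python model (not IOS code and not from the original post) of the behaviour walked through above: the static telnet permit, the per-host entry created by access-enable after login, and its removal when the absolute timer from the dynamic line or the idle timer from the vty line runs out. The addresses and timestamps are constructed.

```python
from dataclasses import dataclass, field

# Timers from the post's config (minutes -> seconds); both are 5 minutes here.
IDLE_TIMEOUT = 5 * 60      # vty: autocommand access-enable host timeout 5
ABSOLUTE_TIMEOUT = 5 * 60  # ACL: dynamic MYLIST timeout 5 permit ip
ROUTER_IP = "10.0.0.1"     # constructed; the post's real addresses are not shown


@dataclass
class DynamicEntry:
    """The temporary 'permit ip host <src> ...' line created by access-enable."""
    created: float
    last_hit: float
    matches: int = 0


@dataclass
class LockAndKeyACL:
    entries: dict = field(default_factory=dict)  # source host -> DynamicEntry

    def access_enable(self, host, now):
        """Run by the vty autocommand after a successful login from 'host'."""
        self.entries[host] = DynamicEntry(created=now, last_hit=now)

    def expire(self, now):
        """Drop entries whose absolute or idle timer has run out."""
        for host, e in list(self.entries.items()):
            if now - e.created >= ABSOLUTE_TIMEOUT or now - e.last_hit >= IDLE_TIMEOUT:
                del self.entries[host]

    def permits(self, src, dst, proto, dport, now):
        """Evaluate one packet against the ACL at time 'now' (seconds)."""
        self.expire(now)
        if proto == "tcp" and dst == ROUTER_IP and dport == 23:
            return True  # line 10: static permit for telnet to the router
        e = self.entries.get(src)  # line 20 only matches via a created entry
        if e is None:
            return False  # implicit deny at the end of the ACL
        e.matches += 1
        e.last_hit = now  # matching traffic refreshes the idle timer only
        return True


def scenario():
    """The post's sequence: ping denied, telnet, ping allowed, expiry after 5 min."""
    acl, client, server = LockAndKeyACL(), "192.168.0.10", "192.168.1.10"
    before = acl.permits(client, server, "icmp", None, now=0)
    telnet = acl.permits(client, ROUTER_IP, "tcp", 23, now=1)
    acl.access_enable(client, now=2)  # login succeeded, autocommand fires
    during = acl.permits(client, server, "icmp", None, now=3)
    after = acl.permits(client, server, "icmp", None, now=2 + ABSOLUTE_TIMEOUT)
    return before, telnet, during, after
```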

That’s all for now, I hope you enjoyed this article !

Comments (4)

  • saleh


    Thanks bro, it was gr8


    • Ahmed


      Amazing Blog dude really Informative 🙂 God Bless You


  • M Zare




  • eb


    Tnx a lot

