[c-nsp] Modifying ACLs on production router

Ed Ravin eravin at panix.com
Sun Oct 5 15:03:08 EDT 2008


On Sun, Oct 05, 2008 at 12:37:34PM -0600, Matlock, Kenneth L wrote:
> If you have an access-list on an interface, and that access-list
> didn't exist then it got interpreted as a 'permit ip any any'. As
> soon as you add the first line of the ACL, it then becomes a default
> of 'deny ip any any' after the line you put in. So if you remove
> an access-list, and put the lines back in, during the timeframe
> between the first line, and the last, it will affect production
> traffic. (Or in my case, I was modifying an ACL in the interface
> 'closest' to me, and when the first line got added it cut off all
> my management traffic....)

Yes, the aclmaker script was written with those scenarios in mind and
is very careful to not let that happen when it updates ACLs.

> So from then on, I've always removed the ACL from the interface,
> removed the ACL, rebuilt it, and re-applied it to the interface.
> If you have the lines copied into a clipboard, you can paste the
> stuff in fairly quickly, and not really allow much 'bad' traffic
> in.

The limitations of cut-and-paste were what provoked me to write aclmaker.
I had an ACL that kept getting longer and longer - after it got to 150
lines I realized there had to be a better way.

Another better way, especially if you prefer point-and-click stuff, is
Telconi Terminal - see http://www.telconi.com/ .  They provide a GUI or
"craft terminal" interface to Cisco routers.  According to the docs, the
most recent versions do some smart synchronization with access lists - I
recall emailing them about one of the beta versions suggesting they copy
aclmaker's strategies.
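The behaviour this exchange turns on (an applied access list that does not exist yet is treated as `permit ip any any`; the first entry switches the interface to first-match with an implicit deny) replayed as an added example. This is not code from the thread, from aclmaker or from Telconi: it models a small subset of IOS ACL configuration in Python and records, for three orderings of the same change, after which configuration steps a management flow is blocked and after which an unwanted flow is admitted. The interface name, addresses, ACL body and the third ordering (build the list under a new name and re-point the interface, which goes beyond what the thread describes) are assumptions made for the demonstration.

```python
# Added example (not code from the thread, aclmaker or Telconi): a toy model of how
# IOS applies an inbound interface ACL, replaying the update strategies discussed above.
# Interface name, addresses, ACL body and the "staged swap" strategy are assumptions.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, tokens used)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), 2
    # ipaddress accepts a hostmask (an IOS wildcard) as the mask part of the tuple
    return IPv4Network((tokens[0], tokens[1]), strict=False), 2


@dataclass
class Router:
    """Just enough IOS state to reproduce the behaviour described in the post."""
    acls: dict = field(default_factory=dict)   # ACL name -> [(action, src, dst), ...]
    bound: dict = field(default_factory=dict)  # interface -> ACL applied inbound
    cur_acl: str = ""
    cur_iface: str = ""

    def config(self, line):
        """Apply one line from the small IOS configuration subset modelled here."""
        t = line.split()
        if t[:3] == ["ip", "access-list", "extended"]:
            self.cur_acl = t[3]
            self.acls.setdefault(t[3], [])
        elif t[:4] == ["no", "ip", "access-list", "extended"]:
            self.acls.pop(t[4], None)
        elif t[0] in ("permit", "deny") and t[1] == "ip":
            src, used = _parse_addr(t[2:])
            dst, _ = _parse_addr(t[2 + used:])
            self.acls[self.cur_acl].append((t[0], src, dst))
        elif t[0] == "interface":
            self.cur_iface = t[1]
        elif t[:2] == ["ip", "access-group"]:
            self.bound[self.cur_iface] = t[2]
        elif t[:3] == ["no", "ip", "access-group"]:
            self.bound.pop(self.cur_iface, None)
        else:
            raise ValueError("unsupported line: " + line)

    def permits(self, iface, src, dst):
        """Inbound decision for one flow, following the rules the post describes."""
        entries = self.acls.get(self.bound.get(iface))
        if not entries:  # no ACL applied, or the applied ACL is missing or still empty
            return True  # ... which the router treats as 'permit ip any any'
        src, dst = IPv4Address(src), IPv4Address(dst)
        for action, s, d in entries:  # first match wins
            if src in s and dst in d:
                return action == "permit"
        return False  # implicit 'deny ip any any' once the list has an entry


# Constructed scenario: the management permit is only the second entry, so the
# operator's own session is the one cut off when the first entry lands alone.
IFACE = "GigabitEthernet0/0"
ACL_BODY = ["permit ip host 192.0.2.10 host 192.0.2.1",         # routing peer
            "permit ip 198.51.100.0 0.0.0.255 host 192.0.2.1"]  # management net
PROBES = {"mgmt": ("198.51.100.7", "192.0.2.1"),      # must stay permitted
          "unwanted": ("203.0.113.9", "192.0.2.1")}   # must stay denied


def replay(steps):
    """From the fully built ACL, apply steps one at a time; record each probe's fate."""
    r = Router()
    for line in ["ip access-list extended EDGE-IN", *ACL_BODY,
                 f"interface {IFACE}", "ip access-group EDGE-IN in"]:
        r.config(line)
    out = {name: [] for name in PROBES}
    for line in steps:
        r.config(line)
        for name, (src, dst) in PROBES.items():
            out[name].append(r.permits(IFACE, src, dst))
    return out


def rebuild_in_place():
    """Delete the list and re-add its lines while it remains applied."""
    return replay(["no ip access-list extended EDGE-IN",
                   "ip access-list extended EDGE-IN", *ACL_BODY])


def detach_and_rebuild():
    """Unapply the list first, rebuild it, then re-apply it (the thread's workaround)."""
    return replay([f"interface {IFACE}", "no ip access-group EDGE-IN in",
                   "no ip access-list extended EDGE-IN",
                   "ip access-list extended EDGE-IN", *ACL_BODY,
                   f"interface {IFACE}", "ip access-group EDGE-IN in"])


def staged_swap():
    """Build under a fresh name, re-point the interface in one command, drop the old list."""
    return replay(["ip access-list extended EDGE-IN-V2", *ACL_BODY,
                   f"interface {IFACE}", "ip access-group EDGE-IN-V2 in",
                   "no ip access-list extended EDGE-IN"])


if __name__ == "__main__":
    for fn in (rebuild_in_place, detach_and_rebuild, staged_swap):
        print(fn.__name__, fn())
```

Running it shows the two gaps the thread describes and the one ordering that has neither: the in-place rebuild blocks the management flow for one step (the step after the first entry lands), the detach-and-rebuild workaround never blocks management traffic but admits the unwanted flow for every step between unbinding and rebinding, and the staged swap keeps the interface pointed at a complete list throughout. The model deliberately ignores real IOS details such as sequence numbers and non-contiguous wildcards; it exists only to make the ordering question concrete.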
