[c-nsp] Modifying ACLs on production router
Andrew Yourtchenko
ayourtch at cisco.com
Tue Oct 7 10:20:20 EDT 2008
On Sun, 5 Oct 2008, Justin Shore wrote:
> FEATURE REQUEST
> We need a sub-command of 'show ip access-list' that tells us what interfaces
> a given ACL is applied to. Something simple like
>
> show ip access-list <acl> interfaces
>
> We already have 'sh ip access-list interface <int>' but that requires one to
> increment through all the interfaces. I just want to know the name/number
> and direction of an ACL. That's all. That's what we need for easy script
> processing.
Justin,
how about something like this:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#alias exec where-acl show ip int | inc ine pro|list is
Router(config)#^Z
Router#where-acl
Ethernet0/0 is up, line protocol is up
Outgoing access list is 124
Inbound access list is 123
Ethernet1/0 is administratively down, line protocol is down
Outgoing access list is 124
Inbound access list is foobar
Serial2/0 is administratively down, line protocol is down
Serial3/0 is administratively down, line protocol is down
Router#where-acl foobar
Ethernet0/0 is up, line protocol is up
Ethernet1/0 is administratively down, line protocol is down
Inbound access list is foobar
Serial2/0 is administratively down, line protocol is down
Serial3/0 is administratively down, line protocol is down
Router#
Router#where-acl 123
Ethernet0/0 is up, line protocol is up
Inbound access list is 123
Ethernet1/0 is administratively down, line protocol is down
Serial2/0 is administratively down, line protocol is down
Serial3/0 is administratively down, line protocol is down
Router#
Router#where-acl 124
Ethernet0/0 is up, line protocol is up
Outgoing access list is 124
Ethernet1/0 is administratively down, line protocol is down
Outgoing access list is 124
Serial2/0 is administratively down, line protocol is down
Serial3/0 is administratively down, line protocol is down
Router#
Admittedly, the output of this "command" is not the prettiest one around
(the linenoise of "empty" interfaces, and the fact that the interface
name and ACL number/direction are not on the same line would require an
additional regexp match branch and accumulator variable) - but this has the
advantage of being quite portable, since "show ip interface" was there for
quite a while.
Obviously within the script you'd issue the pipeline combo itself, rather
than defining the alias.
cheers,
andrew
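
The extra regexp branch and accumulator variable mentioned in the message, as an added example that is not part of the original post: it parses the filtered `show ip int | inc ine pro|list is` output into a per-ACL list of interface and direction. The function names `acl_bindings` and `where_acl` are hypothetical, the sample text is constructed from the output in the message, and the "not set" line (an interface with IP enabled but no ACL applied) is an assumed case the message does not show.

```python
import re

# Constructed sample in the shape of the output shown in the message.
# The "not set" lines are an assumption: they do not appear in the message.
SAMPLE = """\
Ethernet0/0 is up, line protocol is up
Outgoing access list is 124
Inbound access list is 123
Ethernet1/0 is administratively down, line protocol is down
Outgoing access list is 124
Inbound access list is foobar
Serial2/0 is administratively down, line protocol is down
Outgoing access list is not set
Inbound access list is not set
Serial3/0 is administratively down, line protocol is down
"""

# Branch 1: interface header line. Branch 2: ACL line (leading indent optional).
IFACE_RE = re.compile(r"^(\S+) is .*line protocol is")
ACL_RE = re.compile(r"^\s*(Outgoing|Inbound)\s+access list is (.+?)\s*$")
DIRECTION = {"Outgoing": "out", "Inbound": "in"}


def acl_bindings(text):
    """Return {acl: [(interface, direction), ...]} from the filtered output."""
    bindings = {}
    current = None  # accumulator: interface named by the most recent header line
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ACL_RE.match(line)
        # Skip ACL lines seen before any header, and interfaces with no ACL.
        if m and current and m.group(2) != "not set":
            bindings.setdefault(m.group(2), []).append(
                (current, DIRECTION[m.group(1)]))
    return bindings


def where_acl(text, acl):
    """Interfaces and directions on which a single ACL is applied."""
    return acl_bindings(text).get(acl, [])


if __name__ == "__main__":
    for acl, uses in sorted(acl_bindings(SAMPLE).items()):
        print(acl, ", ".join(f"{i} {d}" for i, d in uses))
```

An ACL that is defined but missing from the result is not applied to any interface, which is worth confirming before modifying or removing it on a production router.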