[[nsp] ACLs]

Jared Mauch jared at puck.nether.net
Fri Feb 28 14:22:52 EST 2003


On Fri, Feb 28, 2003 at 08:18:33PM +0100, Florian Weimer wrote:
> "Shalosky, Brian K Mr CONT USAREC" <Brian.Shalosky at usarec.army.mil> writes:
> 
> >  Note   The first command of an edited access list file should delete the
> > previous access list (for example, type a no access-list command at the
> > beginning of the file).
> 
> If you do this, there is a time window during which the router
> forwards more packets than it should.
> 
> Has anybody found an approach which avoids this effect?

	Not without disrupting service.

	You can always shut down an interface while you change filtering,
or in the case of a LAN interface, if you're doing VRRP/HSRP, you could
change it on the backup, swap it to primary, then change the filter
there.

	Any other way you're talking about would be something along
the lines of the Juniper-style 'commit' strategy which is a bit more
ideal in managing these things.

	Interesting side comment:

	12.2S seems to have some sort of hidden internal ACL numbering;
you may be able to take advantage of this to insert/delete specific
lines.

Example:

Router#sh access-list 2699
Extended IP access list 2699
    10 permit udp host 192.168.10.10 10.99.0.0 0.0.3.255 (118178 matches)
    20 deny udp any 10.99.0.0 0.0.3.255 eq snmp log (4 matches)
    30 deny ip 10.99.0.0 0.0.3.255 any log (7 matches)
    40 deny udp any any eq 1812 log
    50 deny tcp any any eq 137 (54 matches)
    60 deny udp any any eq netbios-ns (783220 matches)
    70 deny tcp any any eq 138 (6 matches)
    80 deny udp any any eq netbios-dgm
    90 deny tcp any any eq 139 (49610 matches)
    100 deny udp any any eq netbios-ss
    110 deny tcp any any eq 445 (28075 matches)
    120 deny tcp any any eq 1434 (934 matches)
    130 deny udp any any eq 1434 (122970 matches)
    140 deny udp any any eq rip
    150 deny udp any any eq syslog
    160 deny udp any any eq bootpc
    170 deny udp any any eq bootps (9 matches)
    180 deny udp any any eq snmptrap
    190 deny udp any any eq sunrpc (17 matches)
    200 permit ip any any (33147725 matches)


> 
> -- 
> Florian Weimer 	                  Weimer at CERT.Uni-Stuttgart.DE
> University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
> RUS-CERT                          fax +49-711-685-5898

-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
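A small model of the two editing strategies discussed in this thread, added here as an illustration and not code from either poster. It assumes the IOS behaviour the thread relies on: an interface whose access-group points at a deleted or empty ACL permits everything, and a non-empty ACL ends in the implicit deny; the ACL subset and sample packets are constructed from the 2699 listing above.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol, else "udp"/"tcp"
    dport: Optional[int]  # None means any destination port

@dataclass
class Acl:
    entries: list = field(default_factory=list)

def evaluate(acl, proto, dport):
    """First-match lookup. Assumed IOS semantics: a missing or empty ACL on
    an interface permits everything; a non-empty ACL ends in implicit deny."""
    if not acl.entries:
        return "permit"
    for e in sorted(acl.entries, key=lambda e: e.seq):
        if e.proto in ("ip", proto) and e.dport in (None, dport):
            return e.action
    return "deny"

def states_delete_then_reload(entries):
    """Interface-visible states between 'no access-list N' and the last re-added line."""
    return [Acl(entries[:i]) for i in range(len(entries))]  # i == 0 is the empty ACL

def apply_sequence_edit(acl, new_ace):
    """One-step insert/replace by sequence number (the 12.2S behaviour): no state in between."""
    kept = [e for e in acl.entries if e.seq != new_ace.seq]
    return Acl(sorted(kept + [new_ace], key=lambda e: e.seq))

def transition_cost(states, traffic, final):
    """(leaked, dropped): packets the final ACL denies but an intermediate state
    permits, and packets the final ACL permits but an intermediate state drops."""
    leaked = dropped = 0
    for acl in states:
        for pkt in traffic:
            want, got = evaluate(final, *pkt), evaluate(acl, *pkt)
            leaked += want == "deny" and got == "permit"
            dropped += want == "permit" and got == "deny"
    return leaked, dropped

# Constructed subset of ACL 2699 from the post, plus constructed sample packets.
ACL_2699 = [Ace(60, "deny", "udp", 137), Ace(110, "deny", "tcp", 445),
            Ace(130, "deny", "udp", 1434), Ace(200, "permit", "ip", None)]
TRAFFIC = [("udp", 1434), ("tcp", 445), ("udp", 53), ("tcp", 80)]

if __name__ == "__main__":
    final = Acl(ACL_2699)
    print("delete+reload:", transition_cost(states_delete_then_reload(ACL_2699), TRAFFIC, final))
    edited = apply_sequence_edit(final, Ace(120, "deny", "tcp", 1434))
    print("sequence edit:", transition_cost([], TRAFFIC, edited))
```

The delete-and-reload path leaks during the empty-ACL window and then drops legitimate traffic while the permit line is still missing, which is the "not without disrupting service" point; the sequence-number edit has no intermediate state at all.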