[c-nsp] Applying ACL

Ed Ravin eravin at panix.com
Fri Jun 1 10:36:34 EDT 2007


On Fri, Jun 01, 2007 at 10:11:16AM +0300, John Kougoulos wrote:
> my preferred method is to upload the acl with tftp, of course with the 
> first line  "permit tcp any any established"
...
> Gert Doering wrote:
>> But usually you're dead in the water as soon as you copy-and-paste a
>> new version of the ACL and the first line gets active, prohibiting any
>> further lines to go through...

My handy script, aclmaker, takes care of most of these issues automatically.
It uploads a test version of the ACL with a different name to assure
that the syntax is OK, then modifies the access-group statement for
each interface that references the ACL to point to the test ACL, then
re-uploads the new ACL with the right name, and finally switches the
access-group statements back to the new ACL under its correct name
so that the switchover to the new ACL happens in one stroke.

If you use aclmaker, you will only get locked out if you write an ACL that
locks you out.  There are never any partial ACLs applied to an interface,
and the window where the interface has no ACL applied to it is minimized.
You can edit ACLs with your favorite text editor, even if they're hundreds
of lines long, and then upload them to the router.  It also supports a
"diff" command so you can compare a locally edited ACL to the one on the
router.

  http://sourceforge.net/project/showfiles.php?group_id=25401

You can also do things like this on the command line on your Unix host:

  # copy every ACL on the router into an individual file on the local host
  for acl in $(aclmaker list); do aclmaker get $acl; done

  # run a command on the Cisco and pipe its output to a local shell command
  aclmaker cmd 'show ip route' | wc -l

  # test an ACL for syntax errors before uploading it
  aclmaker test FILENAME

Requires a Unix-ish system with Perl and a few Perl modules.  One of
these days I'll upgrade it to work with RANCID which should make it a
bit easier to use (assuming you've already climbed over RANCID's learning
curve).
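An added example, not Ed's aclmaker code (that is Perl and lives at the SourceForge link above): it emits the IOS command sequence the four-step swap described above would produce for a named ACL, and replays it to count the steps at which any interface would be left pointing at an ACL that is absent or still being filled in. The running-config text, the ACL names EDGE-IN and EDGE-OUT, and the "-test" scratch suffix are constructed for the example; how aclmaker itself names the scratch copy or rebuilds the real one is an assumption.

```python
# Added example, not aclmaker's own code: emit the test-then-swap command
# sequence for a Cisco IOS named ACL and check that no bound interface ever
# references a missing or half-loaded ACL. Config text, ACL names and the
# "-test" scratch suffix are constructed assumptions.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show running-config' output (not from a real router).
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN in
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
ip access-list extended EDGE-IN
 permit tcp any any established
 deny ip any any
!
"""

NEW_EDGE_IN = [  # the locally edited ACL body, as it would come from a text file
    "permit tcp any any established",
    "permit udp any host 192.0.2.1 eq 53",
    "deny ip any any",
]

Binding = Tuple[str, str]  # (interface name, "in" or "out")


def find_acl_bindings(running_config: str, acl_name: str) -> List[Binding]:
    """Return every (interface, direction) where acl_name is applied."""
    bindings: List[Binding] = []
    iface: Optional[str] = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif line and not line[0].isspace():
            iface = None  # '!' or any other top-level statement ends the stanza
        elif iface is not None:
            m = re.match(r"\s+ip access-group (\S+) (in|out)\b", line)
            if m and m.group(1) == acl_name:
                bindings.append((iface, m.group(2)))
    return bindings


def plan_acl_swap(running_config: str, acl_name: str, new_acl: List[str],
                  acl_type: str = "extended", test_name: Optional[str] = None) -> List[str]:
    """IOS config commands for the four-step swap: test copy, re-point, rebuild, switch back."""
    test_name = test_name or f"{acl_name}-test"
    bindings = find_acl_bindings(running_config, acl_name)
    body = [f" {ace}" for ace in new_acl]
    cmds: List[str] = []
    # 1. Load the candidate under a scratch name; a syntax error fails here,
    #    before any interface has been touched.
    cmds += [f"ip access-list {acl_type} {test_name}", *body, "exit"]
    # 2. Re-point each binding at the scratch copy. IOS keeps one ACL per
    #    interface and direction, so each statement replaces the old one in place.
    for iface, direction in bindings:
        cmds += [f"interface {iface}", f" ip access-group {test_name} {direction}", "exit"]
    # 3. Rebuild the ACL under its real name while nothing references it.
    cmds += [f"no ip access-list {acl_type} {acl_name}",
             f"ip access-list {acl_type} {acl_name}", *body, "exit"]
    # 4. Switch every binding back, one statement per interface and direction.
    for iface, direction in bindings:
        cmds += [f"interface {iface}", f" ip access-group {acl_name} {direction}", "exit"]
    cmds.append(f"no ip access-list {acl_type} {test_name}")  # drop the scratch copy
    return cmds


def naive_plan(acl_name: str, new_acl: List[str], acl_type: str = "extended") -> List[str]:
    """The paste-it-in approach the thread warns about: rewrite the ACL while still bound."""
    return [f"no ip access-list {acl_type} {acl_name}",
            f"ip access-list {acl_type} {acl_name}",
            *(f" {ace}" for ace in new_acl), "exit"]


def unsafe_steps(plan: List[str], bindings: List[Binding], acl_name: str) -> int:
    """Replay the commands; count steps where a bound interface references an ACL
    that is absent (unfiltered) or still being entered (partial ACL, implicit deny)."""
    acls: Dict[str, str] = {acl_name: "complete"}     # name -> "building" | "complete"
    bound: Dict[Binding, str] = {b: acl_name for b in bindings}
    ctx: Optional[Tuple[str, str]] = None              # ("acl" | "iface", name)
    unsafe = 0
    for cmd in plan:
        if cmd.startswith("no ip access-list "):
            acls.pop(cmd.split()[-1], None)
            ctx = None
        elif cmd.startswith("ip access-list "):
            acls[cmd.split()[-1]] = "building"
            ctx = ("acl", cmd.split()[-1])
        elif cmd.startswith("interface "):
            ctx = ("iface", cmd.split(None, 1)[1])
        elif cmd == "exit":
            if ctx and ctx[0] == "acl":
                acls[ctx[1]] = "complete"
            ctx = None
        elif cmd.startswith(" ip access-group ") and ctx and ctx[0] == "iface":
            _, _, name, direction = cmd.split()
            bound[(ctx[1], direction)] = name
        # any other line is an ACE inside an ACL stanza; that ACL stays "building"
        if any(acls.get(n) != "complete" for n in bound.values()):
            unsafe += 1
    return unsafe


if __name__ == "__main__":
    b = find_acl_bindings(SAMPLE_RUNNING_CONFIG, "EDGE-IN")
    safe = plan_acl_swap(SAMPLE_RUNNING_CONFIG, "EDGE-IN", NEW_EDGE_IN)
    print("\n".join(safe))
    print("unsafe steps, test-then-swap:", unsafe_steps(safe, b, "EDGE-IN"))
    print("unsafe steps, naive paste:   ", unsafe_steps(naive_plan("EDGE-IN", NEW_EDGE_IN), b, "EDGE-IN"))
```

Feed the printed sequence to the router however you normally push config (tftp, a terminal paste, or a tool such as aclmaker or RANCID). The replay treats an absent ACL and a partially entered one alike as unsafe: on IOS a missing named ACL passes everything, while a half-entered one ends in the implicit deny, which is the lockout described earlier in the thread.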

