[c-nsp] Applying ACL
Kevin Graham
mahargk at gmail.com
Wed May 30 16:33:21 EDT 2007
On 5/30/07, Leonardo Souza <leonardo.gama at gmx.net> wrote:
> I have some ACL and Receive ACL applied on my routers.
> I'd like to know if it's secure to update them by doing:
If you're running a release that supports sequenced access-lists, you
can make incremental updates in-place with:
router#sh ip access-lists 199
Extended IP access list 199
10 deny tcp any eq telnet any
20 permit ip any any
router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list extended 199
router(config-ext-nacl)#5 permit tcp host 172.1.1.1 eq 23 any
router(config-ext-nacl)#do sh ip access-list 199
Extended IP access list 199
5 permit tcp host 172.1.1.1 eq telnet any
10 deny tcp any eq telnet any
20 permit ip any any
router(config-ext-nacl)#no 10
router(config-ext-nacl)#do sh ip access-list 199
Extended IP access list 199
5 permit tcp host 172.1.1.1 eq telnet any
20 permit ip any any
router(config-ext-nacl)#
If you are wiping them out, you should always remove them to be safe
(even if it weren't default-deny behavior when missing, there is an
unavoidable window between creation and completion).
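The session above does the edit by hand; as an added example (not code from the post or the list), here is a small Python planner that generalizes it: every new entry is inserted at a free sequence number before any old entry is removed, so the ACL is never absent or truncated mid-change. The ACL name, addresses and entries are constructed to mirror the session; the `ip access-list resequence` hint in the error path is the standard IOS command for reopening gaps.

```python
"""Plan an in-place, sequenced update of an IOS extended ACL.

Added example; names and entries are constructed. Rules are compared
as the text 'show ip access-lists' prints them (e.g. 'eq telnet', not
'eq 23'), so feed it the displayed form.
"""

IOS_MAX_SEQ = 2147483647  # upper bound of IOS sequence numbers


def plan_acl_update(name, current, desired):
    """current: [(seq, rule)] as printed by 'show ip access-lists';
    desired: ordered list of rule strings. Returns the config lines,
    with all insertions emitted before any removal."""
    seq_of = {rule: seq for seq, rule in current}
    used = set(seq_of.values())
    anchors = [seq_of[r] for r in desired if r in seq_of]
    if anchors != sorted(anchors):
        # Kept entries cannot be reordered in place without a gap in coverage.
        raise ValueError("kept entries would change order; rebuild under a new name")
    lines = [f"ip access-list extended {name}"]
    prev = 0
    for i, rule in enumerate(desired):
        if rule in seq_of:
            prev = seq_of[rule]          # existing entry anchors the position
            continue
        # The next kept entry bounds the sequence numbers usable here.
        later = [seq_of[r] for r in desired[i + 1:] if r in seq_of]
        upper = later[0] if later else IOS_MAX_SEQ + 1
        seq = prev + 1
        while seq in used:               # skip numbers still occupied by old entries
            seq += 1
        if seq >= upper:
            raise ValueError(f"no free sequence number before {upper}; run "
                             f"'ip access-list resequence {name} 10 10' first")
        used.add(seq)
        lines.append(f"{seq} {rule}")
        prev = seq
    # Removals last: the list stays complete at every intermediate step.
    for seq, rule in sorted(current):
        if rule not in desired:
            lines.append(f"no {seq}")
    return lines


if __name__ == "__main__":
    cur = [(10, "deny tcp any eq telnet any"), (20, "permit ip any any")]
    want = ["permit tcp host 172.1.1.1 eq telnet any", "permit ip any any"]
    print("\n".join(plan_acl_update("199", cur, want)))
```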