[c-nsp] Modifying ACLs on production router
Ziv Leyes
zivl at gilat.net
Sun Oct 5 12:54:18 EDT 2008
Also, in relatively new IOS (the last 2-3 years) there's always a possibility to edit an active ACL; I also do it when I need to change/remove/add a line.
When you want to see what an ACL contains, you do "sh access-list 99", right? And you get something like
access-list 99 deny x.x.x.x
access-list 99 permit y.y.y.y
Or "sh access-list 100" gives you
access-list 100 deny ip host x.x.x.x any
access-list 100 permit ip host y.y.y.y any
If you use the command "sh ip access-list 99" or "sh ip access-list 100" instead, you'll get something like this:
Standard IP access list 99
10 deny x.x.x.x
20 permit y.y.y.y
Extended IP access list 100
10 deny ip host x.x.x.x any
20 permit ip host y.y.y.y any
And so on...
Now, if you want to delete a line, all you need is to do this:
conf t
ip access-list standard 99
no 20
or if you want to add something that MUST be logically inserted in between the two existing lines, you can begin the line with any number that is between the current lines' numbers, e.g.
ip access-list extended 100
15 permit ip x.x.x.0 0.0.0.255 any
21 permit udp z.z.z.z 0.0.0.255 any eq 53
This will yield an "on the fly" edited ACL that looks like this:
sh ip access-list 100
Extended IP access list 100
10 deny ip host x.x.x.x any
15 permit ip x.x.x.0 0.0.0.255 any
20 permit ip host y.y.y.y any
21 permit udp z.z.z.z 0.0.0.255 any eq 53
I hope I've made myself clear enough and that this helps someone.
Ziv
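As an added example (my own code, not from Ziv's post and not a Cisco tool), here is a small Python script that does the bookkeeping behind the procedure above: it parses "show ip access-list" output, picks a free sequence number so a new entry lands right after a chosen one (15 between 10 and 20, as in the post), emits the lines to type under "conf t" for inserts and for "no <seq>" deletes, and replays them on the parsed view the way IOS orders the list. The sample output is constructed; the addresses are RFC 5737 test ranges. One assumption beyond the thread: when two neighbouring numbers leave no gap, the script falls back to the stock IOS command "ip access-list resequence <name> <start> <step>", which the post does not mention. A caveat a script like this has to respect: IOS does not keep ACE sequence numbers in the startup configuration, so after a reload the entries come back renumbered 10, 20, 30, ... in their existing order; always re-read "show ip access-list" before planning an edit instead of trusting numbers remembered from earlier.

```python
"""Plan in-place IOS ACL edits by sequence number (added example, not from the post).

Assumption: the no-gap fallback uses the stock IOS command
'ip access-list resequence <name> <start> <step>', not mentioned in the thread.
"""
import re

# Constructed sample 'show ip access-list' output (RFC 5737 addresses).
SAMPLE_SHOW = """\
Standard IP access list 99
    10 deny   192.0.2.1
    20 permit 192.0.2.2
Extended IP access list 100
    10 deny ip host 192.0.2.1 any
    20 permit ip host 192.0.2.2 any (12 matches)
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# Sequence number, ACE text, and the optional hit counter IOS appends.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")

def parse_show_ip_access_list(text):
    """Return {name: {"type": "standard"|"extended", "entries": [(seq, ace), ...]}}."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1).lower(), "entries": []}
            acls[m.group(2)] = current
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            current["entries"].append((int(m.group(1)), " ".join(m.group(2).split())))
    return acls

def resequence(entries, start=10, step=10):
    """Model 'ip access-list resequence': same order, numbered start, start+step, ..."""
    return [(start + i * step, ace) for i, (_, ace) in enumerate(entries)]

def free_sequence(entries, after_seq):
    """Sequence number that sorts right after `after_seq` (0 = top of the list).
    Returns None when the next entry is after_seq + 1 and nothing fits between."""
    seqs = [s for s, _ in entries]
    if after_seq and after_seq not in seqs:
        raise ValueError(f"no entry with sequence {after_seq}")
    later = [s for s in seqs if s > after_seq]
    if not later:                                  # appending after the last entry
        return after_seq + 10
    gap = min(later) - after_seq
    return after_seq + gap // 2 if gap >= 2 else None   # 10..20 -> 15, as in the post

def insert_commands(acls, name, ace, after_seq):
    """Config lines (under 'conf t') that place `ace` right after entry `after_seq`."""
    acl, cmds = acls[name], []
    entries, seq = acl["entries"], free_sequence(acl["entries"], after_seq)
    if seq is None:
        # No room between the neighbours: renumber first, then re-locate the anchor.
        cmds.append(f"ip access-list resequence {name} 10 10")
        entries = resequence(entries)
        if after_seq:
            after_seq = entries[[s for s, _ in acl["entries"]].index(after_seq)][0]
        seq = free_sequence(entries, after_seq)
    return cmds + [f"ip access-list {acl['type']} {name}", f"{seq} {ace}"]

def delete_commands(acls, name, seq):
    """Config lines that remove one entry by number ('no 20' in the post)."""
    acl = acls[name]
    if seq not in [s for s, _ in acl["entries"]]:
        raise ValueError(f"no entry with sequence {seq} in {name}")
    return [f"ip access-list {acl['type']} {name}", f"no {seq}"]

def apply_commands(acls, commands):
    """Replay generated lines on the parsed view the way IOS keeps the list:
    ordered by sequence number, whatever order the lines were typed in."""
    current = None
    for cmd in commands:
        p = cmd.split()
        if p[0] in ("conf", "end"):
            continue
        if p[:3] == ["ip", "access-list", "resequence"]:
            acls[p[3]]["entries"] = resequence(acls[p[3]]["entries"], int(p[4]), int(p[5]))
        elif p[:2] == ["ip", "access-list"]:
            current = acls[p[3]]
        elif p[0] == "no":
            current["entries"] = [e for e in current["entries"] if e[0] != int(p[1])]
        else:
            current["entries"].append((int(p[0]), " ".join(p[1:])))
            current["entries"].sort()
    return acls

if __name__ == "__main__":
    acls = parse_show_ip_access_list(SAMPLE_SHOW)
    plan = ["conf t"]
    for name, ace, after in [("100", "permit ip 198.51.100.0 0.0.0.255 any", 10),
                             ("100", "permit udp 203.0.113.0 0.0.0.255 any eq 53", 20)]:
        step = insert_commands(acls, name, ace, after)
        apply_commands(acls, step)      # plan each edit against the updated list
        plan += step
    plan += delete_commands(acls, "99", 20)
    apply_commands(acls, plan[-2:])
    print("\n".join(plan))
    for seq, ace in acls["100"]["entries"]:
        print(f"{seq:>4} {ace}")
```

Each insert is planned against the list as it stands after the previous one was applied; planning several inserts from one stale snapshot is how two entries end up competing for the same gap. The "(12 matches)" counter in the sample is there on purpose, since real output carries it and a parser that does not strip it will push a mangled entry back into the router.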
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Sunday, October 05, 2008 6:24 PM
To: Ed Ravin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modifying ACLs on production router
Hi,
On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> If the router doesn't complain about syntax problems, the script then
> removes the original ACL from any interfaces it is applied to and
> applies the test ACL. Then the script deletes the original ACL and
> uploads the new ACL with the original name, and then it removes the
> test-xxxx ACL from the interface(s) and applies the original ACL.
>
> This leaves two short windows when the interface has no ACL applied,
> but
I'm wondering if there is any deeper necessity for removing the old ACL from the interface? In the cases that I've changed ACLs on an interface, I normally just configure the new ACL - and given that Cisco can only have one IP ACL (per direction) on each interface, this automatically and atomically removes the old ACL...
But you might have seen more pathological cases, where things fail in interesting ways - which is why I'm curious.
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de