[c-nsp] Modifying ACLs on production router

Matlock, Kenneth L MatlockK at exempla.org
Sun Oct 5 14:37:34 EDT 2008


I'm not sure about these days, but I got bit before when changing an ACL on a remote device. 
 
If you have an access-list on an interface, and that access-list doesn't exist, it gets interpreted as a 'permit ip any any'. As soon as you add the first line of the ACL, it then becomes a default of 'deny ip any any' after the line you put in. So if you remove an access-list and put the lines back in, during the timeframe between the first line and the last it will affect production traffic. (Or in my case, I was modifying an ACL on the interface 'closest' to me, and when the first line got added it cut off all my management traffic...)
 
So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.
 
Ken Matlock
Network Analyst
Exempla Healthcare
matlockk at exempla.org
 

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Gert Doering
Sent: Sun 10/5/2008 10:24 AM
To: Ed Ravin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modifying ACLs on production router



Hi,

On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> If the router doesn't complain about syntax
> problems, the script then removes the original ACL from any interfaces
> it is applied to and applies the test ACL.  Then the script deletes the
> original ACL and uploads the new ACL with the original name, and then it
> removes the test-xxxx ACL from the interface(s) and applies the original ACL.
>
> This leaves two short windows when the interface has no ACL applied, but

I'm wondering if there is any deeper necessity for removing the old ACL
from the interface?  In the cases that I've changed ACLs on an interface,
I normally just configure the new ACL - and given that Cisco can only
have one IP ACL (per direction) on each interface, this automatically
and atomically removes the old ACL...

But you might have seen more pathological cases, where things fail in
interesting ways - which is why I'm curious.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
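As an added example (not code from either poster, and not Cisco's own tooling), the following Python model walks through the three change procedures the thread describes: deleting and retyping the ACL while it stays bound to the interface (the case that bit Ken), Ken's unbind/rebuild/rebind sequence, and Gert's approach of building a new ACL under a different name and then swapping the access-group. It assumes the IOS behaviour Ken describes (a bound ACL with no lines permits everything; a non-empty ACL ends in an implicit deny), a single inbound access-group per interface, first-match evaluation, and constructed addresses; the ACL names, flows and the IOS-style command labels are invented for the illustration.

```python
"""Model of the ACL change window discussed in the thread (added example)."""
from copy import deepcopy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Ace:
    """One access-control entry: action plus source/destination prefixes (CIDR)."""
    action: str  # "permit" or "deny"
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)


@dataclass
class Router:
    """A router with one interface and one inbound access-group (simplification)."""
    acls: Dict[str, List[Ace]] = field(default_factory=dict)  # name -> entries
    access_group: Optional[str] = None  # ACL name bound inbound, or None

    def permits(self, src: str, dst: str) -> bool:
        entries = self.acls.get(self.access_group) if self.access_group else None
        if not entries:
            # No ACL bound, or bound name has no lines: behaves as 'permit ip any any'
            # (the behaviour Ken describes; assumption of this model).
            return True
        for ace in entries:  # first match wins
            if ace.matches(src, dst):
                return ace.action == "permit"
        return False  # implicit 'deny ip any any' at the end of a non-empty ACL


def ios(cidr: str) -> str:
    """Render a prefix in IOS wildcard-mask style for the step labels."""
    net = ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ace_cmd(ace: Ace) -> str:
    return f"{ace.action} ip {ios(ace.src)} {ios(ace.dst)}"


Step = Tuple[str, Router]


def rebuild_in_place(router: Router, name: str, aces: List[Ace]) -> Iterator[Step]:
    """Delete the ACL and retype its lines while it stays bound to the interface."""
    r = deepcopy(router)
    r.acls[name] = []
    yield f"no ip access-list extended {name}", deepcopy(r)
    for ace in aces:
        r.acls[name].append(ace)
        yield ace_cmd(ace), deepcopy(r)


def unbind_rebuild_rebind(router: Router, name: str, aces: List[Ace]) -> Iterator[Step]:
    """Ken's procedure: take the ACL off the interface, rebuild it, put it back."""
    r = deepcopy(router)
    r.access_group = None
    yield f"no ip access-group {name} in", deepcopy(r)
    r.acls[name] = []
    yield f"no ip access-list extended {name}", deepcopy(r)
    for ace in aces:
        r.acls[name].append(ace)
        yield ace_cmd(ace), deepcopy(r)
    r.access_group = name
    yield f"ip access-group {name} in", deepcopy(r)


def build_then_swap(router: Router, old: str, new: str, aces: List[Ace]) -> Iterator[Step]:
    """Gert's procedure: build the new ACL fully, then rebind; old ACL stays bound meanwhile."""
    r = deepcopy(router)
    r.acls[new] = []
    for ace in aces:
        r.acls[new].append(ace)
        yield ace_cmd(ace), deepcopy(r)
    r.access_group = new  # one IP ACL per direction, so this replaces the old binding
    yield f"ip access-group {new} in", deepcopy(r)
    del r.acls[old]
    yield f"no ip access-list extended {old}", deepcopy(r)


def audit(steps: Iterator[Step], mgmt: Tuple[str, str], rogue: Tuple[str, str]) -> Dict[str, List[str]]:
    """Record the commands after which management is cut off or unwanted traffic gets in."""
    report: Dict[str, List[str]] = {"mgmt_denied_at": [], "rogue_permitted_at": []}
    for cmd, r in steps:
        if not r.permits(*mgmt):
            report["mgmt_denied_at"].append(cmd)
        if r.permits(*rogue):
            report["rogue_permitted_at"].append(cmd)
    return report


# Constructed sample: old ACL only lets the NOC subnet reach the router; the new one
# adds a branch-office line *before* the management line, which is what bites in-place.
OLD_ACL = [Ace("permit", "10.0.0.0/24", "192.0.2.1/32")]
NEW_ACL = [Ace("permit", "10.1.0.0/16", "0.0.0.0/0"), Ace("permit", "10.0.0.0/24", "192.0.2.1/32")]
MGMT_FLOW = ("10.0.0.5", "192.0.2.1")     # NOC host to the router (constructed)
ROGUE_FLOW = ("203.0.113.9", "192.0.2.1")  # outside host that must stay denied (constructed)


def compare() -> Dict[str, Dict[str, List[str]]]:
    start = Router(acls={"MGMT": list(OLD_ACL)}, access_group="MGMT")
    return {
        "rebuild_in_place": audit(rebuild_in_place(start, "MGMT", NEW_ACL), MGMT_FLOW, ROGUE_FLOW),
        "unbind_rebuild_rebind": audit(unbind_rebuild_rebind(start, "MGMT", NEW_ACL), MGMT_FLOW, ROGUE_FLOW),
        "build_then_swap": audit(build_then_swap(start, "MGMT", "MGMT-NEW", NEW_ACL), MGMT_FLOW, ROGUE_FLOW),
    }


if __name__ == "__main__":
    for proc, rep in compare().items():
        print(proc, rep)
```

Running it reproduces the thread's two observations: the in-place rebuild opens a permit-everything window at the `no ip access-list` step and then cuts off the management flow as soon as the first (non-management) line is entered; Ken's unbind/rebuild/rebind never loses management access but leaves the interface unfiltered for every step until the rebind; Gert's build-then-swap has neither window, because the old ACL stays bound until the complete new one replaces it in a single command.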



