[c-nsp] Modifying ACLs on production router

Steven Mark steven_mark_99 at yahoo.com
Sun Oct 5 16:45:33 EDT 2008


Folks,

Thanks, very useful information. I like the 'aclmaker' script... intend to use this extensively! Very cool!

From responses, I see 2 main issues with Cisco ACL implementation:

1. Losing connection on the interface you are working on

If one connects to the router using management console (port on MSFC), then this problem would not be there. Isn't it?

2. Erratic behavior when ACLs are being updated 

I wonder if IOS can start supporting 'config commit' process (as I suppose JUNOS does), then applying ACLs on interfaces will become a much easier task. As I understand, in JUNOS if you have to modify/change an ACL, you go to the CLI, make necessary changes and then just commit. Since JUNOS does make-before-break, in the ASIC, new ACL is installed first and in just one quick swoop, the ACL pointer (if you will) is moved to the newly installed ACL. Not sure what folks think...

Nonetheless, really appreciate folks sharing useful info (incl. Telconi terminal). Will give that a shot as well.

Cheers,
Steve

--- On Sun, 10/5/08, Ed Ravin <eravin at panix.com> wrote:

> From: Ed Ravin <eravin at panix.com>
> Subject: Re: [c-nsp] Modifying ACLs on production router
> To: "Matlock, Kenneth L" <MatlockK at exempla.org>
> Cc: cisco-nsp at puck.nether.net
> Date: Sunday, October 5, 2008, 12:03 PM
> On Sun, Oct 05, 2008 at 12:37:34PM -0600, Matlock, Kenneth L
> wrote:
> > If you have an access-list on an interface, and that
> access-list
> > didn't exist then it got interpreted as a
> 'permit ip any any'. As
> > soon as you add the first line of the ACL, it then
> becomes a default
> > of 'deny ip any any' after the line you put
> in. So if you remove
> > an access-list, and put the lines back in, during the
> timeframe
> > between the first line, and the last, it will affect
> production
> > traffic. (Or in my case, I was modifying an ACL in the
> interface
> > 'closest' to me, and when the first line got
> added it cut off all
> > my management traffic....)
> 
> Yes, the aclmaker script was written with those scenarios
> in mind and
> is very careful to not let that happen when it updates
> ACLs.
> 
> > So from then on, I've always removed the ACL from
> the interface,
> > removed the ACL, rebuilt it, and re-applied it to the
> interface.
> > If you have the lines copied into a clipboard, you can
> paste the
> > stuff in fairly quickly, and not really allow much
> 'bad' traffic
> > in.
> 
> The limitations of cut-and-paste were what provoked me to
> write aclmaker.
> I had an ACL that kept getting longer and longer - after it
> got to 150
> lines I realized there had to be a better way.
> 
> Another better way, especially if you prefer
> point-and-click stuff, is
> Telconi Terminal - see http://www.telconi.com/ .  They
> provide a GUI or
> "craft terminal" interface to Cisco routers. 
> According to the docs, the
> most recent versions do some smart synchronization with
> access lists - I
> recall emailing them about one of the beta versions
> suggesting they copy
> aclmaker's strategies.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
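The two behaviours discussed in this thread (a bound ACL that does not exist yet or has no entries permits everything, and the moment its first entry goes in everything that matches no entry is dropped) are easy to reproduce in a small model. The following Python script is an added example and is not aclmaker, Telconi Terminal or any Cisco code; it models just enough of IOS configuration mode to replay the cut-and-paste rebuild Ken describes next to a make-before-break swap of the kind Steve wants, and checks after every configuration line whether the admin's own management session would still be permitted. The interface name (Vlan10), the addresses, the ACL contents and the "-new" temporary-name scheme are constructed for the demonstration.

```python
"""Model of IOS access-list semantics during an ACL rebuild (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


def parse_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    # An IOS wildcard mask is a hostmask, which ipaddress accepts after the slash.
    return ip_network(t + "/" + tokens.pop(0), strict=False)


@dataclass
class Entry:
    action: str          # "permit" or "deny"
    src: object          # ip_network
    dst: object          # ip_network

    @classmethod
    def parse(cls, line):
        tokens = line.split()
        rest = tokens[2:]                      # only 'permit|deny ip SRC DST' is modelled
        return cls(tokens[0], parse_spec(rest), parse_spec(rest))


@dataclass
class Router:
    acls: dict = field(default_factory=dict)      # acl name -> [Entry]
    bindings: dict = field(default_factory=dict)  # interface -> bound acl name
    ctx: tuple = None                              # current config sub-mode

    def permits(self, iface, src, dst):
        """Evaluate the ACL bound inbound on iface for a src->dst packet."""
        entries = self.acls.get(self.bindings.get(iface), [])
        if not entries:
            return True        # no ACL, ACL missing, or no entries yet: permit ip any any
        src, dst = ip_address(src), ip_address(dst)
        for e in entries:
            if src in e.src and dst in e.dst:
                return e.action == "permit"
        return False           # implicit deny at the end of a populated ACL

    def configure(self, line):
        """Apply one line of IOS-style configuration (the handful of forms used here)."""
        w = line.split()
        if w[:4] == ["no", "ip", "access-list", "extended"]:
            self.acls.pop(w[4], None)
        elif w[:3] == ["ip", "access-list", "extended"]:
            self.acls.setdefault(w[3], [])
            self.ctx = ("acl", w[3])
        elif w[0] == "interface":
            self.ctx = ("if", w[1])
        elif w[:3] == ["no", "ip", "access-group"]:
            self.bindings.pop(self.ctx[1], None)
        elif w[:2] == ["ip", "access-group"]:
            self.bindings[self.ctx[1]] = w[2]   # replaces any previous inbound binding
        elif w[0] in ("permit", "deny"):
            self.acls[self.ctx[1]].append(Entry.parse(line))
        else:
            raise ValueError("unsupported line: " + line)


def naive_rebuild(name, new_entries):
    """Delete the ACL and paste it back in place while it stays bound to the interface."""
    return ["no ip access-list extended " + name,
            "ip access-list extended " + name, *new_entries]


def make_before_break(iface, name, new_entries):
    """Build the new body under a temporary name, swap the binding, then rebuild the
    real name and swap back, so a complete ACL is bound at every step."""
    tmp = name + "-new"                       # assumed temporary naming scheme
    return ["ip access-list extended " + tmp, *new_entries,
            "interface " + iface, "ip access-group " + tmp + " in",
            "no ip access-list extended " + name,
            "ip access-list extended " + name, *new_entries,
            "interface " + iface, "ip access-group " + name + " in",
            "no ip access-list extended " + tmp]


def outage_points(router, commands, iface, src, dst):
    """Apply commands one at a time; return those after which src->dst on iface is denied."""
    blocked = []
    for cmd in commands:
        router.configure(cmd)
        if not router.permits(iface, src, dst):
            blocked.append(cmd)
    return blocked


def demo():
    """Rebuild a constructed management ACL both ways and report where the admin loses access."""
    old = ["permit ip 10.0.0.0 0.255.255.255 any",
           "permit ip host 192.0.2.10 any",        # the admin's workstation
           "deny ip any any"]
    new = old[:2] + ["permit ip host 192.0.2.11 any"] + old[2:]   # the change being made
    results = {}
    for label, plan in (("naive", naive_rebuild("MGMT", new)),
                        ("make-before-break", make_before_break("Vlan10", "MGMT", new))):
        r = Router()
        for cmd in ["ip access-list extended MGMT", *old,
                    "interface Vlan10", "ip access-group MGMT in"]:
            r.configure(cmd)
        results[label] = outage_points(r, plan, "Vlan10", "192.0.2.10", "10.0.0.1")
    return results


if __name__ == "__main__":
    for label, blocked in demo().items():
        print(label, "->", "no outage" if not blocked else "blocked after: " + blocked[0])
```

In the naive run the admin at 192.0.2.10 is cut off the instant the first entry (the 10/8 permit) is entered and stays cut off until the line permitting the workstation arrives; the make-before-break sequence never denies the session, which is the property aclmaker and the JUNOS commit model both provide. The model ignores hardware programming delays, so on a real platform the swap is only as atomic as the ASIC update behind `ip access-group`.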