[c-nsp] Modifying ACLs on production router
Justin Shore
justin at justinshore.com
Sun Oct 5 22:54:16 EDT 2008
Matlock, Kenneth L wrote:
> I'm not sure about these days, but I got bit before when changing an ACL on a remote device.
>
> If you have an access-list on an interface, and that access-list didn't exist then it got interpreted as a 'permit ip any any'. As soon as you add the first line of the ACL, it then becomes a default of 'deny ip any any' after the line you put in. So if you remove an access-list, and put the lines back in, during the timeframe between the first line, and the last, it will affect production traffic. (Or in my case, I was modifying an ACL in the interface 'closest' to me, and when the first line got added it cut off all my management traffic....)
>
> So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.
This is what I was going to bring up if no one else said it. An empty
ACL does nothing. But as soon as you create the ACL it appends a deny
ip any any to the ass end of it. Now I suppose that it's possible to
create an IP ACL with line 1 being a permit ip any any and then remove
line 1 as soon as everything else is added. That would work.
Personally I remove the ACL from each interface that it's applied to,
then remove the ACL, re-add the updated ACL and reapply it to all the
right interfaces. I keep my major ACLs in text files on my NOC server.
I store them in CVS. In these text files I start off with the config
needed to remove the ACLs from all the associated interfaces (ready to
copy and paste to eliminate errors). Then below that are the lines
removing the ACL (critical step so that you aren't adding crap to the
end of the old ACL, almost certainly with duplicate lines). Then comes
the ACL contents. I make a significant amount of comments and notes
inline with the config, all commented out with a "!" so I can copy and
paste right through the comments without causing any problems. The file
ends with the reversal of the first block of config: adding the ACLs
back to the interfaces.

Were I worried about security and in a situation where I couldn't have
any interface unsecured for even a few seconds, I'd do what Gert said
and have a pair of ACLs that I swap between. In that case when I add
an ACL, "ftth-in" for example, I'd also add a duplicate of it as
"temp-ftth-in". Then when I needed to make a change I'd switch the
interface to the temp ACL without removing the old access-group lines,
modify or replace the regular ACL, and then switch back so I always know
what ACL I have on the interface. Then replace the temp ACL with a copy
of the current ACL so it's ready to go the next time. All scriptable,
all easily doable. The biggest thing is keeping track of which
interfaces have been assigned the ACLs you're modifying.

FEATURE REQUEST

We need a sub-command of 'show ip access-list' that tells us what
interfaces a given ACL is applied to. Something simple like

    show ip access-list <acl> interfaces

We already have 'sh ip access-list interface <int>' but that requires
one to increment through all the interfaces. I just want to know the
name/number and direction of an ACL. That's all. That's what we need
for easy script processing.

Justin
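The temp-ACL swap Justin describes above (move the interfaces to a staging copy, rebuild the real ACL while nothing references it, switch back, refresh the staging copy) is easy to get wrong by hand because the step order is what keeps every interface filtered. The script below is an added example, not code from the thread or from any of its posters: it emits the IOS commands for that procedure in the right order and refuses to build an empty ACL, which is the permit-everything trap the thread is about. The ACL name, interface names, addresses and ACL entries are constructed for illustration; the generated text is meant to be reviewed and pasted, exactly as the text-file workflow above does.

```python
"""Generate the Cisco IOS CLI for a staged ACL replacement that never leaves
an interface without a filter.

Added example, not from the thread.  Interface names, ACL names, addresses
and ACL entries are constructed; substitute your own before use.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binding:
    """One place the ACL is applied: an interface and a direction."""
    interface: str      # assumed name, e.g. "GigabitEthernet0/1"
    direction: str      # "in" or "out"


def _acl_block(name: str, lines: List[str]) -> List[str]:
    """Delete and recreate a named extended ACL.

    Deleting first matters: 'ip access-list extended NAME' on an ACL that
    already exists appends to it instead of replacing it.
    """
    if not lines:
        # An ACL with no entries is treated as permit-everything once bound,
        # so never emit one.
        raise ValueError(f"refusing to build empty ACL {name!r}")
    return [f"no ip access-list extended {name}",
            f"ip access-list extended {name}",
            *[f" {entry}" for entry in lines]]


def _rebind(name: str, bindings: List[Binding]) -> List[str]:
    """Point each interface at NAME.

    A new 'ip access-group' in the same direction replaces the old one, so
    no 'no ip access-group' line is needed and the interface is never
    unfiltered.
    """
    out: List[str] = []
    for b in bindings:
        if b.direction not in ("in", "out"):
            raise ValueError(f"bad direction {b.direction!r} on {b.interface}")
        out += [f"interface {b.interface}",
                f" ip access-group {name} {b.direction}"]
    return out


def staged_replacement(name: str, new_lines: List[str], bindings: List[Binding],
                       current_lines: Optional[List[str]] = None,
                       temp_prefix: str = "temp-") -> List[str]:
    """Return the full command sequence for swapping NAME via a staging ACL.

    Pass current_lines the first time so the staging ACL exists before any
    interface is pointed at it; later runs can omit it because step 4 keeps
    the staging ACL in sync.
    """
    temp = temp_prefix + name
    cfg = ["configure terminal"]
    if current_lines is not None:
        cfg += ["! Step 0 (first use only): staging ACL = copy of the live ACL"]
        cfg += _acl_block(temp, current_lines)
    cfg += [f"! Step 1: move every binding to {temp}; interfaces stay filtered"]
    cfg += _rebind(temp, bindings)
    cfg += [f"! Step 2: rebuild {name} while nothing references it"]
    cfg += _acl_block(name, new_lines)
    cfg += [f"! Step 3: switch the interfaces back to {name}"]
    cfg += _rebind(name, bindings)
    cfg += [f"! Step 4: refresh {temp} so it is ready for next time"]
    cfg += _acl_block(temp, new_lines)
    cfg += ["end"]
    return cfg


# Constructed sample data (documentation range 192.0.2.0/24, made-up ports).
BINDINGS = [Binding("GigabitEthernet0/1", "in"),
            Binding("GigabitEthernet0/2", "in")]
NEW_FTTH_IN = [
    "remark -- constructed sample policy, not a real one --",
    "permit tcp 192.0.2.0 0.0.0.255 any eq 22",
    "permit udp 192.0.2.0 0.0.0.255 any eq 53",
    "deny ip any any log",
]

if __name__ == "__main__":
    print("\n".join(staged_replacement("ftth-in", NEW_FTTH_IN, BINDINGS,
                                       current_lines=["permit ip any any"])))
```

The keeping-track problem from the post is the `bindings` list: the script can only protect interfaces it knows about, so that list is the thing to keep in version control next to the ACL itself.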