[f-nsp] editing accesslists w/o causing interrupts
George Bonser
george at shorelink.com
Fri Mar 5 15:37:17 EST 2004
Yes. What you do is keep a copy of the ACL on a TFTP server someplace.
Here is a short example:
#head access-list-101.txt
no access-list 101
access-list 101 remark UPLINK-1
access-list 101 remark BOGONs first
access-list 101 deny ip 0.0.0.0/7 any
access-list 101 deny ip 2.0.0.0/8 any
access-list 101 deny ip 5.0.0.0/8 any
access-list 101 deny ip 7.0.0.0/8 any
access-list 101 deny ip 23.0.0.0/8 any
access-list 101 deny ip 27.0.0.0/8 any
access-list 101 deny ip 31.0.0.0/8 any
What you do then is copy it by tftp to the running config. As a matter of
fact, the ONLY thing you can copy to the running config are ACLs.
Something like:
copy tftp run <address-of-tftp-server> <filename-of-acl>
Then in config mode
ip rebind-acl <access-list>
to rebind the now modified acl if auto-rebind isn't set.
On Fri, 5 Mar 2004, Michael Renner wrote:
> Hi!
>
> Is it possible to edit accesslists without having to move the
> "permit/deny any" entries "down" in the access-list manually (e.g. if
> you've added new entries)? If you move the permit/deny any entries by
> hand you could cause short disruptions in service (between the e.g. "no
> access 20 permit any" "access 20 permit any" commands). A workaround
> would be to temporarily remove the access-list from the given service,
> but when you use it in multiple spots in the config, this can be quite
> cumbersome.
>
> Any ideas?
>
> --
>
> best regards,
> Michael Renner
>
> Preisvergleich Internet Services AG
> Franzensbrückenstraße 8/2/16, A-1020 Wien
> Tel: +43 1 5811609 56
> Fax: +43 1 5811609 55
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
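
A pre-flight check for the ACL file before it is copied to the running config, as an added example that is not part of the original thread. It assumes only the line forms shown in the post plus a constructed "permit ip any any" catch-all; the name lint_acl_file and both sample files are hypothetical.

```python
import ipaddress
import re
HEAD = re.compile(r"^no access-list\s+(\d+)$")
ENTRY = re.compile(r"^access-list\s+(\d+)\s+(remark|permit|deny)\b\s*(.*)$")

def lint_acl_file(text):
    """Return a list of problems in an ACL file meant for 'copy tftp run'."""
    problems, acl_id, catch_all_at = [], None, None
    for n, line in enumerate(map(str.strip, text.splitlines()), start=1):
        if not line:
            continue
        if acl_id is None:
            # The file must reset the list first, as the example in the post does.
            head = HEAD.match(line)
            if not head:
                return [f"line {n}: expected 'no access-list <number>' first"]
            acl_id = head.group(1)
            continue
        entry = ENTRY.match(line)
        if not entry:
            problems.append(f"line {n}: not an access-list entry: {line!r}")
            continue
        number, action, rest = entry.groups()
        if number != acl_id:
            problems.append(f"line {n}: ACL {number} entry in file for ACL {acl_id}")
        if action == "remark":
            continue
        if catch_all_at:
            problems.append(f"line {n}: unreachable after catch-all on line {catch_all_at}")
        for token in rest.split():
            if "/" in token:  # only CIDR operands are checked (assumption)
                try:
                    ipaddress.ip_network(token, strict=True)
                except ValueError as exc:
                    problems.append(f"line {n}: bad prefix: {exc}")
        if rest.split() == ["ip", "any", "any"]:
            catch_all_at = n
    return problems if acl_id else ["file is empty"]
# Constructed samples: the deny form follows the post, the catch-all is assumed.
GOOD_ACL = """no access-list 101
access-list 101 deny ip 0.0.0.0/7 any
access-list 101 permit ip any any
"""
BAD_ACL = """no access-list 101
access-list 102 deny ip 2.0.0.0/8 any
access-list 101 deny ip 23.0.0.1/8 any
access-list 101 permit ip any any
access-list 101 deny ip 27.0.0.0/8 any
"""
```

An empty result means the file resets one ACL, every entry belongs to it, and nothing follows the catch-all entry.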