At 9:39 AM -0700 5/4/05, Paxton wrote:
>Its been quiet for a couple of days! There were a couple of posts early
>on re: acl management. A few things mentioned there:
>
>* CiscoWorks ACL Manager (I heard cisco is dumping that? Anyone know
>anything about this?)
>
>* do-it-yourself-with-tftp (I'm not really sure if there was a more
>specific point here that I missed, but if everything everyone wanted could
>be done by just getting the config via tftp, editting the config, and
>pushing it back, we wouldn't be asking these questions, IMO)
A key problem with this approach is, you don't know if the revised
config is going to load properly. You might have typo'd one of the
lines you added/changed/deleted. You might have added Just One More
Line that pushes you beyond some internal limit of the device. Also,
if you clear and redefine an access-list in place, you may have a
short window of time during which you're unprotected (which might
become a long window of time, if you get interrupted at just the
wrong point). You just don't know...
My usual "as safe as I can make it" approach to managing ACL's on
Ciscos is to use a second access-list as a "temporary":
1) define a _new_ access-list that includes my changes
2) upload and execute the commands creating that new access-list
3) if and only if creating that new access-list succeeded, change
the interface definition to refer to the new list instead of the old
4) if that works, then clean up by:
a) clear/redefine the original list as a copy of the new one
b) switch the interface back to the (updated) original list
c) delete the new list (which was only used temporarily)
So, for example, let's say that I currently had access-list 100
assigned to inbound packets on interface Ethernet0/0, and that there
was no access-list 101 defined yet.
I'd start by clearing and defining access-list 101:
no access-list 101
access-list 101 permit ...
access-list 101 permit ...
access-list 101 deny ip any any
Then, if and only if the commands above (to create access-list 101)
succeeded, I'd do
interface Ethernet0/0
ip access-group 101 in
If that worked, I'd clean up by clearing and redefining access-list
100 to match the new access-list 101, and then switching the
interface back to using the (now updated) access-list 100 and
deleting the (now unused) access-list 101:
no access-list 100
access-list 100 permit ...
access-list 100 permit ...
access-list 100 deny ip any any
interface Ethernet0/0
ip access-group 100 in
no access-list 101
You're left with an updated access-list 100, and with your interface
config just what it was before, without ever having a time where you
were unprotected.
You've got to stop on errors after any command, obviously, and may
need to do some cleanup (probably just "no access-list 101" or "no
access-list 100", depending on where the error occurred).
-Brent
--
Brent Chapman <brent@greatcircle.com> -- Great Circle Associates, Inc.
Specializing in network infrastructure for Silicon Valley since 1989
For info about us and our services, please see http://www.greatcircle.com/
Network Automation blog: http://www.greatcircle.com/blog/network_automation
Follow-Ups:
References:
|
|
