Firewall Wizards mailing list archives
RE: Cisco acls
From: "Mathew Want" <mathew.want () ac3 com au>
Date: Wed, 2 Mar 2005 09:04:47 +1100
Eric,

In short, yes. What's worse is that if there is an error in the new ACL that you paste in, then you wind up with only half the ACL in effect until you either paste back the original list or debug the one you are trying to apply.

I used to have this concern myself when I had a large ACL on my border routers, until I was shown a way to avoid this. It looks a little long-winded, but it works a treat for me. Please note that some of the steps listed are for completeness.

1. Save the config.
2. Take a copy of the config and paste it into Notepad (or editor of preference).
3. Isolate the ACL (access-list 177 from your example) and change the number to an unused ACL number (let's assume 178), so now 177 and 178 are identical rules.
4. Apply 178 to the router and watch for errors. If no errors, go to the interface(s) that 177 is applied to and change the access-group from 177 to 178. This should leave no time gap in the ACL (or at least a much, much smaller one).
5. In the Notepad version of 177, add, remove or re-order the ACL lines you need to.
6. On the router, remove ACL 177 and apply the new 177. Watch for errors.
7. Change the access-group on the interface back to 177.
8. Remove ACL 178 from the router (for cleanliness).
9. Save the config.

If you are not concerned with keeping the ACL number the same, you can make your edits to the 178 ACL and save a few steps (and maybe use the ACL number as a revision number), but I always liked keeping the ACL number the same to avoid collisions and confusion.
Hope this helps,

--
Regards,
Mathew Want
ac3 Network and Security Engineer
Phone: +61 2 9209 4600
Email: mathew.want () ac3 com au
URL: http://www.ac3.com.au

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric Appelboom
Sent: Wednesday, 2 March 2005 2:53 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Cisco acls

Hi,

I would appreciate some comments with regard to the extensive use of Cisco router ACLs to protect numerous networks. My concern is that when someone amends an access-list, one generally enters "no access-list 177" and then pastes in the new access list. Does this mean that for a period of time there is no protection on the network that the ACL applies to?

Best Regards
Eric

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
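The swap-through-a-spare-number procedure above is the kind of thing that gets scripted once it has to be done on several routers. The following is an added example, not code from the list post or from ac3: it takes a copy of a saved running-config, isolates the numbered ACL, checks that the spare number is genuinely unused, finds every interface and direction the ACL is bound to, and emits the IOS configuration-mode command sequence for steps 3 to 9 in one paste. The config text, the interface names, the addresses and the SSH rule being added are all constructed for illustration; only the ACL numbers 177 and 178 come from the thread.

```python
"""Generate the IOS command sequence for the 'swap through a spare ACL number'
procedure from the thread. Added example, not code from the list post; the
config below is constructed and every name/address in it is an assumption."""

from __future__ import annotations

import re

# Constructed sample of a saved running-config (not any real router's config).
SAMPLE_CONFIG = """\
hostname border1
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 177 in
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
access-list 177 remark border ingress filter
access-list 177 deny   ip 10.0.0.0 0.255.255.255 any
access-list 177 permit tcp any host 192.0.2.10 eq 80
access-list 177 permit tcp any host 192.0.2.10 eq 443
access-list 177 deny   ip any any log
!
end
"""

ACL_RE = re.compile(r"^access-list (\d+) (.*)$")
GROUP_RE = re.compile(r"^\s*ip access-group (\d+) (in|out)\s*$")


def acl_lines(config: str, number: int) -> list[str]:
    """Bodies (text after the ACL number) of ACL `number`, in config order."""
    bodies = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m and int(m.group(1)) == number:
            bodies.append(m.group(2))
    return bodies


def acl_numbers_in_use(config: str) -> set[int]:
    """Every numbered ACL that is defined or bound to an interface."""
    used = set()
    for line in config.splitlines():
        for rx in (ACL_RE, GROUP_RE):
            m = rx.match(line)
            if m:
                used.add(int(m.group(1)))
    return used


def interfaces_using(config: str, number: int) -> list[tuple[str, str]]:
    """(interface name, direction) pairs where ACL `number` is applied."""
    found, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = GROUP_RE.match(line)
        if m and int(m.group(1)) == number and current:
            found.append((current, m.group(2)))
    return found


def swap_commands(config: str, number: int, spare: int,
                  new_bodies: list[str]) -> list[str]:
    """Steps 3-9 of the procedure as one configuration-mode paste.

    The spare ACL is a verbatim copy of the live one, so the interfaces are
    never unfiltered while ACL `number` is deleted and re-entered, and a
    syntax error in the paste shows up before any traffic depends on it.
    """
    if spare in acl_numbers_in_use(config):
        raise ValueError(f"ACL {spare} is already in use")
    old_bodies = acl_lines(config, number)
    if not old_bodies:
        raise ValueError(f"ACL {number} not found")
    ifaces = interfaces_using(config, number)

    cmds = ["configure terminal"]
    # Steps 3-4: identical copy under the spare number, then rebind interfaces.
    cmds += [f"access-list {spare} {body}" for body in old_bodies]
    for name, direction in ifaces:
        cmds += [f"interface {name}", f" ip access-group {spare} {direction}", " exit"]
    # Step 6: the original number is now free to be removed and re-entered.
    cmds += [f"no access-list {number}"]
    cmds += [f"access-list {number} {body}" for body in new_bodies]
    # Step 7: bind the interfaces back to the original number.
    for name, direction in ifaces:
        cmds += [f"interface {name}", f" ip access-group {number} {direction}", " exit"]
    # Steps 8-9: drop the spare copy and save.
    cmds += [f"no access-list {spare}", "end", "write memory"]
    return cmds


# Constructed edit (step 5): allow SSH to the web host, keeping the final deny last.
_old = acl_lines(SAMPLE_CONFIG, 177)
NEW_BODIES = _old[:-1] + ["permit tcp any host 192.0.2.10 eq 22"] + _old[-1:]

if __name__ == "__main__":
    print("\n".join(swap_commands(SAMPLE_CONFIG, 177, 178, NEW_BODIES)))
```

The ordering the script enforces is the whole point: `ip access-group 178 in` on an interface replaces the binding to 177 in a single command, so the only moment the interface is unprotected is the one the command itself takes, and `no access-list 177` is never issued while an interface still points at 177. The unused-number check matters because pasting `access-list 178 ...` lines onto a router that already has a 178 would append to that list rather than create a clean copy.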
Current thread:
- Cisco acls Eric Appelboom (Mar 01)
- Re: Cisco acls Daniel Linder (Mar 04)
- RE: Cisco acls Bruce Smith (Mar 04)
- RE: Cisco acls Mark Teicher (Mar 12)
- Re: Cisco acls Kevin (Mar 24)
- RE: Cisco acls Mark Teicher (Mar 12)
- Re: Cisco acls Steve Saeedi (Mar 04)
- Re: Cisco acls Luca Berra (Mar 07)
- RE: Cisco acls Mathew Want (Mar 04)
- RE: Cisco acls Ben Nagy (Mar 04)
- Re: Cisco acls Stephane (Mar 04)
- Re: Cisco acls Miha Vitorovic (Mar 24)
- <Possible follow-ups>
- RE: Cisco acls Behm, Jeffrey L. (Mar 04)
- RE: Cisco acls Matthew.Harvey () usdoj gov (Mar 04)
- RE: Cisco acls Paul Melson (Mar 04)
- Re: Cisco acls Luca Berra (Mar 07)
- RE: Cisco acls Luke Butcher (Mar 06)
- RE: Cisco acls Luke Butcher (Mar 07)
- RE: Cisco acls Andrew Yourtchenko (Mar 12)
(Thread continues...)