Firewall Wizards mailing list archives

RE: Cisco acls


From: "Mathew Want" <mathew.want () ac3 com au>
Date: Wed, 2 Mar 2005 09:04:47 +1100

Eric,

In short, yes. What's worse is that if there is an error in the new ACL that
you paste in, then you wind up with only half the ACL in effect until you
either paste back the original list or debug the one you are trying to
apply. I used to have this concern myself when I had a large ACL on my
border routers until I was shown a way to avoid this. It looks a little
long-winded but it works a treat for me. Please note that some of the steps
listed are for completeness.

1. Save the Config
2. Take a copy of the config and paste into notepad (or editor of
preference).
3. Isolate the ACL (access-list 177 from your example) and change the number
to an unused ACL number (let's assume 178), so now 177 and 178 are identical
rules.
4. Apply 178 to the router and watch for errors. If no errors go to the
interface(s) that 177 is applied to and change the access-group from 177 to
178. This should leave no time gap in the ACL (or at least a much much
smaller one).
5. In the notepad version of 177, add, remove or re-order the ACL lines you
need to.
6. On the router remove ACL 177 and apply the new 177. Watch for errors.
7. Change the access-group on the interface back to 177.
8. Remove ACL 178 from the router (for cleanliness)
9. Save the Config.

If you are not concerned with keeping the ACL number the same, you can make
your edits to the 178 ACL and save a few steps (and maybe use the ACL number
as a revision number), but I always liked keeping the ACL number the same to
avoid collisions and confusion.

Hope this helps,
--
Regards,
Mathew Want
ac3
Network and Security Engineer
Phone:      +61 2 9209 4600
Email:      mathew.want () ac3 com au 
URL:        http://www.ac3.com.au

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eric
Appelboom
Sent: Wednesday, 2 March 2005 2:53 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Cisco acls


Hi,

I would appreciate some comments with regard to the extensive use of
Cisco router ACLs to protect numerous networks.

My concern is that when someone amends an access-list one generally
enters "no access-list 177" and then pastes in the new access list. Does
this mean that for a period of time there is no protection on the
network that the ACL applies to?

Best Regards
Eric
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

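Mathew's nine steps written out as a single IOS CLI session, added here as an illustration and not part of either post. The contents of list 177, the interface name GigabitEthernet0/0 and the host 192.0.2.10 are made up for the example, since the real list is not on the page; the `show` commands are the checks you would run between steps. The reason the swap matters is that on IOS an `ip access-group` that points at a list with no entries filters nothing, so the moment after `no access-list 177` the interface is wide open until the first line of the new list is accepted, and a paste that fails halfway leaves only the lines before the error in force.

```cisco
! Step 1: save the running config before touching anything
copy running-config startup-config

! Steps 2-3 happen in the editor: copy the 177 lines, renumber them 178.
! Step 4: apply the copy. Watch the terminal for "% Invalid input" here.
! (Hypothetical rules for the example; the real 177 is not on the page.)
configure terminal
access-list 178 remark copy of 177 for hitless edit
access-list 178 permit tcp any host 192.0.2.10 eq 80
access-list 178 permit tcp any host 192.0.2.10 eq 443
access-list 178 deny   ip any any log
end

! Check the copy loaded completely before relying on it
show access-lists 178

! Step 4 (cont.): move the interface onto the copy. 177 stays in force
! until this one command takes effect, so there is no unfiltered window.
configure terminal
interface GigabitEthernet0/0
 ip access-group 178 in
end
show ip interface GigabitEthernet0/0 | include access list
! expect: Inbound  access list is 178

! Step 5 is done in the editor: add, remove or reorder lines in 177.
! Step 6: rebuild 177 while 178 is doing the filtering.
configure terminal
no access-list 177
access-list 177 permit tcp any host 192.0.2.10 eq 80
access-list 177 permit tcp any host 192.0.2.10 eq 443
! the new line this change is for:
access-list 177 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.10 eq 22
access-list 177 deny   ip any any log
end
show access-lists 177

! Step 7: swap the interface back to the edited 177
configure terminal
interface GigabitEthernet0/0
 ip access-group 177 in
end
show ip interface GigabitEthernet0/0 | include access list
! expect: Inbound  access list is 177

! Step 8: drop the scratch copy so nobody mistakes it for a live list
configure terminal
no access-list 178
end

! Step 9: save
copy running-config startup-config
```

The two `show ip interface ... | include access list` checks are the ones worth keeping even if you skip the rest: they confirm the interface really did move, which is the only thing standing between you and the window Eric asked about. If the router is on IOS 12.3 or later, a named list (`ip access-list extended NAME`) with sequence numbers lets you insert or delete a single line in place without rebuilding the list at all, which removes the need for the scratch copy.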
