Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
678
Views
26
Helpful
4
Replies

Proper way to manipulate ACL's

Kevin Melton
Level 2
Level 2

‎05-07-2007 10:27 AM - edited ‎03-05-2019 03:55 PM

Hello all

This is basically a general knowledge question. I have been working for some time now with ACL's on both routers and on PIX's.

My question is as follows, and it is a little bit old school. I was taught years ago that this was fundamentally the proper course of events to perform when making a change to an existing ACL applied to an interface (this would be on the routers).

Step.1 - We must take the ACL which is applied to the interface...ex. config-if# no acess-group 123 in

Step. - The ACL is then copied out of the config onto Notepad and saved.

Step. 3. The ACL is deleted off of the box.

Step. 4- Changes are made to the ACL on Notepad.

Step 5.- The new ACL is then copied and pasted back to the box in global config

Step. 6 - The new ACL is re-applied to the interface.

I have always followed this methodology when working with ACL's .. this prevents paranoia of taking down a network.

Can someone verify that this is the proper course of action. I came across a young CCIE the other day whom was certain that you did not have to do any of that to implement changes to an ACL while it is applied.

I simply want to know what is correct so I can do the correct action.

Thanks

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎05-07-2007 10:41 AM

Hi

There is a chance he was talking about an extended access-list where each line is numbered which means you can insert lines into the access-list without having to remove it and re-paste it in.

HTH

Jon

mohammedmahmoud
Level 11
Level 11
In response to Jon Marshall

‎05-07-2007 12:30 PM

Hi,

Your steps are perfect, but as Jon has stated earlier most probably your mate was talking about named ACL which contains number for each entry, such that you can delete a certain entry or insert a certain entry between 2 other entries without needing to remove the ACL and reconfigure it.

Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries to the end of an access list only; therefore needing to add statements anywhere except the end required reconfiguring the access list entirely.

example:

Router# show access-list 150

Extended IP access list 150

10 permit ip host 10.3.3.3 host 172.16.5.34

20 permit icmp any any

30 permit tcp any host 10.3.3.3

40 permit ip host 10.4.4.4 any

50 Dynamic test permit ip any any

60 permit ip host 172.16.2.2 host 10.3.3.12

70 permit ip host 10.3.3.3 any log

80 permit tcp host 10.3.3.3 host 10.1.2.2

90 permit ip host 10.3.3.3 any

100 permit ip any any

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008043105e.html

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

glen.grant
VIP Alumni
VIP Alumni
In response to mohammedmahmoud

‎05-07-2007 03:09 PM

All acl's under newer code are really named acl's and you can make changes to them on the fly by going into acl config mode , when in this mode you can make any changes you want to the running acl and even reorder entries if you want to . Believe the named and acl config mode became prevalent with like 12.2T train software. Named came in before that but the numbereing scheme came out with 12.2T I believe.

Richard Burts
Hall of Fame
Hall of Fame
In response to glen.grant

‎05-07-2007 06:09 PM

Kevin

The responses talking about manipulating named access lists give good advice. But I believe that your question really asks about best practices and I would like to suggest my approach as being a slightly different best practice:

- copy the existing access list to notepad.

- change the access list identifier to create a different access list (works both for numbered and named access lists).

- make changes in notepad in the access list logic (add lines, or delete lines, or move lines, or whatever you need).

- paste from notepad to create a new access list.

- change the ip access-group on the interface to reference the new access list.

- after everything is tested out and stable, delete the old access list.

I believe that there are several advantages in this approach:

- if your new access list has a logic mistake (OOPS I did not really mean to have deny ip any any as the first line in the access list) it is easy to go back to the old/working version of the access list.

- there is never any time when the interface is not protected by an access list (if you remove the access list from the interface, delete the list, make changes, and re-create the list, and assign the access list to the interface then there is some period of time when the interface has no access list.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card