Updating ACLs on 6513s using config file

npereira
Level 1

Hi all,

What is the simplest way to make updates to ACLs using the config file, so that I download it, make changes and upload just the changes to the ACLs? Is there a specific procedure to make the upload delete the changed lines first, then upload the new lines?

Please advise.


9 Replies

JORGE RODRIGUEZ
Level 10

In my opinion and practice, it is easier to copy the current ACL, work on it in Notepad, make the changes needed and paste the new ACL into your switch or router. Whether there is a utility out there that would automate this process, perhaps someone out there could comment.

HTH

Jorge

Jorge Rodriguez

This is exactly what I need, but what do you mean by pasting? Just take the ACL portion of the config, update it and reload it via copy tftp run?

What I mean by copying and pasting:

Log in to the router or switch that has the ACL you want to work with.

Issue at the CLI:

show run

Note the ACL in question, highlight the whole ACL text, then copy it and paste it into Notepad. Remove the line you want and add the new line. Then log back in to the router, configuration mode.

You then delete the current running ACL

and paste the new one.

Example:

This is an extended access list from a router that has been retrieved and copied into Notepad on Windows.

access-list 182 permit tcp 10.3.8.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 10.3.9.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 10.2.2.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 192.168.13.0 0.0.0.255 any eq telnet

access-list 182 permit tcp host 10.3.4.244 any eq telnet

access-list 182 permit tcp host 10.3.4.245 any eq telnet

access-list 182 deny ip any any log

You can remove and add the new line, then log back in to the router and paste the new ACL. In this example I removed 10.3.4.244 and 10.3.4.245.

This was pasted into the router as an updated ACL, meaning you highlight the text from Notepad and paste the whole thing into the router.

no ip access-list 182

ip access-list extended 182

access-list 182 permit tcp 10.3.8.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 10.3.9.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 10.2.2.0 0.0.0.255 any eq telnet

access-list 182 permit tcp 192.168.13.0 0.0.0.255 any eq telnet

access-list 182 deny ip any any log

HTH

Jorge

Jorge Rodriguez

I thought there was another way to do this by using the config file itself, making changes, and re-uploading the config with a special line at the beginning of the NEW config file that basically tells the switch to discard the current config and replace it with this uploaded one.

For a router or a switch I have not seen such.

What you are looking for can only be done on Cisco PIX and ASA platforms, which have GUI interfaces that allow you to make changes in a GUI manner and have the device push the changes with a click of a mouse.

Jorge Rodriguez

Post your question under the Network Management forum here. Cisco Systems has network management software called CiscoWorks; I just don't know if this software can do what you are looking for. I know this software can import system configurations; whether you can make ACL changes and export them to devices I don't know.

Jorge Rodriguez

I think SNMP can change ACLs the way the OP wants to, but I do it the way someone else here suggested.

1. copy the ACL to your fav text editor (textpad for me)

2. remove the ACL from the interface

3. delete the ACL

4. edit the acl in your text editor

5. re-add ACL

6. re-apply ACL back to your interface

I keep 'templates' where all I have to do is paste the existing ACL in and edit it, and then copy/paste it all into the device.

Be careful when you copy/paste in bulk if you are using a DOS window or HyperTerminal. Either make sure you've configured HyperTerminal with a large buffer, or use another terminal emulator.
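As an added illustration of the copy/edit/paste workflow described in the six steps above and in Jorge's accepted reply (my own script, not code from either poster): given a saved `show run`, it pulls out one numbered ACL, drops the entries you name, inserts new entries ahead of the trailing deny-any so they are not shadowed, and emits the paste-able snippet in the order of steps 2 to 6. It assumes standard IOS numbered-ACL syntax (`no access-list N` to delete, `ip access-group N in|out` on interfaces) and uses a constructed config fragment rather than anything from the thread.

```python
import re

# Constructed "show run" fragment for the demo; not taken from the original thread.
SAMPLE_RUNNING_CONFIG = """\
interface Vlan10
 ip address 10.3.8.1 255.255.255.0
 ip access-group 182 in
!
access-list 182 permit tcp 10.3.8.0 0.0.0.255 any eq telnet
access-list 182 permit tcp host 10.3.4.244 any eq telnet
access-list 182 deny ip any any log
"""

def extract_acl(config, acl_number):
    """Return the ACE lines of a numbered ACL in their original order."""
    prefix = f"access-list {acl_number} "
    return [ln.strip() for ln in config.splitlines() if ln.strip().startswith(prefix)]

def find_bindings(config, acl_number):
    """Return (interface, direction) pairs where the ACL is applied."""
    bindings, current = [], None
    for ln in config.splitlines():
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
        m = re.match(rf"\s+ip access-group {acl_number} (in|out)$", ln)
        if m and current:
            bindings.append((current, m.group(1)))
    return bindings

def build_replacement(config, acl_number, remove=(), add=()):
    """Steps 2-6 of the post as one paste-able snippet. `remove` holds substrings
    of ACEs to drop; `add` holds complete new ACE lines, inserted ahead of a
    trailing deny-any so they are not shadowed (first match wins, top-down)."""
    old = extract_acl(config, acl_number)
    if not old:
        raise ValueError(f"access-list {acl_number} not found in config")
    kept = [ln for ln in old if not any(r in ln for r in remove)]
    if kept and kept[-1].startswith(f"access-list {acl_number} deny ip any any"):
        kept = kept[:-1] + list(add) + [kept[-1]]
    else:
        kept = kept + list(add)
    bindings = find_bindings(config, acl_number)
    out = []
    for intf, direction in bindings:             # step 2: unbind from interfaces
        out += [f"interface {intf}", f" no ip access-group {acl_number} {direction}", "!"]
    out.append(f"no access-list {acl_number}")   # step 3: delete the old ACL
    out += kept                                  # steps 4-5: the edited ACL
    for intf, direction in bindings:             # step 6: re-apply
        out += ["!", f"interface {intf}", f" ip access-group {acl_number} {direction}"]
    return "\n".join(out) + "\n"
```

Between the `no ip access-group` line and the re-apply the interface passes traffic unfiltered, so paste the whole snippet in one go during a change window and keep the original `show run` output so the old ACL can be pasted straight back if needed.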

SNMP, good point !

Jorge Rodriguez

To edit the ACL configurations via SNMP, you would want to use the CISCO-CONFIG-COPY-MIB. Here's an example:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094aa6.shtml

Also, as mentioned above, CiscoWorks LMS does have config editing tools built into RME that can assist with this.
