LMS 2.6 RME 4.0.5 Baseline Template + access list change trouble

subrin_matt
Level 1

Hi,

This is the second time I've posted about this kind of issue:

The baseline template is really powerful for mass changes but limited with ACLs.

I mean ACLs are really the kind of thing that is helpful to modify in mass; as long as we just add an ACL line it's okay (if it doesn't have a deny at the end), but it is not good for removing or any other ACL change.

To illustrate what I'm saying:

I made a template to change the access-list on more than 3000 devices, so it is important to me to let RME do the job for me.

So I prepared my template:

- access-list 1 permit 192.168.3.12
- access-list 1 permit 192.168.3.17
+ access-list 1 permit 192.168.52.128 0.0.0.127

Yes, I want to remove 2 hosts:

- 192.168.3.12 & 17

and add a global subnet:

- 192.168.52.128

So this is the config on the test devices before the deployment:

access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.3.12
access-list 1 permit 192.168.3.17
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127

During the deployment, RME telnets in and runs:

swi-test(config)#
no access-list 1 permit 192.168.3.12
swi-test(config)#
no access-list 1 permit 192.168.3.17
swi-test(config)#
access-list 1 permit 192.168.52.128 0.0.0.127

So it ends with success, but the whole issue is that as soon as you do a "no access-list #", the whole ACL is removed, so it makes no sense to me to have a tool which can be granular in its possibilities but gives you a result so far from what you expect!

So the result in the device config is only this:

access-list 1 permit 192.168.52.128 0.0.0.127

So we are far from my wish, which was to have the 2 lines removed and the subnet added:

access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
access-list 1 permit 192.168.52.128 0.0.0.127

Has anybody already experienced something like that and knows the solution to avoid that kind of result?

Thanks a lot,

Matt

2 Replies

Joe Clarke
Cisco Employee

Baseline templates are not really ideal for ACL management. There are features in the Cisco Security Management Suite that are geared more towards what you want to do.

If you want to use RME for this, you're probably better off creating a Netconfig template to do this. The Netconfig template would essentially do:

no access-list 1
access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
access-list 1 permit 192.168.52.128 0.0.0.127

The bad news is, this flow can leave you vulnerable for a short amount of time.

Once you have the Netconfig template, you can also create a baseline template to check compliance across all your devices. The baseline template would contain every ACE in your ACL beginning with a '+'. And ideally, you would also check the box to enable the ordered feature of the template to ensure each ACE is in the correct order.

Yep, that is not really good in fact.

Here is what I will do: I will use NetConfig to change the access-list.

The only way to not destroy the access list is to access it via conf t and

ip access-list standard (or extended) 1

After that you are able to change it without killing the access-list.

So I will let you know the result.

Thanks for the help; I would like to be sure that it was not me who forgot something.

Matt
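The thread shows three things worth modelling before pushing a change to 3000 devices: the baseline template's global-mode "no access-list 1 permit X" wipes the whole list, the Netconfig rebuild ("no access-list 1" followed by the full list) leaves a window with no ACL at all, and the named-ACL sub-mode ("ip access-list standard 1") lets you remove single entries. The following script is an added example for this page, not code from the thread, from RME or from Cisco. It parses the running-config from the original post, generates the sub-mode commands that touch only the two entries to remove and the one to add, models the resulting list, and runs the kind of "every ACE present, in order" check Joe Clarke describes for a "+"-only baseline template. It assumes ACEs look like the ones in the post ("access-list N permit SRC [WILDCARD]") and that the platform accepts the sub-mode for a numbered list, as the last reply states; the "device" here is an in-memory model, so verify the real behaviour on one lab device before a mass job.

```python
"""Plan a non-destructive edit of an IOS numbered standard ACL and check the result.

Added example for this thread; not code from the thread, from RME or from Cisco.
Assumptions: ACEs look like "access-list N permit SRC [WILDCARD]", and the
device accepts the named-ACL sub-mode for a numbered list
("ip access-list standard N"), where 'no <ace>' removes a single entry.
The 'device' below is a small in-memory model, not real device output.
"""
import re

# Constructed sample running-config, copied from the test switch in the post.
RUNNING_CONFIG = """\
hostname swi-test
access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.3.12
access-list 1 permit 192.168.3.17
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
"""

ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
HOST_WC = "0.0.0.0"  # IOS omits the wildcard for a single host


def parse_acl(config, number):
    """Return the ACEs of numbered ACL `number`, in order, as (action, src, wildcard)."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and int(m.group(1)) == number:
            aces.append((m.group(2), m.group(3), m.group(4) or HOST_WC))
    return aces


def ace_text(ace):
    """Render an ACE the way it appears inside the sub-mode (no 'access-list N' prefix)."""
    action, src, wc = ace
    return f"{action} {src}" if wc == HOST_WC else f"{action} {src} {wc}"


def parse_ace_body(text):
    parts = text.split()
    return (parts[0], parts[1], parts[2] if len(parts) > 2 else HOST_WC)


def plan_change(number, current, remove, add):
    """Commands that edit single entries inside 'ip access-list standard N'.

    This is the approach from the last reply: in the sub-mode, 'no permit X'
    deletes only that entry, whereas 'no access-list N permit X' in global
    config mode (what the baseline template generated) wipes the whole list.
    Refuses to produce a plan if an ACE to remove is not actually on the device.
    """
    missing = [a for a in remove if a not in current]
    if missing:
        raise ValueError(f"not on device: {[ace_text(a) for a in missing]}")
    cmds = [f"ip access-list standard {number}"]
    cmds += [f" no {ace_text(a)}" for a in remove]
    cmds += [f" {ace_text(a)}" for a in add if a not in current]
    return cmds


def apply_plan(current, cmds):
    """Model how the sub-mode commands change the list: one entry at a time."""
    acl = list(current)
    for cmd in cmds[1:]:  # cmds[0] is the 'ip access-list standard N' line
        body = cmd.strip()
        if body.startswith("no "):
            acl.remove(parse_ace_body(body[3:]))
        else:
            acl.append(parse_ace_body(body))
    return acl


def check_baseline(acl, required, ordered=True):
    """Compliance check in the spirit of a '+'-only baseline template.

    Every required ACE must be present; with ordered=True they must also
    appear in the given relative order (the 'ordered' option from the reply).
    """
    if any(a not in acl for a in required):
        return False
    if not ordered:
        return True
    positions = [acl.index(a) for a in required]
    return positions == sorted(positions)


def demo():
    """Reproduce the change from the original post without destroying the ACL."""
    current = parse_acl(RUNNING_CONFIG, 1)
    remove = [("permit", "192.168.3.12", HOST_WC), ("permit", "192.168.3.17", HOST_WC)]
    add = [("permit", "192.168.52.128", "0.0.0.127")]
    cmds = plan_change(1, current, remove, add)
    result = apply_plan(current, cmds)
    return cmds, result


if __name__ == "__main__":
    cmds, result = demo()
    print("\n".join(cmds))
    print("resulting ACL:", [ace_text(a) for a in result])
    print("compliant with own list:", check_baseline(result, result))
```

Running it prints the four-line Netconfig body (sub-mode entry, two "no permit" lines, one "permit") and the four-entry list the original poster wanted. Feeding the same desired list back into check_baseline gives a reusable compliance check: run it over each device's parsed running-config after the job and flag any device where an ACE is missing or out of order, which catches exactly the "only one line left" outcome from the first post.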