07-18-2007 01:50 AM
Hi,
This is the second time I have posted about this kind of issue:
the baseline template is really powerful for mass changes but limited with ACLs.
I mean, ACLs are really the kind of thing that is helpful to modify en masse; as long as we just add an ACL line it's okay (if it has no deny at the end), but it is not good for removal or any other ACL change.
To illustrate what I'm saying:
I made a template to change an access-list on more than 3000 devices, so it is important to me to let RME do the job for me.
So I prepared my template:
- access-list 1 permit 192.168.3.12
- access-list 1 permit 192.168.3.17
+ access-list 1 permit 192.168.52.128 0.0.0.127
Yes, I want to remove 2 hosts:
- 192.168.3.12 & 17
and add a global subnet
- 192.168.52.128
So this is the config on the test devices before the deployment:
access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.3.12
access-list 1 permit 192.168.3.17
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
During the deployment, RME telnets in and runs =>
swi-test(config)#
no access-list 1 permit 192.168.3.12
swi-test(config)#
no access-list 1 permit 192.168.3.17
swi-test(config)#
access-list 1 permit 192.168.52.128 0.0.0.127
So it ends with success, but the whole issue is that as soon as you do a "no access-list #", the whole ACL is removed, so it makes no sense to me to have a tool which can be granular in its possibilities but gives you a result so far from what you expect!
So the result on the device config is
only this:
access-list 1 permit 192.168.52.128 0.0.0.127
So we are far from what I wanted, which was to have the 2 lines removed and the subnet added:
access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
access-list 1 permit 192.168.52.128 0.0.0.127
Has anybody already experienced something like that and knows the solution to avoid that kind of result?
Thanks a lot
Matt
07-18-2007 07:37 AM
Baseline templates are not really ideal for ACL management. There are features in the Cisco Security Management Suite that are geared more towards what you want to do.
If you want to use RME for this, you're probably better off creating a Netconfig template to do this. The Netconfig template would essentially do:
no access-list 1
access-list 1 permit 10.10.10.40
access-list 1 permit 192.168.1.15
access-list 1 permit 192.168.1.128 0.0.0.127
access-list 1 permit 192.168.52.128 0.0.0.127
The bad news is, this flow can leave you vulnerable for a short amount of time.
Once you have the Netconfig template, you can also create a baseline template to check compliance across all your devices. The baseline template would contain every ACE in your ACL beginning with a '+'. And ideally, you would also check the box to enable the ordered feature of the template to ensure each ACE is in the correct order.
07-19-2007 02:04 AM
Yep,
that is not really good in fact.
Here is what I will do: I will use NetConfig to change the access-list.
The only way to not destroy the access list is to access it via conf t
and ip access-list standard (or extended) 1
After that you are able to make changes without killing the access-list,
so I will let you know the result.
Thanks for the help, I wanted to be sure that it was not me who forgot something.
Matt
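As an added example that is not part of the thread, the following Python models the numbered-ACL behaviour Matt observed (a "no access-list 1 ..." line wiping the whole list) and generates both the NetConfig rebuild sequence from the second reply and the in-place named-ACL edit from the last post. The ACL contents are the ones quoted above, and the IOS behaviour is modelled as the thread describes it, not taken from a device.

```python
from typing import List

# Constructed sample taken from the thread: the test device's ACL 1 before
# deployment, the two ACEs to remove, and the subnet ACE to add.
CURRENT_ACL = [
    "permit 10.10.10.40",
    "permit 192.168.3.12",
    "permit 192.168.3.17",
    "permit 192.168.1.15",
    "permit 192.168.1.128 0.0.0.127",
]
REMOVE = ["permit 192.168.3.12", "permit 192.168.3.17"]
ADD = ["permit 192.168.52.128 0.0.0.127"]


def apply_numbered_acl_commands(acl: int, aces: List[str], commands: List[str]) -> List[str]:
    """Model of how the thread reports classic IOS treating 'access-list <n>' lines:
    any 'no access-list <n> ...' drops the entire numbered list, whatever ACE text
    follows, and 'access-list <n> <ace>' appends to the end."""
    result = list(aces)
    prefix = f"access-list {acl} "
    for cmd in commands:
        if cmd == f"no access-list {acl}" or cmd.startswith("no " + prefix):
            result = []  # the whole list disappears, not just the named ACE
        elif cmd.startswith(prefix):
            result.append(cmd[len(prefix):])
    return result


def baseline_style_commands(acl: int, remove: List[str], add: List[str]) -> List[str]:
    """What the baseline template sent (first post): '-' lines become 'no ...'."""
    return ([f"no access-list {acl} {a}" for a in remove]
            + [f"access-list {acl} {a}" for a in add])


def rebuild_commands(acl: int, aces: List[str], remove: List[str], add: List[str]) -> List[str]:
    """NetConfig approach (second post): clear the list and re-create it in order.
    Between the first command and the last, the device has no ACL <n> at all."""
    desired = [a for a in aces if a not in remove] + list(add)
    return [f"no access-list {acl}"] + [f"access-list {acl} {a}" for a in desired]


def in_place_commands(acl: int, remove: List[str], add: List[str]) -> List[str]:
    """Named-ACL configuration mode (third post): edit single ACEs under
    'ip access-list standard <n>' so the rest of the list stays in place."""
    return ([f"ip access-list standard {acl}"]
            + [f"no {a}" for a in remove] + list(add) + ["exit"])
```

Running the baseline-style commands through the model reproduces the single-line result from the first post, while the rebuild sequence reaches the intended four-line list at the cost of a window with no ACL applied.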