Dynamic ACL Reconfiguration for VRF

Unanswered Question
Aug 28th, 2007

Hi

For a remote access solution (we're connecting to our customers), we're using a 2821 which handles site-to-site VPN to various customers, as well as PPP dialup and routing for leased lines.

In order to avoid problems with overlapping IP ranges, we're using a VRF per customer. However, we're restricted in terms of who can connect where since access to a VRF is controlled by an ACL.

Here's an example:

route-map VRF-Selection permit 23
 match ip address 99 23
 set vrf TERT
!
access-list 23 remark *** HOSTS for TERT
access-list 23 permit 195.141.121.159
access-list 99 remark *** NON-Existing IP for all VRF
access-list 99 permit 10.145.255.255

So, with the above configuration, the host 195.141.121.159 can access the VRF provided its routing table is adjusted properly (we have that under control). We have the "virtual" ACL 99 so that if we reconfigure the ACL granting access to the VRF (see below), the route mapping doesn't get lost.

Now, suppose a second host, 195.141.121.160, needs access to the same VRF. We can easily do that by connecting to the router, entering config mode, and adding another permission to ACL 23:

access-list 23 permit 195.141.121.160 0.0.0.0

So far so good. Where we get into trouble is once that second host should no longer be able to use the VRF TERT. Modifying ACL 23 will result in the router dropping any and all connections.

For that not to happen, we need to first remove ACL 23 from the route-map VRF-Selection:

route-map VRF-Selection permit 23
 no match ip address 23
exit

Then completely rewrite ACL 23 from scratch:

no access-list 23
access-list 23 remark *** HOSTS for TERT
access-list 23 permit 195.141.121.159

And finally re-enable ACL 23 on the VRF:

route-map VRF-Selection permit 23
 match ip address 23
exit

Now I'm wondering: is there no way to get rid of the entry

access-list 23 permit 195.141.121.160 0.0.0.0

in ACL 23 without dropping existing connections (other than those originating from 195.141.121.160)?

mheusing Tue, 08/28/2007 - 07:56

Hi,

This might depend on your IOS. In newer IOS versions the ACLs are internally sequenced named ACLs, though your config might still show "access-list 23 ...".

Try a "show ip access-lists standard 23". If this shows sequence numbers, you might be lucky. Then ACLs can be edited and single lines can be deleted.

In your case, if your IOS supports it, this should look something like:

Router# show access-list
Standard IP access list 23
    10 permit 195.141.121.159, wildcard bits 0.0.0.0
    20 permit 195.141.121.160, wildcard bits 0.0.0.0
Router(config)#ip access-list standard 23
Router(config-std-nacl)#no 20

For the technical details, supported IOS versions and configuration options, have a look, for example, at "IP Access List Entry Sequence Numbering":

http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html

Hope this helps! Please rate all posts.

Regards, Martin
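Martin's per-line edit only works once you know the sequence number of the line to drop. As an added example (not code from the thread or from Cisco), here is a small Python helper that parses "show access-list" output in the format quoted above, looks up the sequence number of the host to be removed, and emits the "ip access-list standard 23" / "no <seq>" pair. When the output carries no sequence numbers (older IOS), it refuses rather than guessing, so the caller knows a single line cannot be removed and the list has to be rebuilt. Both sample outputs are constructed to match the format in the reply, not captured from a router; the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the "show access-list" output quoted in the
# reply above; not captured from a real router.
SAMPLE_SHOW_ACL = """\
Standard IP access list 23
    10 permit 195.141.121.159, wildcard bits 0.0.0.0
    20 permit 195.141.121.160, wildcard bits 0.0.0.0
Standard IP access list 99
    10 permit 10.145.255.255, wildcard bits 0.0.0.0
"""

# Constructed sample of the same list on an IOS that does not number entries.
SAMPLE_UNNUMBERED = """\
Standard IP access list 23
    permit 195.141.121.159
    permit 195.141.121.160
"""

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
# Optional sequence number, action, then the first operand (host address,
# "any", or a network); the trailing ", wildcard bits ..." text is ignored.
ENTRY_RE = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(\S+?)(?=[,\s]|$)")


def parse_show_access_list(text: str) -> Dict[str, List[dict]]:
    """Map each ACL name/number to its entries.

    Each entry is {"seq": int or None, "action": str, "target": str};
    seq is None when the IOS output carries no sequence numbers.
    """
    acls: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(2)
            acls.setdefault(current, [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            seq, action, target = entry.groups()
            acls[current].append({
                "seq": int(seq) if seq is not None else None,
                "action": action,
                "target": target,
            })
    return acls


def sequence_for_host(entries: List[dict], host: str) -> Optional[int]:
    """Sequence number of the line that permits exactly this host, if any."""
    for e in entries:
        if e["action"] == "permit" and e["target"] == host:
            return e["seq"]
    return None


def removal_commands(acl: str, entries: List[dict], host: str) -> List[str]:
    """IOS commands that delete only the line for `host` from a standard ACL.

    Returns [] when the host is not in the list (nothing to do) and raises
    ValueError when the entries are unnumbered, because then a single line
    cannot be removed and the whole list has to be rebuilt instead.
    """
    if entries and all(e["seq"] is None for e in entries):
        raise ValueError(f"access-list {acl} has no sequence numbers; "
                         "per-line deletion is not available on this IOS")
    seq = sequence_for_host(entries, host)
    if seq is None:
        return []
    return [f"ip access-list standard {acl}", f"no {seq}"]


if __name__ == "__main__":
    acls = parse_show_access_list(SAMPLE_SHOW_ACL)
    print("\n".join(removal_commands("23", acls["23"], "195.141.121.160")))
```

The host match is exact on the first operand, so a network entry such as "permit 195.141.121.0 0.0.0.255" that also covers the host is deliberately not treated as a hit; removing such a line would affect more than the one host.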

stephan.steiner Tue, 08/28/2007 - 23:24

Thanks for your suggestion. Is there a minimum IOS release that I should look out for? (I got locked out yet again, so I need to find somebody on location to reboot the router before I can check out what version we have.)

Also, deleting specific entries is but half of the problem. The other half stems from the fact that as soon as I change anything in the config the router drops all connections and needs a reboot.

I was told by the guy who initially set it all up that a

route-map VRF-Selection permit 23
 no match ip address 23
exit
no access-list 23

then re-creating the ACL and re-adding the ACL to the route-map would do the trick. Turns out that once the 4th command has been sent, I'm disconnected and the router can never be reached again. Since I'm not changing any ACL that permits access to the router itself, I don't quite understand why this happens or how I can avoid it.

Any ideas on that one?

Mel Popple Tue, 08/28/2007 - 13:15

If the ACL lines aren't numbered would the following work?

route-map VRF-Selection permit 23
 match ip address 99 22 23
 set vrf TERT

Create ACL 23 with the entries you need; then, when you need to make a change, create ACL 22, apply it and then delete ACL 23. On the next change, create ACL 23, apply it and then delete ACL 22.

And so on...
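Mel's alternating scheme is easy to get wrong by hand (deleting the old list before the new one exists), so it is worth scripting. The following Python is an added example, not code from the thread or from Cisco: it emits the one-time route-map stanza that matches the "virtual" ACL 99 plus both 22 and 23, and for each change the commands that build the complete host list under the currently unused number before deleting the one in use, so the route-map always has a populated host ACL to match. It validates every address before it is interpolated into a command line and refuses to build an empty list, since that would cut off every host. The route-map name, VRF and ACL numbers are the ones used in the thread; the function names and the active/inactive bookkeeping are my own assumptions, not IOS features.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Names taken from the thread; the helpers below are illustrative, not IOS features.
ROUTE_MAP = "VRF-Selection"
ROUTE_MAP_SEQ = 23
VRF = "TERT"
SELECTOR_ACL = "99"        # the "virtual" ACL that keeps the match clause in place
SWAP_ACLS = ("22", "23")   # the two host ACLs that are used alternately


def one_time_setup() -> List[str]:
    """Route-map stanza matching ACL 99 plus both swap ACLs, entered once.

    With both numbers referenced, creating the unused one and deleting the
    used one never leaves the match clause without a populated host ACL.
    """
    return [
        f"route-map {ROUTE_MAP} permit {ROUTE_MAP_SEQ}",
        f" match ip address {SELECTOR_ACL} {SWAP_ACLS[0]} {SWAP_ACLS[1]}",
        f" set vrf {VRF}",
        "exit",
    ]


def inactive_acl(active: str) -> str:
    """The swap ACL number that is currently not in use."""
    if active not in SWAP_ACLS:
        raise ValueError(f"active ACL must be one of {SWAP_ACLS}, got {active!r}")
    return SWAP_ACLS[0] if active == SWAP_ACLS[1] else SWAP_ACLS[1]


def swap_commands(active: str, hosts: Iterable[str]) -> Tuple[str, List[str]]:
    """Commands that replace the host list without a gap.

    Builds the complete new list under the inactive number first, then
    removes the active one. Returns (new_active_acl, commands).
    Addresses are validated so that only well-formed IPv4 hosts reach the
    CLI (anything else would otherwise become part of a config line), and
    an empty host list is rejected because it would cut off every host.
    """
    validated: List[str] = []
    for h in hosts:
        addr = str(ipaddress.IPv4Address(h))  # raises ValueError on bad input
        if addr not in validated:              # de-duplicate, keep order
            validated.append(addr)
    if not validated:
        raise ValueError("refusing to build an empty host ACL")
    new = inactive_acl(active)
    cmds = [f"access-list {new} remark *** HOSTS for {VRF}"]
    # A standard ACL entry without a wildcard matches that single host.
    cmds += [f"access-list {new} permit {h}" for h in validated]
    cmds.append(f"no access-list {active}")
    return new, cmds


if __name__ == "__main__":
    print("\n".join(one_time_setup()))
    # Change 1: grant the second host; change 2: revoke it again.
    active, cmds = swap_commands("23", ["195.141.121.159", "195.141.121.160"])
    print("\n".join(cmds))
    active, cmds = swap_commands(active, ["195.141.121.159"])
    print("\n".join(cmds))
```

Whoever runs this has to carry the returned active number forward between changes (for example in the remark line or a small state file); feeding the wrong number would delete the list that is in use instead of the spare one.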

stephan.steiner Thu, 08/30/2007 - 01:40

The trick with the ordered ACL worked out fine.

Turns out I was missing a configuration option which prevented me from reconnecting if I deleted a whole ACL.
