Managing Access Lists


Does anyone know of a way to manipulate ACLs without losing any remarks that are directly above the line that need modification without just completely removing and re-adding the entire ACL?

We have some very large ACLs due to PCI requirements and it is not always feasible to remove and re-add the entire ACL, particularly during business hours. The other end of that problem is that we are also required to maintain the remarks for PCI compliance. Is there any way to "no" a line and replace that same line without messing up the remarks?


Example section of running-config ACL with remarks:

remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32

And the same with line numbers:

1360 permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2 (106 matches)
1370 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14 (137216 matches)
1380 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32 (258261 matches)

Now say I need to change line 1370 to explicitly deny ICMP.

conf t
!
ip access-list extended Example_ACL
no 1370
1370 deny icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
end

The running-config will now lose the remark "remark --> STORE02 AD Controllers" and look like this:

remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32

Or say I needed to insert a line above 1370 so that it has the same "remark --> STORE02 AD Controllers":

conf t
!
ip access-list extended Example_ACL
1369 permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
end

The ACL will now align like this:

remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32

Or if we tried to add it just above line 1360:

conf t
!
ip access-list extended Example_ACL
1359 permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
end

The ACL will now align like this:

permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32

And if we deleted and re-added a new line 1360, it would look like this:

deny icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32

Every remark is tied to the line item directly following it, and any modifications to these lines affect how the remarks align.

And once a remark is deleted, or if you need to add a new remark, you cannot insert it at a specific line.

You have to delete the entire ACL and re-add it as desired, which for small ACLs is not a big deal, but I have one ACL in particular that takes ~12 min to apply remotely.

And I have many identical remote sites with ACLs like these, and if I need to make a small change to all sites it is quite challenging, as I do not trust our config management tool not to choke and time out while applying such long ACLs.

As far as I have seen this is true of just about any IOS that allows for inline ACL comments.

Thanks!
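The remark-attachment behaviour described in the question can be modelled offline so that a full rebuild keeps every remark above the entry it documents, and so that you can see which remarks a bare "no <seq>" would drop before you type it. This is an added example, not code from the original post or from Cisco; the sample config, the Entry class and the function names are constructed here, and the 1360/10 numbering is only reproduced for the excerpt shown.

```python
import re
from dataclasses import dataclass, field
# Constructed sample, modelled on the running-config excerpt in the question.
RUNNING_CONFIG = """\
ip access-list extended Example_ACL
 remark =-=-=-=-= ICMP =-=-=-=-=
 remark --> POS Server
 permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
 remark --> STORE02 AD Controllers
 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32"""

@dataclass
class Entry:
    seq: int                     # sequence number as 'show access-lists' displays it
    text: str                    # the ACE itself, e.g. "permit icmp ... host 10.224.2.2"
    remarks: list = field(default_factory=list)  # remarks sitting directly above this ACE

def parse_acl(config, start_seq=1360, step=10):
    """Attach each remark to the ACE that follows it (the IOS behaviour the question
    describes). start_seq/step are assumptions that reproduce the excerpt's numbering."""
    name, entries, pending, seq = None, [], [], start_seq
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            name = m.group(1)
        elif line.startswith("remark "):
            pending.append(line[len("remark "):])
        elif line.startswith(("permit ", "deny ")):
            entries.append(Entry(seq, line, pending))
            pending, seq = [], seq + step
    return name, entries

def orphaned_remarks(entries, seq):
    """Remarks that a bare 'no <seq>' would silently delete along with the ACE."""
    return [r for e in entries if e.seq == seq for r in e.remarks]

def replace_ace(entries, seq, new_text):
    """Copy of the list with the ACE at `seq` rewritten; its remarks stay attached."""
    return [Entry(e.seq, new_text if e.seq == seq else e.text, list(e.remarks)) for e in entries]

def render_acl(name, entries):
    """Full rebuild (the remove-and-re-add the question describes), remarks in place."""
    out = [f"no ip access-list extended {name}", f"ip access-list extended {name}"]
    for e in entries:
        out += [f" remark {r}" for r in e.remarks]
        out.append(f" {e.seq} {e.text}")
    return "\n".join(out)
```

Run orphaned_remarks() before any "no <seq>" to confirm nothing compliance-relevant is attached to that entry; for the rebuild, remember that an IOS interface referencing an ACL that has just been deleted passes traffic unfiltered until the list is re-created.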

Lucien Avramov Wed, 09/16/2009 - 18:48

Here are my thoughts on this: the remark is not indexed, unlike the access-list line. When you remove a line of the access-list it automatically removes the remark, but when you add one line, you can't just add a specific remark, you need to go through all of it.

You could contact sales or TAC and request an enhancement, that is something the IOS team will need to evaluate.

We had a product that is now end of life, ACLM (Access Control List Manager), where you were able to have remarks and modify the ACLs on routers.

I don't know what products can now be used. Typically the software will store the ACLs in the proper order and then you deploy it. I understand it's not the direction you want to take.

HTH
