09-16-2009 09:26 AM
Does anyone know of a way to manipulate ACLs without losing any remarks that are directly above the line that needs modification, without just completely removing and re-adding the entire ACL?
We have some very large ACLs due to PCI requirements and it is not always feasible to remove and re-add the entire ACL, particularly during business hours. The other end of that problem is that we are also required to maintain the remarks for PCI compliance. Is there any way to "no" a line and replace that same line without messing up the remarks?
09-16-2009 09:33 AM
Can you paste an example / portion of your ACL?
09-16-2009 10:12 AM
Example section of running-config ACL with remarks:
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
And same with line #:
1360 permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2 (106 matches)
1370 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14 (137216 matches)
1380 permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32 (258261 matches)
Now say, I need to change line 1370 to explicitly deny icmp.
conf t
!
ip access-list extended Example_ACL
no 1370
1370 deny icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
end
The running-config will now lose the remark "remark --> STORE02 AD Controllers" and look like this.
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
Or if say I needed to insert a line above 1370 so that it has the same "remark --> STORE02 AD Controllers"
conf t
!
ip access-list extended Example_ACL
1369 permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
end
The ACL will now align like this.
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
or if we tried to add it just above line 1360
conf t
!
ip access-list extended Example_ACL
1359 permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
end
The ACL will now align like this.
permit icmp 10.224.1.16 0.0.254.15 host 10.1.1.1
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
And if we deleted and re-added a new line 1360, it would look like this:
deny icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
Every remark is tied to the line item directly following it, and any modifications to these lines affect how the remarks align.
And once a remark is deleted, or if you need to add a new remark, you cannot insert them at a specific line.
You have to delete the entire ACL and re-add it as desired, which for small ACLs is not a big deal, but I have one ACL in particular that takes ~12 min to apply remotely.
And I have many identical remote sites with ACLs like these and if I need to make a small change to all sites it is quite challenging, as I do not trust our config management tool not to choke and timeout while applying such long ACLs.
As far as I have seen this is true of just about any IOS that allows for inline ACL comments.
Thanks!
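The behaviour the post above describes (a remark is bound to the ACE that follows it, disappears with "no <seq>", and a new numbered line sorts in above it) is easy to misjudge on a 1,000-line PCI list, so here is an added example that is not part of the original thread and not Cisco code: a small Python model that parses a pasted running-config ACL, replays a set of sequence-number edits on a copy, and reports which remarks the router would silently drop before anything is typed into the live device. The names `NamedAcl`, `dry_run` and `rebuild_commands` are my own, the sequence numbering (1360 in steps of 10, to match the numbers shown in the post) is an assumption, and the sample ACL is the snippet from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Ace:
    """One access-control entry plus the remark lines IOS shows directly above it."""
    seq: int
    text: str
    remarks: List[str] = field(default_factory=list)


class NamedAcl:
    """Models what the thread observes: a remark is not indexed, it is bound to the
    ACE that follows it, and it lives or dies with that ACE."""

    def __init__(self, name: str, entries: List[Ace]):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)

    @classmethod
    def from_running_config(cls, name: str, lines: List[str],
                            start: int = 10, step: int = 10) -> "NamedAcl":
        """Parse the unnumbered running-config body; sequence numbers are assigned
        start, start+step, ... (assumption: the list had no explicit numbers)."""
        entries: List[Ace] = []
        pending: List[str] = []
        seq = start
        for raw in lines:
            line = raw.strip()
            if not line:
                continue
            if line.startswith("remark "):
                pending.append(line[len("remark "):])
            else:
                entries.append(Ace(seq, line, pending))
                pending = []
                seq += step
        if pending:
            raise ValueError("remark with no following ACE: %r" % pending)
        return cls(name, entries)

    def delete(self, seq: int) -> List[str]:
        """'no <seq>': removes the ACE and returns the remarks that vanish with it."""
        victim = next((e for e in self.entries if e.seq == seq), None)
        if victim is None:
            raise KeyError("no ACE with sequence %d" % seq)
        self.entries.remove(victim)
        return list(victim.remarks)

    def insert(self, seq: int, text: str) -> None:
        """'<seq> permit|deny ...': placed purely by number. Existing remarks stay
        bound to their own ACE, so the new line sorts in above them."""
        if any(e.seq == seq for e in self.entries):
            raise ValueError("sequence %d already in use" % seq)
        self.entries.append(Ace(seq, text))
        self.entries.sort(key=lambda e: e.seq)

    def running_config(self) -> List[str]:
        out: List[str] = []
        for e in self.entries:
            out.extend("remark " + r for r in e.remarks)
            out.append(e.text)
        return out

    def show_access_lists(self) -> List[str]:
        return ["%d %s" % (e.seq, e.text) for e in self.entries]

    def rebuild_commands(self) -> List[str]:
        """The only remark-preserving path the thread identifies: drop and re-add the list."""
        return (["no ip access-list extended " + self.name,
                 "ip access-list extended " + self.name]
                + [" " + line for line in self.running_config()])


_EDIT = re.compile(r"^(?:no (?P<del>\d+)|(?P<seq>\d+) (?P<ace>(?:permit|deny) .+))$")


def dry_run(acl: NamedAcl, edits: List[str]) -> Tuple[List[str], Dict[int, List[str]]]:
    """Replay 'no <seq>' / '<seq> permit ...' edits on a copy; return the resulting
    running-config body and the remarks lost, keyed by the deleted sequence number."""
    work = NamedAcl(acl.name, [Ace(e.seq, e.text, list(e.remarks)) for e in acl.entries])
    lost: Dict[int, List[str]] = {}
    for cmd in edits:
        m = _EDIT.match(cmd.strip())
        if not m:
            raise ValueError("unsupported edit: %r" % cmd)
        if m.group("del"):
            seq = int(m.group("del"))
            gone = work.delete(seq)
            if gone:
                lost[seq] = gone
        else:
            work.insert(int(m.group("seq")), m.group("ace"))
    return work.running_config(), lost


# Sample input: the ACL fragment posted in the thread (constructed test data).
EXAMPLE_ACL = """
remark =-=-=-=-= ICMP =-=-=-=-=
remark --> POS Server
permit icmp 10.224.1.16 0.0.254.15 host 10.224.2.2
remark --> STORE02 AD Controllers
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.14
permit icmp 10.224.1.16 0.0.254.15 host 10.0.102.32
""".strip().splitlines()


def example_acl() -> NamedAcl:
    return NamedAcl.from_running_config("Example_ACL", EXAMPLE_ACL, start=1360)


if __name__ == "__main__":
    cfg, lost = dry_run(example_acl(),
                        ["no 1370", "1370 deny icmp 10.224.1.16 0.0.254.15 host 10.0.102.14"])
    print("\n".join(cfg))
    print("remarks that would be lost:", lost)
```

Run the edit list through `dry_run` first; if `lost` is non-empty, the change needs the full `rebuild_commands()` push (or a maintenance window) rather than an in-place sequence edit, which is exactly the PCI evidence gap the thread is worried about.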
09-16-2009 06:48 PM
Here are my thoughts on this: the remark is not indexed, unlike the access-list line. When you remove a line of the access-list it removes the remark automatically, but when you add one line, you can't just add a specific remark, you need to go through all of it.
You could contact sales or TAC and request an enhancement, that is something the IOS team will need to evaluate.
We had a product that is now end of life, aclm: access control list manager where you were able to have remarks and modify the ACLs on routers.
I don't know what products can now be used. Typically the software will store the ACLs with the proper order and then you deploy it. I understand it's not the direction you want to take.
HTH
09-17-2009 04:56 AM
I thought this was the case, but thought I'd ask if anyone knew of a work-around. Thanks for your help.