Does anyone know of a way to manipulate ACLs without losing any remarks that are directly above the line that needs modification, without just completely removing and re-adding the entire ACL?
We have some very large ACLs due to PCI requirements and it is not always feasible to remove and re-add the entire ACL, particularly during business hours. The other end of that problem is that we are also required to maintain the remarks for PCI compliance. Is there any way to "no" a line and replace that same line without messing up the remarks?
Every remark is tied to the line item directly following it, and any modifications to these lines affect how the remarks align.
And once a remark is deleted, or if you need to add a new remark you cannot insert them into a specific line.
You have to delete the entire ACL and re-add it as desired, which for small ACLs is not a big deal, but I have one ACL in particular that takes ~12 min to apply remotely.
And I have many identical remote sites with ACLs like these and if I need to make a small change to all sites it is quite challenging, as I do not trust our config management tool not to choke and timeout while applying such long ACLs.
As far as I have seen this is true of just about any IOS that allows for inline ACL comments.
Here are my thoughts on this: the remark is not indexed, unlike the access-list line. When you remove a line of the access-list it automatically removes the remark, but when you add one line, you can't just add a specific remark; you need to go through all of it.
You could contact sales or TAC and request an enhancement, that is something the IOS team will need to evaluate.
We had a product that is now end of life, ACLM (Access Control List Manager), where you were able to have remarks and modify the ACLs on routers.
I don't know what products can now be used. Typically the software will store the ACLs with the proper order and then you deploy it. I understand it's not the direction you want to take.
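Since both the question and the reply above come down to "a remark has no sequence number and belongs to the ACE directly below it, so the only safe way to get remarks in the right place is to write the whole ACL out in order", here is an added example of what that rebuild can look like when it is generated rather than typed. This is illustration code written for this page, not code from the original poster, the reply, or Cisco. It parses the ACL block as printed by `show running-config`, swaps one ACE while keeping its remark attached, and emits CLI that stages the new contents under a temporary name, moves the interface to it, rebuilds the original name, and moves back, so the interface is never left unfiltered while the long ACL is being re-added. The ACL name, its contents, the `-STAGE` suffix, the interface name and the direction are all constructed assumptions; the script still sends the full ACL twice, so it removes the unfiltered window but does not shorten the apply time the poster describes.

```python
"""Rebuild a Cisco IOS named extended ACL without losing its remarks.

Added illustration (not code from the thread or from Cisco).  It relies on
the behaviour the thread describes: a remark has no sequence number and is
attached to the ACE entered directly after it.  ACL name, contents,
interface and direction below are constructed examples.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Entry:
    """One ACE plus the remark lines that sit directly above it."""
    ace: str
    remarks: List[str] = field(default_factory=list)


def parse_acl(config: str) -> Tuple[str, List[Entry]]:
    """Parse one 'ip access-list extended NAME' block from running-config
    text.  Leading sequence numbers are dropped; each remark is attached to
    the next ACE, which is how IOS keeps them."""
    name = ""
    entries: List[Entry] = []
    pending: List[str] = []
    for raw in config.splitlines():
        if raw.startswith("ip access-list extended "):
            name = raw.split()[-1]
            continue
        if not name or not raw.startswith(" "):
            continue  # outside the ACL block
        body = raw.strip()
        head, _, rest = body.partition(" ")
        if head.isdigit():  # strip the sequence number
            body = rest
        if body.startswith("remark "):
            pending.append(body[len("remark "):])
        else:
            entries.append(Entry(body, pending))
            pending = []
    if pending:  # trailing remark with no ACE beneath it
        entries.append(Entry("", pending))
    return name, entries


def replace_ace(entries: List[Entry], old: str, new: str) -> List[Entry]:
    """Return a copy with ACE 'old' swapped for 'new'; its remarks stay put."""
    out: List[Entry] = []
    found = False
    for e in entries:
        if e.ace == old:
            out.append(Entry(new, list(e.remarks)))
            found = True
        else:
            out.append(Entry(e.ace, list(e.remarks)))
    if not found:
        raise ValueError(f"ACE not found: {old}")
    return out


def render_block(name: str, entries: List[Entry]) -> List[str]:
    """CLI that recreates the ACL in order.  IOS auto-assigns sequence
    numbers in steps of 10 and files each remark above the ACE entered next,
    so writing remark-then-ACE in order is what keeps them aligned."""
    lines = [f"ip access-list extended {name}"]
    for e in entries:
        lines.extend(f" remark {r}" for r in e.remarks)
        if e.ace:
            lines.append(f" {e.ace}")
    return lines


def render_swap(name: str, entries: List[Entry],
                interface: str, direction: str) -> List[str]:
    """Full change script: stage the new ACL under a temporary name (assumed
    suffix -STAGE), bind it, rebuild the real name, bind that, drop the
    temporary copy.  'ip access-group' replaces the bound ACL in one step, so
    the interface is filtered throughout."""
    tmp = f"{name}-STAGE"
    lines = render_block(tmp, entries)
    lines += ["!", f"interface {interface}", f" ip access-group {tmp} {direction}", "!"]
    lines += [f"no ip access-list extended {name}"]
    lines += render_block(name, entries)
    lines += ["!", f"interface {interface}", f" ip access-group {name} {direction}", "!"]
    lines += [f"no ip access-list extended {tmp}"]
    return lines


# Constructed sample, not a real ACL from the poster's network.
SAMPLE_CONFIG = """\
ip access-list extended PCI-CDE-IN
 remark PCI 1.3.1 - only the POS subnet may reach the card data environment
 10 permit tcp 10.20.30.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 443
 remark PCI 1.3.2 - deny everything else inbound, log for evidence
 20 deny ip any any log
"""

if __name__ == "__main__":
    acl_name, acl = parse_acl(SAMPLE_CONFIG)
    acl = replace_ace(acl,
                      "permit tcp 10.20.30.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 443",
                      "permit tcp 10.20.30.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 8443")
    print("\n".join(render_swap(acl_name, acl, "GigabitEthernet0/1", "in")))
```

After pushing the generated script, compare `show running-config | section ip access-list extended` against `render_block()` output for the original name; if the remark order does not match line for line, the push was interrupted and the ACL should be regenerated rather than patched by hand.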