
SNMP to modify or add ACL

jschweng
Level 1

Is it possible to use SNMP from a netmanager to modify or apply an ACL on a Cisco 3750G with IOS 12.25SEB2?

3 Replies

Joe Clarke
Cisco Employee

Not directly, but you can use SNMP plus TFTP or RCP to upload configuration snippets to the device using the CISCO-CONFIG-COPY-MIB. For example, if you want to change access-list 101, you would create a snippet such as:

no access-list 101
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 25
access-list 101 permit tcp any any eq 22
access-list 101 deny tcp any any established
end

Then set the necessary objects in the CONFIG-COPY-MIB to force the device to upload this snippet, and merge it with the running config. See this tech tip on how to use the CONFIG-COPY-MIB:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_configuration_example09186a0080094aa6.shtml

OK, thanks. So if I upload this file it will delete ACL 101 and recreate it. It's not really merging with the running config, is it? Is there a risk of causing other issues with the running config?

No, it does merge with the running config just as it would if you typed the commands out. If you left out the "no access-list" command, the ACEs would simply be appended to the end of the existing ACL. Again, this is the same as if you manually typed these new ACEs.

There is no risk to other portions of the config as the snippet will not overwrite the existing running config.
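
The CONFIG-COPY-MIB sets described in the answers above, as an added example that is not part of the thread or of Cisco's tech tip: it drives net-snmp's `snmpset`/`snmpget` with numeric ccCopyTable OIDs to merge a TFTP-hosted snippet into the running config. The SNMPv3 credentials, row index, addresses and function names are assumptions; override `SNMP_OPTS` to match the write access actually configured on the device.

```shell
#!/bin/sh
# Added example: merge a TFTP-hosted snippet into running-config via ccCopyTable.
CC=1.3.6.1.4.1.9.9.96.1.1.1.1    # ccCopyEntry; instances are $CC.<column>.<row>
# Assumption: SNMPv3 authPriv user with write access; all credentials are placeholders.
SNMP_OPTS=${SNMP_OPTS:-"-v3 -l authPriv -u USER_PLACEHOLDER -a SHA -A AUTH_PLACEHOLDER -x AES -X PRIV_PLACEHOLDER"}

# Dry run unless RUN=1: print the command instead of executing it.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# copy_set DEVICE ROW TFTP_SERVER FILE: create and start the copy in one set.
# Columns: 2 ccCopyProtocol tftp(1), 3 ccCopySourceFileType networkFile(1),
# 4 ccCopyDestFileType runningConfig(4), 5 ccCopyServerAddress, 6 ccCopyFileName,
# 14 ccCopyEntryRowStatus createAndGo(4).
copy_set() {
    case $2 in ""|*[!0-9]*) echo "row must be a number: $2" >&2; return 1 ;; esac
    case $4 in
        ""|*..*|*[!A-Za-z0-9._/-]*) echo "rejected file name: $4" >&2; return 1 ;;
    esac
    # $SNMP_OPTS is left unquoted on purpose so it splits into separate options.
    run snmpset $SNMP_OPTS "$1" \
        "$CC.2.$2" i 1 "$CC.3.$2" i 1 "$CC.4.$2" i 4 \
        "$CC.5.$2" a "$3" "$CC.6.$2" s "$4" "$CC.14.$2" i 4
}

# copy_state DEVICE ROW: ccCopyState is waiting(1), running(2), successful(3), failed(4).
copy_state() { run snmpget -Oqve $SNMP_OPTS "$1" "$CC.10.$2"; }

# copy_destroy DEVICE ROW: free the row with ccCopyEntryRowStatus destroy(6).
copy_destroy() { run snmpset $SNMP_OPTS "$1" "$CC.14.$2" i 6; }

# merge_snippet DEVICE ROW TFTP_SERVER FILE: returns 0 only if the copy succeeded.
merge_snippet() {
    copy_set "$@" || return 1
    if [ "${RUN:-0}" != 1 ]; then copy_state "$1" "$2"; copy_destroy "$1" "$2"; return 0; fi
    state=1 tries=0
    while { [ "$state" = 1 ] || [ "$state" = 2 ]; } && [ "$tries" -lt 30 ]; do
        sleep 2; tries=$((tries + 1))
        state=$(copy_state "$1" "$2") || break
    done
    copy_destroy "$1" "$2" >/dev/null
    [ "$state" = 3 ]
}

# Stand-alone use: sh merge.sh DEVICE ROW TFTP_SERVER FILE (dry run unless RUN=1)
if [ $# -eq 4 ]; then merge_snippet "$@"; fi
```

The snippet file must already exist on the TFTP server under the given name, and the row index is any integer not currently in use in ccCopyTable.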
