From: Matt Wagner (miguknom@xxxxxxxxxxx)
Date: Thu Jul 18 2002 - 01:50:51 GMT-3
Jay is right. That is a real-life screwup that I have been guilty of a
couple of times. My solution is not reload in 15. As a matter of policy my
first line in any access-list to be applied to an interface (assuming that I
am creating it from a valid management workstation) is
acc 100 permit tcp host <my ip address> any eq 23 (or 22)
That has saved my butt on a few late, incoherent evenings.
Matt
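As an added example (not part of Matt's or Jay's posts), here is a small Python model of the lockout both are describing: an extended ACL evaluated top-down with the implicit deny, and a pre-apply check that the management session still matches a permit entry as each line is entered. The addresses are constructed, and the parser handles only the `host`/`any` and `eq <port>` forms used in the thread.

```python
# Added example: model of an IOS-style extended ACL with implicit deny,
# plus a check that a management telnet/ssh session survives the ACL.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Entry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: str              # "any" or a host address
    dst: str              # "any" or a host address
    dport: Optional[int]  # destination port from "eq <port>", else None

def parse_ace(line: str) -> Entry:
    """Parse e.g. 'access-list 100 permit tcp host 192.0.2.10 any eq 23'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line}")
    i = 4  # first token after the protocol keyword
    def addr() -> str:
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "any"
        if tok[i] == "host":
            i += 2
            return tok[i - 1]
        raise ValueError(f"unsupported address form: {tok[i]}")
    src, dst = addr(), addr()
    dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return Entry(tok[2], tok[3], src, dst, dport)

def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching entry wins; no match is the implicit deny."""
    for e in acl:
        if e.proto not in ("ip", proto):
            continue
        if e.src != "any" and e.src != src:
            continue
        if e.dst != "any" and e.dst != dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"  # implicit deny at the end of every IOS access-list

def session_survives(lines: List[str], mgmt_ip: str, router_ip: str, port: int) -> bool:
    """Pre-apply check: is the management session still permitted after
    each line is added in order, i.e. at no point does it hit the implicit deny?"""
    acl: List[Entry] = []
    for line in lines:
        acl.append(parse_ace(line))
        if evaluate(acl, "tcp", mgmt_ip, router_ip, port) != "permit":
            return False  # locked out as soon as this line exists
    return True
```

With the "permit tcp host <my ip> any eq 23" line first, the check passes; with a "deny ip any any" entered first, or with only a port-22 permit while the session is telnet, it reports the lockout before anything is applied.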
----Original Message Follows----
From: Jay Hennigan <jay@west.net>
Reply-To: Jay Hennigan <jay@west.net>
To: Anthony Pace <anthonypace@fastmail.fm>
CC: ccielab@groupstudy.com
Subject: Avoiding suicide, was: ACL fewest numbers of lines
Date: Wed, 17 Jul 2002 17:43:03 -0700 (PDT)
On Wed, 17 Jul 2002, Anthony Pace wrote:
> This is actually a real "gotcha" that bites you more in real life than
> in the practice labs. On a practice lab you can more or less do things
> in any order, but it is not uncommon to make the mistake of applying
> the access list to an interface. So far, so good. Then as soon as you
> create one line, the implicit deny cuts off everyone's access.
> Including your telnet session. Now you have to get to the router, and
> fast, and get a console hooked up.
"reload in" is your friend.
When making remote changes to a router, before configuring enter the
command "reload in 15". Then make your changes. If you manage to lock
yourself out, 15 minutes after you started the router will reboot itself.
Because you were locked out, the change that locked you out won't be
written to memory and you'll come back happy with the old configuration.
Once you've successfully reconfigured without locking yourself out, then
"reload cancel" will kill the scheduled reload and you can write memory.
I've used this trick many times when working with a carrier to change
LMI type or number of channels on a frame-relay circuit. You get telco
on the line, log in to the router, "reload in 15". Then change your
remote interface, effectively locking yourself out until telco changes
their side. If all goes well, you log back in, cancel the reload and
save. If telco can't change their side (or does it to the wrong circuit),
then 15 minutes later you're back where you started without a trip across
town or across the country.
--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:35 GMT-3