New IOS Feature Request

From: Manny Gonzalez (gonzalu@nyp.org)
Date: Wed Sep 04 2002 - 02:56:58 GMT-3


Because of issues with a constantly updated ACL on a router and my humongous fat
fingers, I am recommending/asking/suggesting a new feature in IOS:

Compound Access Lists

What are they? Well, you sort of set up multiple ACLs that you then tie
into the interface in the order you wish. The beauty of it is that if you change
some things all the time, and some others MUST be the same (like the ALLOW ALL
at the bottom), you can be safe that the allow all at the bottom, if on one of
the compound lists, will not get broken.

Here is a more detailed explanation:

Current Setup.

interface Ethernet1/0
 ip access-group internet-inbound in
!
ip access-list extended internet-inbound
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
 permit ip 130.130.0.0 0.0.255.255 any

If I paste this list in, and somehow the buffer gets overloaded (think HUGE LIST
in real routers :-)) and the last line does not make it, and you don't catch it
(yes, I do this a lot more than I care to admit) or whatever happens, you're
screwed.

Compound list way
-----------------
interface Ethernet1/0
 ip access-group internet-inbound-01 in
 ip access-group internet-inbound-02 in
!
ip access-list extended internet-inbound-01
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
ip access-list extended internet-inbound-02
 permit ip 130.130.0.0 0.0.255.255 any

The router still treats it like a regular list (as if it were one list... ) but
it parses them separately. If I fat finger the portion that needs constant
updating, so what, general traffic is unaffected. The order under the interface
is critical and will follow the rule of last entered, last in sequence.

Comments?

-- 
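An added check for the failure mode the post describes (editor's example, not part of the original message or of IOS): parse the ACL you meant to paste and the router's `show running-config` output, and report every entry that did not survive, with a specific flag for the trailing permit. The ACL names and both config texts below are constructed samples.

```python
import re

# Constructed sample: the ACL exactly as it was meant to be pasted.
INTENDED = """\
ip access-list extended internet-inbound
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
 permit ip 130.130.0.0 0.0.255.255 any
"""

# Constructed sample: what the router actually kept; the paste buffer
# dropped the final permit line, so only the denies made it in.
RUNNING = """\
!
ip access-list extended internet-inbound
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
!
"""

ACL_HDR = re.compile(r"^ip access-list (?:extended|standard) (\S+)")

def parse_acls(text):
    """Map ACL name -> ordered list of entries (sequence numbers stripped)."""
    acls, cur = {}, None
    for raw in text.splitlines():
        m = ACL_HDR.match(raw)
        if m:
            cur = m.group(1)
            acls.setdefault(cur, [])
        elif cur is not None and raw.startswith(" "):
            acls[cur].append(re.sub(r"^\d+ ", "", raw.strip()))
        else:
            cur = None  # any other top-level line ends the ACL block
    return acls

def audit(intended_text, running_text):
    """Per ACL: entries missing from / extra in the router, and whether the
    last intended entry (the permit at the bottom) is really the last one."""
    want, have = parse_acls(intended_text), parse_acls(running_text)
    report = {}
    for name, entries in want.items():
        got = have.get(name, [])
        report[name] = {
            "missing": [e for e in entries if e not in got],
            "extra": [e for e in got if e not in entries],
            "last_ok": bool(got) and got[-1] == entries[-1],
        }
    return report

if __name__ == "__main__":
    for name, r in audit(INTENDED, RUNNING).items():
        print(name, r)
```

Run it against the real `show running-config` capture before trusting the paste; a non-empty `missing` list or `last_ok` of `False` means the interface is filtering on a truncated list.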


This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:43 GMT-3