From: Hansang Bae (hbae@nyc.rr.com)
Date: Wed Sep 04 2002 - 06:04:06 GMT-3
At 01:56 AM 9/4/2002 -0400, Manny Gonzalez wrote:
>Because of issues with a constantly updated ACL on a router and my humongous fat fingers, I am recommending/asking/suggesting a new feature in IOS:
>
>Compound Access Lists
>
>What are they? Well, you sort of set up multiple sets of ACLs that you then tie into the interface in the order you wish. The beauty of it is that if you change some things all the time, and some others MUST be the same (like the ALLOW ALL at the bottom), you can be safe that the allow all at the bottom, if on one of the compound lists, will not get broken.
>[snip]
>The router still treats it like a regular list (as if it were one list... ) but it parses them separately. If I fat finger the portion that needs constant updating, so what, general traffic is unaffected. The order under the interface is critical and will follow the rule of last entered, last in sequence.
I'm all for adding more logic to IOS. But in the meantime, doing this via VTY/Console is just ASKING for problems. My standard verbiage for any large ACL changes (several hundred lines at a time) MANDATES using tftp, followed by a quick diff on before and after configs.
hsb
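As an added illustration of the before-and-after diff Hansang recommends (example code written for this archive page, not from the thread, from Cisco, or from IOS itself): the script below parses named ACL blocks out of two running-config snapshots, reports per-ACL entries added and removed by the change, and checks that entries declared as must-keep (Manny's "ALLOW ALL at the bottom") are still present and still last. The two configs, the ACL names and the invariant list are all constructed sample data; a real run would feed it the configs saved before and after the tftp copy.

```python
"""Diff two IOS running-configs ACL-by-ACL and verify that entries which
must never change (e.g. the catch-all at the bottom) survived the edit."""
import re

# Constructed sample configs for illustration; they are not from the thread.
BEFORE = """\
hostname edge1
!
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 192.0.2.10 eq 443
 permit ip any any
!
ip access-list standard MGMT
 permit 198.51.100.0 0.0.0.255
!
end
"""

# Same config after a fat-fingered edit: the operator meant to append a new
# permit line but overwrote the final catch-all instead.
AFTER = """\
hostname edge1
!
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 25
!
ip access-list standard MGMT
 permit 198.51.100.0 0.0.0.255
!
end
"""

ACL_HEADER = re.compile(r"^ip access-list (?:standard|extended) (\S+)\s*$")
SEQ_PREFIX = re.compile(r"^\d+\s+")  # 'show access-lists' style sequence numbers


def parse_acls(config):
    """Return {acl_name: [normalized entry, ...]} preserving entry order.

    Entries are the indented lines under each 'ip access-list' header.
    Whitespace is collapsed and any leading sequence number is stripped so
    that cosmetically different renderings of the same entry compare equal.
    """
    acls = {}
    current = None
    for raw in config.splitlines():
        header = ACL_HEADER.match(raw)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is not None and raw.startswith(" "):
            entry = SEQ_PREFIX.sub("", " ".join(raw.split()))
            if entry:
                acls[current].append(entry)
        else:
            current = None  # any unindented line ends the ACL block
    return acls


def diff_acls(before, after):
    """Per ACL, report entries removed by the change and entries added by it.

    Returns {name: {"added": [...], "removed": [...]}} covering every ACL in
    either config; an ACL that vanished shows all of its entries as removed.
    """
    old, new = parse_acls(before), parse_acls(after)
    report = {}
    for name in sorted(set(old) | set(new)):
        old_entries, new_entries = old.get(name, []), new.get(name, [])
        report[name] = {
            "added": [e for e in new_entries if e not in old_entries],
            "removed": [e for e in old_entries if e not in new_entries],
        }
    return report


def check_invariants(config, invariants):
    """Verify that entries which must survive every edit are still present.

    invariants maps ACL name -> list of required entries; the last listed
    entry must also be the ACL's final line (the 'ALLOW ALL at the bottom'
    case). Returns a list of human-readable violations; empty means all good.
    """
    acls = parse_acls(config)
    problems = []
    for name, required in invariants.items():
        entries = acls.get(name)
        if entries is None:
            problems.append(f"{name}: ACL missing entirely")
            continue
        for entry in required:
            if entry not in entries:
                problems.append(f"{name}: required entry '{entry}' is missing")
        if required and entries and entries[-1] != required[-1] and required[-1] in entries:
            problems.append(f"{name}: '{required[-1]}' is no longer the last entry")
    return problems


if __name__ == "__main__":
    for name, delta in diff_acls(BEFORE, AFTER).items():
        for e in delta["removed"]:
            print(f"- {name}: {e}")
        for e in delta["added"]:
            print(f"+ {name}: {e}")
    for problem in check_invariants(AFTER, {"EDGE-IN": ["permit ip any any"]}):
        print("VIOLATION:", problem)
```

The diff alone already shows the lost `permit ip any any`, but the invariant check turns "eyeball the diff" into a pass/fail gate that can block the `copy tftp running-config` step in a change script; it is also why entries are compared after normalization, so a re-indented or renumbered rendering does not show up as a spurious change.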
This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:43 GMT-3