RE: New IOS Feature Request

From: Roderick B. Greening (rgreening@gt.ca)
Date: Wed Sep 04 2002 - 12:31:51 GMT-3


Why not simply copy tftp run the text file from a tftp server? Only include the ACL in the file. This will merge with the existing config and prevent cut/paste errors.

-----Original Message-----
From: Manny Gonzalez [mailto:gonzalu@nyp.org]
Sent: Wednesday, September 04, 2002 3:27 AM
To: ccielab@groupstudy.com
Subject: New IOS Feature Request

Because of issues with a constantly updated ACL on a router and my humongous fat fingers, I am recommending/asking/suggesting a new feature in IOS:

Compound Access Lists

What are they? Well, you sort of set up multiple sets of ACLs that you then tie into the interface in the order you wish. The beauty of it is that if you change some things all the time, and some others MUST be the same (like the ALLOW ALL at the bottom), you can be safe that the allow all at the bottom, if on one of the compound lists, will not get broken.

Here is a more detailed explanation:

Current Setup.

interface Ethernet1/0
 ip access-group internet-inbound in
!
ip access-list extended internet-inbound
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
 permit ip 130.130.0.0 0.0.255.255 any

If I paste this list in, and somehow the buffer gets overloaded (think HUGE LIST in real routers :-)) and the last line does not make it, and you don't catch it (yes, I do this a lot more than I care to admit) or whatever happens, you're screwed.

Compound list way
-----------------
interface Ethernet1/0
 ip access-group internet-inbound-01 in
 ip access-group internet-inbound-02 in
!
ip access-list extended internet-inbound-01
 deny ip host 1.2.3.4 any
 deny ip host 2.3.4.5 any
 deny ip host 3.4.5.6 any
ip access-list extended internet-inbound-02
 permit ip 130.130.0.0 0.0.255.255 any

The router still treats it like a regular list (as if it were one list...) but it parses them separately. If I fat finger the portion that needs constant updating, so what, general traffic is unaffected. The order under the interface is critical and will follow the rule of last entered, last in sequence.

Comments?

-- 
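The compound-list behaviour described in the quoted message, modelled offline as a pre-paste check: the volatile segment and the fixed segment are merged in interface order, and the merged list is refused if the fixed tail is no longer at the bottom. This is an added example, not IOS or the poster's code; the ACL lines are constructed from the two lists above and the entry syntax is the extended-ACE subset they use.

```python
"""Offline model of the 'compound access list' proposed above: segments are merged
in interface order, then the fixed tail is re-checked so a truncated paste cannot
silently drop it. Added example, not IOS or the poster's code."""
import ipaddress
import re

# Extended-ACE subset used in the thread: action, protocol ip, source, destination any.
ACE_RE = re.compile(r"^(permit|deny)\s+ip\s+(?:host\s+(\S+)|(any)|(\S+)\s+(\S+))\s+any$")

def parse_ace(line):
    """Return (action, source network); a cut-off line raises instead of matching."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable ACE (truncated paste?): {line!r}")
    action, host, any_src, net, wildcard = m.groups()
    if host:
        src = ipaddress.ip_network(host)                     # host X -> X/32
    elif any_src:
        src = ipaddress.ip_network("0.0.0.0/0")
    else:                                                    # IOS wildcard = inverted netmask
        src = ipaddress.ip_network(f"{net}/{wildcard}", strict=False)
    return action, src

def compound_acl(*segments):
    """Merge segments in the order they were applied under the interface."""
    return [parse_ace(ln) for seg in segments for ln in seg.strip().splitlines()]

def check_tail(acl, fixed_segment):
    """Refuse the merged list if the fixed segment no longer ends it."""
    tail = compound_acl(fixed_segment)
    if acl[-len(tail):] != tail:
        raise ValueError("fixed tail missing: the permit at the bottom is gone")

def evaluate(acl, src_ip):
    """First matching entry wins; IOS appends an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in net:
            return action
    return "deny"

# Constructed sample segments mirroring the two lists in the thread.
INBOUND_01 = "deny ip host 1.2.3.4 any\ndeny ip host 2.3.4.5 any\ndeny ip host 3.4.5.6 any"
INBOUND_02 = "permit ip 130.130.0.0 0.0.255.255 any"

if __name__ == "__main__":
    acl = compound_acl(INBOUND_01, INBOUND_02)
    check_tail(acl, INBOUND_02)                              # passes: tail intact
    for ip in ("2.3.4.5", "130.130.7.7", "10.0.0.1"):
        print(ip, evaluate(acl, ip))                         # deny, permit, deny
```

Pasting only the volatile segment (INBOUND_01 alone) makes check_tail raise, which is the failure the message describes being caught before, rather than after, the list goes live.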


This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3