Re: New IOS Feature Request

From: Manny Gonzalez (gonzalu@nyp.org)
Date: Wed Sep 04 2002 - 20:25:43 GMT-3


Well, bigger problem. The ACL is actually inbound on the ONLY interface from the
network. I guess I could do it from outside, but this violates all the security
policies we have adhered to. I actually do it via the CONSOLE PORT itself via OBM and
it works... but I have the buffer overrun problem.

The other way I do it (which is a real pain in the ass) is to do a TFTP to FLASH, then
do a COPY FLASH RUN... but this takes forever on some routers (like one line every 5
seconds...).

Any way you cut it, it is a pain. Even doing the copy tftp run or copy flash run is
problematic because you can still have missing lines.

:-)
Manny

Roderick B. Greening wrote:
> Why not simply copy tftp run the text file from a tftp server. Only include
> the ACL in the file. This will merge with the existing config and prevent
> cut/paste errors.
>
> -----Original Message-----
> From: Manny Gonzalez [mailto:gonzalu@nyp.org]
> Sent: Wednesday, September 04, 2002 3:27 AM
> To: ccielab@groupstudy.com
> Subject: New IOS Feature Request
>
>
> Because of issues with a constantly updated ACL on a router and my humongous
> fat fingers, I am recommending/asking/suggesting a new feature in IOS:
>
> Compound Access Lists
>
> What are they? Well, you sort of set up multiple sets of ACLs that you then
> tie into the interface in the order you wish. The beauty of it is that if you
> change some things all the time, and some others MUST be the same (like the
> ALLOW ALL at the bottom), you can be safe that the allow all at the bottom, if
> on one of the compound lists, will not get broken.
>
> Here is a more detailed explanation:
>
> Current Setup.
>
> interface Ethernet1/0
>  ip access-group internet-inbound in
> !
> ip access-list extended internet-inbound
>  deny ip host 1.2.3.4 any
>  deny ip host 2.3.4.5 any
>  deny ip host 3.4.5.6 any
>  permit ip 130.130.0.0 0.0.255.255 any
>
> If I paste this list in, and somehow the buffer gets overloaded (think HUGE
> LIST in real routers :-)) and the last line does not make it, and you don't
> catch it (yes, I do this a lot more than I care to admit) or whatever happens,
> you're screwed.
>
> Compound list way
> -----------------
> interface Ethernet1/0
>  ip access-group internet-inbound-01 in
>  ip access-group internet-inbound-02 in
> !
> ip access-list extended internet-inbound-01
>  deny ip host 1.2.3.4 any
>  deny ip host 2.3.4.5 any
>  deny ip host 3.4.5.6 any
> ip access-list extended internet-inbound-02
>  permit ip 130.130.0.0 0.0.255.255 any
>
> The router still treats it like a regular list (as if it were one list...)
> but it parses them separately. If I fat-finger the portion that needs constant
> updating, so what, general traffic is unaffected. The order under the
> interface is critical and will follow the rule of last entered, last in
> sequence.
>
> Comments?

-- 


This archive was generated by hypermail 2.1.4 : Mon Oct 07 2002 - 07:43:44 GMT-3