On 5/30/07, Leonardo Souza <[EMAIL PROTECTED]> wrote:

> I have some ACL and Receive ACL applied on my routers.
> I'd like to know if it's secure to update them by doing:

If you're running a release that supports sequenced access-lists, you
can make incremental updates in-place with:

router#sh ip access-lists 199
Extended IP access list 199
    10 deny tcp any eq telnet any
    20 permit ip any any
router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#ip access-list extended 199
router(config-ext-nacl)#5 permit tcp host 172.1.1.1 eq 23 any
router(config-ext-nacl)#do sh ip access-list 199
Extended IP access list 199
    5 permit tcp host 172.1.1.1 eq telnet any
    10 deny tcp any eq telnet any
    20 permit ip any any
router(config-ext-nacl)#no 10
router(config-ext-nacl)#do sh ip access-list 199
Extended IP access list 199
    5 permit tcp host 172.1.1.1 eq telnet any
    20 permit ip any any
router(config-ext-nacl)#

If you are wiping them out, you should always remove them to be safe
(even if it weren't default-deny behavior when missing, there is an
unavoidable window between creation and completion).
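As an added example (not from the thread), this Python script parses the "show ip access-lists" output shown above and generates the sequenced commands that bring the ACL to a desired rule set in place, emitting additions before "no <seq>" removals as the session does (insert 5, then no 10), so the ACL is never wiped and recreated. The function names are mine; rule text is assumed to be in the form IOS displays it (eq telnet, not eq 23), and "ip access-list resequence" is the IOS command to make room when no free sequence numbers remain.

```python
import re
# One access-list entry line from 'show ip access-lists', e.g.
# "    10 deny tcp any eq telnet any" or "    20 permit ip any any (42 matches)"
ACE_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_acl(show_output):
    """Return {sequence_number: rule_text} from 'show ip access-lists <n>' output."""
    entries = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:  # the 'Extended IP access list 199' header line does not match
            entries[int(m.group(1))] = re.sub(r"\s*\(\d+ match(es)?\)$", "", m.group(2))
    return entries


def plan_update(acl_name, current, desired):
    """Commands that turn `current` ({seq: rule}) into the ordered rule list
    `desired` without ever removing the whole ACL. Rules are given in IOS
    display form ('eq telnet', not 'eq 23'). Additions are emitted before
    removals, as in the session above (insert 5, then 'no 10')."""
    # Pass 1: an existing entry is kept only if its text matches and its
    # sequence number preserves the desired order; anything else is re-added.
    plan, prev = [], 0
    for rule in desired:
        seq = next((s for s in sorted(current) if s > prev and current[s] == rule), None)
        plan.append((seq, rule))
        prev = seq if seq is not None else prev
    kept = {s for s, _ in plan if s is not None}
    # Pass 2: give each run of new rules free sequence numbers between its kept
    # neighbours (existing numbers, even ones about to be deleted, are skipped).
    cmds, i = [f"ip access-list extended {acl_name}"], 0
    while i < len(plan):
        if plan[i][0] is not None:
            i += 1
            continue
        j = i
        while j < len(plan) and plan[j][0] is None:
            j += 1
        lo = plan[i - 1][0] if i else 0
        hi = plan[j][0] if j < len(plan) else max([lo, *current]) + 10 * (j - i + 1)
        free = [s for s in range(lo + 1, hi) if s not in current]
        if len(free) < j - i:  # IOS can renumber: ip access-list resequence <name> 10 10
            raise ValueError(f"no free sequence numbers between {lo} and {hi}; resequence first")
        for n, (_, rule) in enumerate(plan[i:j]):
            cmds.append(f"{free[len(free) * (n + 1) // (j - i + 1)]} {rule}")
        i = j
    cmds += [f"no {s}" for s in sorted(current) if s not in kept]
    return cmds
```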
_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/