On Fri, Jun 01, 2007 at 10:11:16AM +0300, John Kougoulos wrote:
> my preferred method is to upload the acl with tftp, of course with the
> first line "permit tcp any any established" ...
> Gert Doering wrote:
>> But usually you're dead in the water as soon as you copy-and-paste a
>> new version of the ACL and the first line gets active, prohibiting any
>> further lines to go through...
My handy script, aclmaker, takes care of most of these issues automatically. It uploads a test version of the ACL with a different name to assure that the syntax is OK, then modifies the access-group statement for each interface that references the ACL to point to the test ACL, then re-uploads the new ACL with the right name, and finally switches the access-group statements back to the new ACL under its correct name, so that the switchover to the new ACL happens in one stroke.

If you use aclmaker, you will only get locked out if you write an ACL that locks you out. There are never any partial ACLs applied to an interface, and the window where the interface has no ACL applied to it is minimized.

You can edit ACLs with your favorite text editor, even if they're hundreds of lines long, and then upload them to the router. It also supports a "diff" command so you can compare a locally edited ACL to the one on the router.

http://sourceforge.net/project/showfiles.php?group_id=25401

You can also do things like this on the command line on your Unix host:

  # copy every ACL on the router into an individual file on the local host
  for acl in $(aclmaker list); do aclmaker get "$acl"; done

  # run a command on the Cisco and pipe its output to a local shell command
  aclmaker cmd 'show ip route' | wc -l

  # test an ACL for syntax errors before uploading it
  aclmaker test FILENAME

Requires a Unix-ish system with Perl and a few Perl modules. One of these days I'll upgrade it to work with RANCID, which should make it a bit easier to use (assuming you've already climbed over RANCID's learning curve).

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
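The four-step swap described in the post above (test copy under a different name, repoint the interfaces, rewrite the real ACL, repoint back) is worth seeing as the actual IOS command sequence it produces. The following is an added example written for this page; it is not aclmaker's code and does not talk to a router. It parses a constructed `show running-config` fragment (`SAMPLE_CONFIG`, with the made-up ACL name `EDGE-IN` and interface names), takes a constructed replacement ACL (`NEW_EDGE_IN`), and emits the commands in the order the post describes, using IOS named extended ACL syntax and a `-TEST` suffix as assumptions. The crude local lint in `check_syntax` stands in for a pre-upload syntax check; the router remains the real parser.

```python
import re
from typing import List, Tuple

# Constructed sample of a "show running-config" fragment (not from any real
# router): two interfaces reference EDGE-IN, Loopback0 references nothing.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group EDGE-IN out
 ip access-group MGMT-IN in
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""

# Constructed replacement ACL, as it would sit in a locally edited text file.
NEW_EDGE_IN = [
    "permit tcp any any established",
    "permit tcp any host 192.0.2.10 eq 22",
    "permit icmp any any echo-reply",
    "deny ip any any log",
]

# Accepts "permit|deny <proto> <something...>" and "remark ..."; anything else
# is almost certainly an editing accident.  Deliberately loose: IOS decides.
ACE_RE = re.compile(r"^(permit|deny)\s+\S+\s+\S.*$|^remark\s+.+$")


def check_syntax(lines: List[str]) -> List[str]:
    """Return the lines that do not look like an access-list entry."""
    return [l for l in lines if not ACE_RE.match(l.strip())]


def find_bindings(config: str, acl: str) -> List[Tuple[str, str]]:
    """Return (interface, direction) pairs whose 'ip access-group' uses acl."""
    bindings: List[Tuple[str, str]] = []
    iface = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if line.startswith("!"):          # end of an interface stanza
            iface = None
            continue
        m = re.match(r"^\s+ip access-group (\S+) (in|out)\s*$", line)
        if m and iface and m.group(1) == acl:
            bindings.append((iface, m.group(2)))
    return bindings


def define_acl(name: str, lines: List[str]) -> List[str]:
    """Commands that replace a named extended ACL wholesale.  Entering
    'ip access-list extended NAME' on an existing ACL appends to it, so the
    old definition is removed first to get a clean replacement."""
    return ([f"no ip access-list extended {name}",
             f"ip access-list extended {name}"]
            + [f" {l}" for l in lines])


def rebind(bindings: List[Tuple[str, str]], name: str) -> List[str]:
    """Point every (interface, direction) binding at ACL 'name'."""
    cmds: List[str] = []
    for iface, direction in bindings:
        cmds += [f"interface {iface}", f" ip access-group {name} {direction}"]
    return cmds


def swap_commands(config: str, name: str, new_lines: List[str],
                  test_suffix: str = "-TEST") -> List[str]:
    """Produce the IOS command sequence for an atomic ACL replacement."""
    bad = check_syntax(new_lines)
    if bad:
        raise ValueError(f"refusing to upload, suspicious lines: {bad}")
    test_name = name + test_suffix
    bindings = find_bindings(config, name)
    cmds = ["configure terminal"]
    cmds += define_acl(test_name, new_lines)  # 1. test copy; router checks syntax
    cmds += rebind(bindings, test_name)       # 2. interfaces -> test copy
    cmds += define_acl(name, new_lines)       # 3. real name is unreferenced: rewrite it
    cmds += rebind(bindings, name)            # 4. interfaces back, one stroke each
    cmds += [f"no ip access-list extended {test_name}", "end"]  # cleanup (assumed)
    return cmds


if __name__ == "__main__":
    print("\n".join(swap_commands(SAMPLE_CONFIG, "EDGE-IN", NEW_EDGE_IN)))
```

Each `ip access-group` line replaces the previous binding on that interface in a single command, so at no point does an interface carry a partially loaded ACL; the only moment the real name is undefined is step 3, when nothing references it. Pushing the resulting text to the router (tftp, ssh, RANCID, or whatever transport is in use) is left to the caller.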
