ACL Update Procedures


Monday, December 16, 2002

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706
Phone: +1 408 526-4000  Fax: +1 408 536-4100

Highlights

• ACL Update Procedures on the Gateway need to be minimally disruptive.
• Exposure time of having no ACL needs to be minimized.

Updating Security ACLs (Version 0.1)

Intro

Updating ACLs used for security on the edge of a network has two key requirements. First, updates need to be minimally disruptive to the operational environment. Second, updates need to minimize the exposure time during which no ACL is applied to the interface. To meet these requirements, network operators need to know the details of the load/update characteristics of ACLs on their products. These load/update characteristics may differ depending on the operating system, software version, product, and forwarding/feature ASIC used. Knowing the details allows a network operator to match their procedures to the operating characteristics of the platform's ACLs, achieving the desired objective of minimized exposure time and operational risk.

Recommended Procedure Without Cisco's ACL Manager

Most ISPs do not use an application like Cisco's ACL Manager. Instead, they create their own specialized scripts to update their security ACLs. To meet the objectives of minimized exposure and operational risk, many ISPs use a two-ACL staged update. This allows the ISP to work with IOS's operational behavior while meeting their operational objectives. The procedure involves keeping two copies of the ACL, allowing for sanity checking and a quick switch between the old ACL and the updated ACL.

1. Have two ACLs: one active, and the other for updates (ACL xxx and ACL yyy). The following steps use ACL 150 and ACL 151 for demonstration purposes.

2. Load the Updated ACL. If ACL 150 is currently applied to the interface and a new ACL needs to be loaded, load the new ACL first under a different number; in this case, it would be loaded as ACL 151. That way the ACL can be loaded and checked before it is applied to the interface. This also allows for a quick switch from the active ACL (ACL 150) to the updated ACL (ACL 151).

3. Activate the Updated ACL. Once the upload is complete and verified, swap the interface's access-group using "ip access-group 151". This command results in ACL 151 immediately taking over. By default, IOS will not let you have more than one access list active (in the same direction) on a given interface; therefore, the old access list is removed when the new one is activated.

4. New Update. The next time you need to update the ACL, edit ACL 150 in an off-line text editor, upload it, and activate it as specified in steps one through four above. A change management procedure is strongly encouraged to track the active versus editable ACL. Use the Named ACL description command, and record a version number for each individual Named ACL using the remark command.

General ACL Update Guidelines with IOS

• All ACL changes should be made in an off-line text editor before being uploaded into the router. Once uploaded, use show commands to check for accuracy. At this time, you cannot add/delete specific Access Control Entries (ACEs) from the ACL; ACL Sequence Numbers will add this support in future IOS versions.

• All updates require a new ACL load. The first line of the newly modified ACL is a "no access-list XXX". In this example the updated ACL is 151, so the first line of the update needs to be "no access-list 151", followed by the new ACL. This removes the current (old) ACL from all LCs, VIPs, and processes, ensuring there is no confusion in the system.

• Use Named ACLs. Named ACLs provide additional features that help manage ACLs on a router. The description and remark commands are two very useful features for providing in-band documentation of the ACL.

• Do Not Mix Named ACL Updates with traditional extended ACL Updates. There are side effects when ACLs are created with one and updated with the other. It is best to pick one (Named ACLs are preferred) and stick with that CLI syntax.
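An added example of the kind of update script the text says ISPs write for themselves (it is not Cisco's code or part of this document): it reads the interface's current access-group from configuration text, picks the other number of the 150/151 pair as the staging ACL, emits the "no access-list" purge line first as the guidelines require, adds a remark with a version number, and keeps the activation command separate so it is sent only after the loaded ACL has been verified with show commands. The interface name, the sample configuration and the ACE list are constructed, and the `in` direction keyword is an assumption the document does not state.

```python
import re

ACL_PAIR = (150, 151)  # the two ACL numbers used in the document's example

def active_acl(interface_config, direction="in"):
    """Return the ACL number applied in `direction` on the interface config text."""
    m = re.search(rf"^\s*ip access-group (\d+) {direction}\s*$", interface_config, re.M)
    if not m:
        raise ValueError(f"no {direction}bound access-group found on interface")
    return int(m.group(1))

def staging_acl(active):
    """Pick the number of the pair that is NOT active: the new ACL is loaded and
    checked there before the interface is switched over to it."""
    if active not in ACL_PAIR:
        raise ValueError(f"active ACL {active} is not in the managed pair {ACL_PAIR}")
    return ACL_PAIR[1] if active == ACL_PAIR[0] else ACL_PAIR[0]

def build_update(interface, interface_config, aces, version, direction="in"):
    """Return (load_lines, activate_lines). load_lines is the off-line edited ACL
    whose first line purges the old copy from all line cards and processes;
    activate_lines is the interface swap, to be sent only after verification."""
    stg = staging_acl(active_acl(interface_config, direction))
    load = [f"no access-list {stg}",
            f"access-list {stg} remark version {version}"]  # in-band documentation
    for ace in aces:
        ace = ace.strip()
        if not re.match(r"^(permit|deny)\s", ace):  # catch editor mistakes before upload
            raise ValueError(f"malformed ACE: {ace!r}")
        load.append(f"access-list {stg} {ace}")
    activate = [f"interface {interface}", f" ip access-group {stg} {direction}"]
    return load, activate

# Constructed sample: ACL 150 is active inbound on the edge interface.
SAMPLE_CONFIG = """interface Serial1/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 150 in
"""
SAMPLE_ACES = ["deny ip 10.0.0.0 0.255.255.255 any", "permit ip any any"]

if __name__ == "__main__":
    load, activate = build_update("Serial1/0", SAMPLE_CONFIG, SAMPLE_ACES, "2")
    print("\n".join(load))       # upload this first, then verify with show access-lists
    print("\n".join(activate))   # send only after the verification passes
```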