
Updated ACLs via CW

vnealy
Level 1

I need to push one line to my ACLs on all of my routers. It is an allow. Does anyone know if I need to rewrite the entire ACL or will CW push the one line into place on the existing one?

Thanks in advance.

4 Replies

Joe Clarke
Cisco Employee

The Access List Manager application (part of RWAN 1.x and VMS 2.3) can do this. Within LMS, there is not an application geared to this kind of ACL editing. However, you can make use of Config Editor and the order-sensitive feature of Baseline Templates to do basic editing. However, the ACL must be removed to change it, and this can leave you vulnerable for a short time, and may lock you out mid-edit.

To get around the lockout problem, you could deploy the ACL using SNMP and TFTP instead of a line-by-line method like SSH or telnet. Alternatively, you could create another ACL with all of the ACE rules you want, then switch the access-class or access-group to that new ACL number. Or, you could apply a temporary ACL that locks out all but the CiscoWorks server, and switch your access-class or access-group to that new number. Then execute another job that makes the desired changes to your real ACL. Then switch your access-class or access-group back when it's done.

Thanks for the quick reply.

I am looking to do a deploy during one of our Maintenance Windows. I was thinking of using Netconfig also. So, it looks like I've got some rewriting to do?

Thanks.

You could use Netconfig for the other options I presented, but if your job simply consists of:

access-list 101 permit tcp any host x.x.x.x eq 80

It will just tack that ACE to the end of ACL 101 (which does not sound like what you want).
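The "create another ACL, then switch the access-group" option from the earlier reply, sketched as an added example that is not part of the original thread and not CiscoWorks code. The ACL contents, addresses, ACL number 102 and interface name are constructed, ACL 102 is assumed to be unused, and placing the new permit ahead of the first deny is an assumed policy.

```python
"""Build a replacement numbered ACL and the commands that swap an interface to it."""

# Constructed sample: ACL 101 as it might appear in a running config.
RUNNING_ACL = [
    "access-list 101 permit tcp any host 192.0.2.10 eq 443",
    "access-list 101 deny ip any any log",
]
# Constructed ACE; the thread masks the real host as x.x.x.x.
NEW_ACE = "permit tcp any host 192.0.2.10 eq 80"


def ace_bodies(acl_lines, number):
    """Strip the 'access-list <n> ' prefix from each line, keeping ACE order."""
    prefix = f"access-list {number} "
    return [line.strip()[len(prefix):] for line in acl_lines
            if line.strip().startswith(prefix)]


def insert_before_first_deny(bodies, new_ace):
    """Place new_ace ahead of the first deny (assumed policy).

    Pushing the single line to the existing numbered ACL would append it,
    so a trailing deny would match first and the permit would never hit.
    """
    for i, body in enumerate(bodies):
        if body.startswith("deny"):
            return bodies[:i] + [new_ace] + bodies[i:]
    return bodies + [new_ace]


def build_swap_job(acl_lines, old, new, new_ace, interface, direction="in"):
    """Return config lines: define the complete ACL <new>, then repoint the interface.

    The access-group change comes last, so the interface never references
    a half-built ACL and the original ACL stays in force until the swap.
    """
    bodies = insert_before_first_deny(ace_bodies(acl_lines, old), new_ace)
    job = [f"access-list {new} {body}" for body in bodies]
    job += [f"interface {interface}", f" ip access-group {new} {direction}"]
    return job


if __name__ == "__main__":
    for line in build_swap_job(RUNNING_ACL, 101, 102, NEW_ACE, "GigabitEthernet0/1"):
        print(line)
```

ACL 101 is left in place by this job, so switching the access-group back to 101 restores the previous filtering if the new ACL misbehaves.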

Thanks!