
ACL Update Procedures

The document discusses recommended procedures for updating security ACLs on a network gateway to minimize disruption and exposure time when no ACL is applied. It recommends using a two ACL staged update process, where two copies of the ACL exist - one active and one for updates. The process involves loading the updated ACL, verifying it, then activating it to replace the original ACL. General guidelines are also provided, such as making all ACL changes offline first before uploading and using named ACLs for additional management features.

Uploaded by

aitel
Copyright
© Attribution Non-Commercial (BY-NC)

Monday, December 16, 2002

Highlights

- ACL Update Procedures on the Gateway need to be minimally disruptive.
- Exposure time of having no ACL needs to be minimized.

Updating Security ACLs


Version 0.1

Intro
Updating ACLs used for security on the edge of a network has two key requirements. First, updates need to be minimally disruptive to the operational environment. Second, updates need to minimize the exposure time during which no ACL is applied to the interface. To meet these requirements, network operators need to know the details of the load/update characteristics of ACLs on their products. These load/update characteristics may differ depending on the operating system, software version, product, and forwarding/feature ASIC used. Knowing the details allows a network operator to match their procedures to the operating characteristics of the platform's ACL, achieving the desired objective of minimized exposure time and operational risk.

Recommended Procedure Without Cisco's ACL Manager


Most ISPs do not use an application like Cisco's ACL Manager. Instead, they create their own specialized scripts to update their security ACLs. To meet the objectives of minimized exposure and operational risk, many ISPs use a two ACL staged update. This allows the ISP to work with IOS's operational behavior while meeting their operational objectives. The procedure involves having two copies of the ACL, allowing for sanity checking and a quick switch between the old ACL and the updated ACL.

1. Have two ACLs - one active, and the other for updates (ACL xxx and ACL yyy). The following steps use ACL 150 and ACL 151 for demonstration purposes.

2. Load the Updated ACL. If ACL 150 is currently applied to the interface and a new ACL needs to be loaded, load the new ACL first under a different number; in this case, it would be loaded as ACL 151. That way the ACL can be loaded and checked before it is applied to the interface. This also allows for a quick switch from the active ACL (ACL 150) to the updated ACL (ACL 151).

3. Activate the Updated ACL. Once the upload is complete and verified, swap the interface's access-group using "ip access-group 151". This command results in ACL 151 immediately taking over. By default, IOS will not let you have more than one access list active (in the same direction) on a given interface; therefore, the old access list is removed when the new one is activated.

4. New Update. The next time you need to update the ACL, you edit ACL 150 in an off-line text editor, upload it, and activate it as specified in the steps above. A change management procedure is strongly encouraged to track the active versus editable ACL. Use the Named ACL description command, and record version numbers for each individual Named ACL using the remark command.

Cisco Systems, Inc. 170 West Tasman Drive. San Jose, CA 95134-1706 Phone: +1 408 526-4000 Fax: +1 408 536-4100

General ACL Update Guidelines with IOS


- All ACL changes should be made in an off-line text editor before being uploaded into the router. Once uploaded, use show commands to check for accuracy. At this time, you cannot add/delete specific Access Control Entries (ACEs) from the ACL; ACL Sequence Numbers will add this support in future IOS versions.

- All updates require a new ACL load. The first line of the newly modified ACL is a "no access-list XXX". In this example the updated ACL is 151, so the first line of the update needs to be "no access-list 151", followed by the new ACL. This removes the old ACL from all LCs, VIPs, and processes, and ensures there is no confusion in the system.

- Use Named ACLs. Named ACLs provide additional features that help manage ACLs on a router. The description and remark commands are two very useful features for providing in-band documentation of the ACL.

- Do Not Mix Named ACL Updates with traditional extended ACL Updates. There are side effects when ACLs are created with one and updated with the other. It is best to pick one (Named ACLs are preferred) and stick with that CLI syntax.
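A script in the spirit of the operator-written ones mentioned in the procedure above, added here as an example and not part of the Cisco document: it generates the two-ACL staged load, verify and activate steps, puts the "remove the whole ACL" line first and a version remark second, and refuses to mix numbered-ACL syntax into a named ACL body (the last guideline). The ACL names EDGE-A/EDGE-B, the interface name and the sample ACEs are assumed.

```python
"""Staged two-ACL update generator (added example, not from the Cisco document).
ACL names, interface and sample ACEs are constructed; the IOS commands emitted
are standard IOS CLI syntax."""
import re

# Classic numbered syntax ("access-list 151 permit ...") must not be mixed
# into a named-ACL body, per the guideline above.
NUMBERED_ACE = re.compile(r"^\s*(no\s+)?access-list\s+\d+\b")

# Constructed sample ACEs using RFC 5737 documentation prefixes.
SAMPLE_ACES = [
    "deny ip 192.0.2.0 0.0.0.255 any",
    "permit tcp any host 198.51.100.10 eq 22",
    "deny ip any any log",
]

def check_named_body(aces):
    """Reject ACEs written in numbered-ACL syntax; return the stripped list."""
    cleaned = [ace.strip() for ace in aces]
    for ace in cleaned:
        if NUMBERED_ACE.match(ace):
            raise ValueError(f"numbered-ACL syntax in named ACL body: {ace!r}")
    return cleaned

def build_load(staging_acl, version, aces):
    """Step 2: reload the staging ACL from the off-line edit. The first line
    removes the whole ACL so no stale ACEs linger, then a version remark."""
    lines = [f"no ip access-list extended {staging_acl}",
             f"ip access-list extended {staging_acl}",
             f" remark version {version}"]
    lines += [f" {ace}" for ace in check_named_body(aces)]
    return "\n".join(lines)

def build_activate(interface, staging_acl, direction):
    """Step 3: swap the access-group; IOS drops the old ACL in that direction."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    return f"interface {interface}\n ip access-group {staging_acl} {direction}"

def staged_update(active_acl, staging_acl, interface, direction, version, aces):
    """Return the load / verify / activate phases and the swapped roles (step 4)."""
    return {
        "load": build_load(staging_acl, version, aces),
        "verify": f"show ip access-lists {staging_acl}",
        "activate": build_activate(interface, staging_acl, direction),
        "next_active": staging_acl,   # becomes the live ACL
        "next_staging": active_acl,   # edited off-line for the next update
    }
```

Calling `staged_update("EDGE-A", "EDGE-B", "GigabitEthernet0/0", "in", 2, SAMPLE_ACES)` yields the three config fragments to paste in order, plus the swapped roles to record in change management for the next cycle.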
