
Modifying an existing (in use) Access List


hinesjrh (MIS; joined Jan 4, 2005; 260 messages; location: US)
Is there a document somewhere that provides step-by-step instructions for modifying an existing Access Control List? I have two Extended Access Control Lists on a 3640 router (running IOS 12.2) that I need to add lines to (in the middle of the current statements). Of course I don't want to mess up my production environment, so I think I need to use a TFTP server and text editor. However, I have not done this before except in a lab setting.
 
I use notepad and cut and paste.....

no ip access-list extended test
ip access-list extended test
permit etc

It is unlikely you will see any issues - maybe a 'blip'?

You could do it as you say by copying off the config, editing it and uploading back to the router then typing 'copy startup-conf running-conf' but I think you will still see a similar blip.

Andy
 
1. Copy access list from config into Notepad and make changes.

2. Remove access list from interface on router

3. Remove access list from router (no ip access-list extended <name>)

4. Paste in updated access list

5. Put the access list back on the interface
 
As jneiberger above says.....

MAKE SURE you remove the access group from the interface first or you may well lose connectivity to the device.

Remain positive. The effect on those around you will amaze.
 
Just a few more questions.

Thanks for all your help so far!!!

Can I safely do the cut, paste, and edit the text in a text editor prior to actually making any changes on the router (removing the access list from the interface, removing the access list from the router, and of course moving the newly modified list back to the router)?

The suggestion of having a line read "no access-list 101" - is that actually the first line of text in the ACL?

I have two current access lists running in my router (101 and 102). How do I tell if they are addressing inbound or outbound traffic?

What is the command for copying an access list from my TFTP server to the router?
 
Cut and paste shouldn't do anything to the router, all you're doing is taking the text out of the terminal program and dropping into a text editor.

The "no access-list" command deletes the existing access-list, which is why you need to remove it from the interface first.

"sho ip interface" should tell you which direction the ACL is applied to, assuming it's an IP access list of course :)

I can't help you with the TFTP, my ACL's are usually so short it's easier for me to just cut and paste from Notepad into Procomm.
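The five-step procedure posted above, together with the "show ip interface" answer here, can be turned into a small script that does the editing off-box before anything is typed into the router. The following is an added example for this thread, not code from any poster: it parses a constructed excerpt of `show ip interface` output to find which interfaces and directions an ACL is bound to, parses the ACL text as copied from the running config (numbered or named extended form), inserts new entries at a chosen position in the middle, and emits the CLI sequence in the safe order (detach from every interface, delete, recreate, re-attach). The interface names, addresses and ACEs in the samples are constructed and not taken from the thread.

```python
"""Generate the safe replacement sequence for an in-use IOS ACL.

Added example for this thread (not any poster's code). It follows the
five-step procedure above: find where the ACL is bound with `show ip
interface`, detach it, delete it, paste the edited list, and re-attach it.
The sample command output and ACL text below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of `show ip interface` output (one block per interface).
SAMPLE_SHOW_IP_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.1.1/24
  Outgoing access list is not set
  Inbound  access list is 101
FastEthernet0/1 is up, line protocol is up
  Internet address is 10.0.0.1/30
  Outgoing access list is 102
  Inbound  access list is not set
"""

# Constructed numbered extended ACL as it appears in `show running-config`.
SAMPLE_ACL_101 = """\
access-list 101 permit tcp any host 192.168.1.10 eq 80
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 deny ip any any log
"""

IFACE_RE = re.compile(r"^(\S+) is .*, line protocol is ")
ACL_RE = re.compile(r"^\s+(Inbound|Outgoing)\s+access list is (.+)$")


def parse_acl_bindings(show_ip_interface: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface to the ACL applied inbound ('in') and outbound ('out')."""
    bindings: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in show_ip_interface.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            bindings[current] = {"in": None, "out": None}
            continue
        m = ACL_RE.match(line)
        if m and current is not None:
            direction = "in" if m.group(1) == "Inbound" else "out"
            value = m.group(2).strip()
            bindings[current][direction] = None if value == "not set" else value
    return bindings


def where_applied(bindings: Dict[str, Dict[str, Optional[str]]], acl: str) -> List[Tuple[str, str]]:
    """Return (interface, direction) pairs where `acl` is in use; empty means it is unbound."""
    return [(ifc, d) for ifc, dirs in bindings.items() for d, v in dirs.items() if v == acl]


def parse_acl(config_text: str) -> Tuple[str, bool, List[str]]:
    """Return (name, is_named, entries) for a numbered or named extended ACL."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    head = lines[0].split()
    if head[:3] == ["ip", "access-list", "extended"]:
        return head[3], True, lines[1:]
    if head[0] == "access-list":
        number = head[1]
        entries = []
        for ln in lines:
            parts = ln.split(maxsplit=2)
            if parts[:2] != ["access-list", number]:
                raise ValueError(f"unexpected line in ACL {number}: {ln}")
            entries.append(parts[2])
        return number, False, entries
    raise ValueError("unrecognised ACL text")


def insert_entries(entries: List[str], new_entries: List[str], before_index: int) -> List[str]:
    """Insert new ACEs before position `before_index` (ACLs match top-down, first hit wins)."""
    if not 0 <= before_index <= len(entries):
        raise IndexError("insert position outside the ACL")
    return entries[:before_index] + list(new_entries) + entries[before_index:]


def build_change_set(name: str, is_named: bool, entries: List[str],
                     applied: List[Tuple[str, str]]) -> List[str]:
    """Order matters: detach from every interface first, then delete, recreate, re-attach."""
    if not applied:
        raise ValueError(f"ACL {name} is not applied anywhere; check the interface list")
    cmds = ["configure terminal"]
    for ifc, direction in applied:                      # step 2: remove from interface
        cmds += [f"interface {ifc}", f" no ip access-group {name} {direction}", "exit"]
    if is_named:                                        # steps 3 and 4: delete, paste new list
        cmds += [f"no ip access-list extended {name}", f"ip access-list extended {name}"]
        cmds += [f" {e}" for e in entries] + ["exit"]
    else:
        cmds += [f"no access-list {name}"]
        cmds += [f"access-list {name} {e}" for e in entries]
    for ifc, direction in applied:                      # step 5: put it back on the interface
        cmds += [f"interface {ifc}", f" ip access-group {name} {direction}", "exit"]
    return cmds + ["end"]


if __name__ == "__main__":
    bindings = parse_acl_bindings(SAMPLE_SHOW_IP_INTERFACE)
    number, named, aces = parse_acl(SAMPLE_ACL_101)
    aces = insert_entries(aces, ["permit tcp any host 192.168.1.10 eq 22"], 2)
    print("\n".join(build_change_set(number, named, aces, where_applied(bindings, number))))
```

The script only prints the command sequence; review it and paste it into the terminal yourself, and note that the connectivity blip mentioned above still happens between the detach and re-attach steps, so the ACL that protects your own management path is the one to be most careful with.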
 
You could also create another ACL with the changes and then change the access-group on the interface. CiscoWorks VMS does this with ACL's - it adds '_01' to the end of the original ACL name, attaches the ACL to the interface and then removes the original ACL. Next time the ACL is changed it removes the '_01' etc.

Andy
 
Or you could upgrade to 12.3 and you can put entries in on the fly anywhere within the current ACL without disrupting anything. They finally got smart and put something useful in the code. :-)
 