Maintaining acls offline using tftp or rcp – Cabletron Systems SmartSwitch Router 9032578-02 User Manual
Page 175
SmartSwitch Router User Reference Manual
Chapter 10: Security Configuration Guide
creating additional delay. Therefore, one should consider the potential performance
impact before turning on ACL Logging.
Maintaining ACLs Offline Using TFTP or RCP
The SSR provides two mechanisms to maintain and manipulate ACLs. The traditional
method used by some of the other popular routers requires the use of TFTP or RCP. With
this mechanism, the administrator is encouraged to create and modify ACLs on a remote
host. The administrator can use his or her favorite editor to edit, delete, replace or reorder
ACL rules in a file. Once the changes are made, the administrator can then download the
ACLs to the router using TFTP or RCP and make them take effect on the running system.
The following example describes how one can use TFTP to help maintain ACLs on the
SSR. Suppose the following ACL commands are stored in a file on some host:

no acl *
acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
acl 101 permit tcp 10.11.0.0 any
acl 101 apply interface ssr12 input

The first command, no acl *, negates all commands that start with the keyword "acl".
This tells the router to remove the application and the definition of any ACL. The
administrator can be more selective if he or she wants to remove only ACL commands
related to, for instance, ACL 101 by saying no acl 101 *. The negation of all related
ACL commands is important because it removes any potential confusion caused by the
addition of new ACL rules to existing rules. Basically, the no acl command cleans up the
system for the new ACL rules.
Once the negation command is executed, the second and third commands redefine
ACL 101. The final command applies the ACL to interface ssr12.
If the changes are accessible from a TFTP server, one can download them and make them
take effect by issuing commands like the following:

copy tftp://10.1.1.12/config/acl.changes to scratchpad
copy scratchpad to active

The first copy command downloads the file acl.changes from the TFTP server and puts the
commands into the temporary configuration area, the scratchpad. The administrator can
re-examine the changes if necessary before committing them to the running system.
The second copy command makes the changes take effect by copying from the scratchpad
to the active running system.
If the administrator needs to re-order or modify the ACL rules, he or she must make the
changes in the acl.changes file on the remote host, download the changes and make them
effective again.