Router ACL vs Pix ACL
onsite_tech asked:
I learned most of my Cisco off of a PIX, so I'm really more used to the PIX syntax, but I'm having to work more with routers now. I've found that (and this could be just how I learned, so I'm asking here since it's a hard question to google), if I want to modify a PIX ACL, I can just add/remove/shift around whatever I want in a command or two, and I can do it on the same interface that I'm remoting into the PIX with (as long as I don't do something stupid like 'deny any any'). However, when it comes to routers, if I want to modify an ACL, I have to basically put a no in front of the whole damned thing and re-load every line (usually via copy/paste to Notepad). This is OK (if tedious) most of the time, but if I have to do it on an interface that I'm remoting in through (the outside interface), wouldn't it break my connection and kill my paste in the middle of it going into the router? My experience with PIXes is that the minute you make a change, it takes effect, and if you just affected an ACL that was letting you remote in, you're going to lose access even before your paste finishes.
So I guess the question is sort of a few small questions instead of one big one. Can I add to the bottom of an ACL without having to recompile? I've always assumed yes, but now I'm realizing I never tested this (it doesn't help if the last line is deny any any though, as it usually is). Is there another way or route to go about modifying router ACLs? And if not, how hard would it be for me (remoting in via SSH) to modify the access-list affecting the outside interface of the device?
ASKER
How do you tell a router to reboot in 5 minutes?
ASKER
So it seems like, with a few variations, the preferred method for router experts is to unbind the interface, kill the ACL, rebuild the ACL via Notepad and reapply it to the interface. This is kind of what I was figuring, but knowing that's the best method for most sure makes me feel a lot more confident in it. Thanks again everyone for the advice, you guys rule.
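A variation on the unbind/kill/rebuild/reapply sequence summarized above, as an added example that is not from this thread or from Cisco: a small Python helper that emits the IOS commands for rebuilding the ACL under a new name and re-pointing the interface with a single `ip access-group`, so the outside interface never sits unbound (and therefore unfiltered) while the list is pasted back in. It assumes standard IOS named extended ACL syntax and the `reload in` / `reload cancel` safety net; the ACL names, interface and addresses are constructed.

```python
import re
from typing import List

# Matches a trailing catch-all deny, with or without a sequence number or 'log'.
CATCH_ALL_DENY = re.compile(r"^(\d+\s+)?deny\s+(ip\s+)?any\s+any(\s+log.*)?$")

def insert_before_final_deny(entries: List[str], new_entry: str) -> List[str]:
    """Insert new_entry above a trailing 'deny ip any any', else append it.

    IOS appends new lines at the bottom of an ACL, which is useless when the
    bottom line is the catch-all deny; this keeps that deny last.
    """
    acl = [e.strip() for e in entries if e.strip()]
    if acl and CATCH_ALL_DENY.match(acl[-1]):
        return acl[:-1] + [new_entry.strip(), acl[-1]]
    return acl + [new_entry.strip()]

def build_swap_config(old_name: str, new_name: str, entries: List[str],
                      interface: str, direction: str = "in",
                      reload_minutes: int = 5) -> List[str]:
    """Emit IOS commands that replace old_name with a new ACL in one step.

    Ordering is the point: (1) 'reload in N' arms a safety net so a lock-out
    undoes itself; (2) the replacement is built under a different name while
    the old ACL keeps filtering (an unbound ACL does nothing); (3) a single
    'ip access-group' re-points the interface, so there is no window where it
    is unbound or the ACL is half-loaded; (4) only then is the old ACL deleted
    and the pending reload cancelled. 'reload in' asks for confirmation on the
    console, so answer that prompt before pasting the rest.
    """
    if old_name == new_name:
        raise ValueError("replacement ACL must use a different name")
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    cmds = [f"reload in {reload_minutes}", "configure terminal",
            f"ip access-list extended {new_name}"]
    cmds += [f" {e.strip()}" for e in entries if e.strip()]
    cmds += [f"interface {interface}",
             f" ip access-group {new_name} {direction}",
             " exit",
             f"no ip access-list extended {old_name}",
             "end",
             "reload cancel"]  # issue only once you have confirmed access still works
    return cmds

# Constructed sample: an outside ACL that ends in the usual catch-all deny.
SAMPLE_ACL = ["permit tcp host 203.0.113.10 any eq 22", "deny ip any any log"]
NEW_ACL = insert_before_final_deny(SAMPLE_ACL, "permit tcp host 198.51.100.7 any eq 22")
SWAP_CONFIG = build_swap_config("OUTSIDE_IN", "OUTSIDE_IN_v2", NEW_ACL, "FastEthernet0/0")
```

Paste everything up to `end` in one go, check that the SSH session (or a fresh one) still works, and only then send `reload cancel`; if the paste locked you out, the router comes back with the saved configuration when the timer expires.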
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a0080134a60.html
It's supported in 12.3.16, and some non-mainline versions of 12.2.