Solved

How to update ip acl for multiple switches

Posted on 2016-08-05
50 Views
Last Modified: 2016-08-10
I am not an expert in Cisco networking and would need to update an IP ACL on multiple Catalyst 2960 switches. Instead of doing it one by one, is there any way to update just once? All switches were previously configured as VTP transparent.
I'd be grateful if someone could help me out.
Question by:techy98
5 Comments
LVL 15

Expert Comment

by:WalkaboutTigger
I do not believe VTP in transparent mode permits the management of ACLs across switches.

That being said, if you have a homogeneous environment, and you have PuTTY installed, you can use PLink in a script to log in to each switch and run a scripted series of console commands. The console script would include everything you would need to do if you were simply SSH'd into the switch.

Whether you did the process manually or scripted it would entirely depend upon how many switches you have and how often you need to make changes.

One thing I would most definitely do prior to making any changes via script would be to use a script to back up the configurations of all of the switches. This way, if your change script runs amok, you can readily restore the device's previously running configuration with little interruption to operations.
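A scripted version of that approach, as an added example that is not code from the thread: it uses plink to save each switch's running-config before pushing one prepared ACL change file to a list of Catalyst switches. The switches file, the ACL name MGMT-IN, the backup directory and the SW_USER / SW_PASS credentials are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: back up every switch's running-config,
# then push one prepared IOS command file to each switch through plink (PuTTY's
# command-line SSH client). Assumptions: plink is on PATH, host keys were cached
# by a manual PuTTY login, and SW_USER / SW_PASS come from the environment.
# Prefer "-i keyfile" over -pw where the switches accept keys: -pw shows up in
# process listings on the admin host.

SW_USER="${SW_USER:-admin}"
BACKUP_DIR="${BACKUP_DIR:-backups/$(date +%Y%m%d-%H%M%S)}"
PLINK="${PLINK:-plink}"

# Wrap ACEs (one per line in $2) in the config-mode commands IOS expects for
# named ACL $1. Put sequence numbers in the ACEs to replace specific entries
# rather than deleting a live ACL out from under its interfaces.
build_change() {
    printf 'terminal length 0\nconfigure terminal\nip access-list extended %s\n' "$1"
    sed -e '/^[[:space:]]*$/d' -e 's/^/ /' "$2"
    printf 'end\nwrite memory\nshow ip access-lists %s\n' "$1"
}

# Run plink non-interactively against one host; -batch fails instead of prompting,
# so an unknown host key aborts that host rather than hanging the whole run.
ssh_switch() {    # $1 = host, commands on stdin
    "$PLINK" -batch -ssh -l "$SW_USER" -pw "$SW_PASS" "$1"
}

# Back up every switch first, then apply the change file; stop at the first
# backup failure so no switch is ever changed without a restore point.
run_all() {       # $1 = switches file (one host per line), $2 = change file
    mkdir -p "$BACKUP_DIR" || return 1
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        printf 'terminal length 0\nshow running-config\n' |
            ssh_switch "$host" > "$BACKUP_DIR/$host.cfg" ||
            { echo "backup failed: $host" >&2; return 1; }
    done < "$1"
    while IFS= read -r host; do
        [ -z "$host" ] && continue
        ssh_switch "$host" < "$2" > "$BACKUP_DIR/$host.push.log" 2>&1 ||
            echo "push failed: $host (see $BACKUP_DIR/$host.push.log)" >&2
    done < "$1"
}

# Usage: build_change MGMT-IN aces.txt > change.txt && run_all switches.txt change.txt
```

Each host's push log keeps the `show ip access-lists` output, so a quick grep across the backup directory confirms the new entries landed everywhere.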

Author Comment

by:techy98
Thanks! That will be an additional function in PuTTY that I can look into further.
Just wondering, what if all switches are in VTP client mode under the same VTP domain, would that be another way to configure just one switch and have the updated details (e.g. a new VLAN or ACL) synchronise across all other switches?
LVL 26

Expert Comment

by:Predrag Jovic
Advertising ACLs is not a function of VTP.
VTP will advertise the list of VLANs in the VTP domain, and you can use it for propagating newly created VLANs to the whole VTP domain, but you must also be aware of potential problems, so please read this:
Cisco article - Understanding VTP
Always be aware of this one:
How a Recently Inserted Switch Can Cause Network Problems

This problem occurs when you have a large switched domain that is all in the same VTP domain, and you want to add one switch in the network.

This switch was previously used in the lab, and a good VTP domain name was entered. The switch was configured as a VTP client and was connected to the rest of the network. Then, you brought the ISL link up to the rest of the network. In just a few seconds, the whole network was down. How did this happen?

The configuration revision number of the switch that you inserted was higher than the configuration revision number of the VTP domain. Therefore, your recently introduced switch, with almost no configured VLANs, erased all VLANs through the VTP domain.

This occurs whether the switch is a VTP client or a VTP server. A VTP client can erase VLAN information on a VTP server. You can tell that this has occurred when many of the ports in your network go into inactive state but continue to be assigned to a nonexistent VLAN.

For propagation of ACLs to many switches, as WalkaboutTigger already said, you can do it manually or automate it by using a script. Typically there is no reason to have the same ACL on all switches.

Author Comment

by:techy98
Thanks so much for the further clarification. Without using VTP, when I add a new VLAN on a switch, do I also apply the same (manually, or automated by script) to the rest of the switches? I have about 6 Catalyst 6509 and 97 Catalyst 2905/2960.
LVL 26

Accepted Solution

by:
Predrag Jovic earned 500 total points
Without using VTP, when I add a new VLAN on a switch
If you use transparent mode you need to type it on all switches (or use automated scripting; if you have an NCM in your network, typically you can implement it that way), but if you use VTP it will be automatically propagated (in your case it is highly recommended to use VTP). Also, depending on the state of your network, maybe even use several VTP domains (depending on network topology, e.g. each building can have its own VTP domain and the core switches should have their own VTP domain).
Changing the VTP mode to transparent and then back to client or server mode will reset the VTP revision number to 0. But I guess you know that should always be done prior to adding a switch to the production network. I always configure switches in transparent mode prior to connecting them to the production network and then change them to client mode (or server); it is a double security measure... If the VTP password is not correct, the trunk will still function properly (I always configure only basic VLANs prior to adding a switch to the network); if after switching to client mode I lose connectivity, most likely only the password is not OK, since the trunk worked previously (before I changed the VTP mode to client), so technicians need to reset the switch and it will again be available. The second security measure is the one mentioned previously: at the same time the VTP revision number is reset to 0.
BUT, in my opinion this is a must, since someone can recklessly destroy the whole VTP domain. You can recognize it easily: all lights (or almost all) on the switches will become amber since the VLANs that are assigned to ports will be deleted. In that case a backup will not help you; you will most likely need to manually type all VLANs as fast as you can. :)
