 irotas
join:2005-12-30 Arlington, MA
edit: January 6th, @11:08PM
Question regarding named extended ACL lists
I have a Catalyst 2950 running IOS 12.1. Basically what I want to accomplish is the following:
By default, everyone is allowed to use the switch. However, occasionally I may determine that a particular host (defined by source address and source port) is malicious, and shall be denied access to the switch.
I am currently using a named ACL list because it's easier to maintain the list (e.g., I can remove entries without recreating the entire list).
Also, I am using the extended format, because I want to also specify the source port when blocking a host.
Since there is an implicit 'deny all' at the bottom of the list, I always end the list with 'permit any'.
The trouble is that when inserting new rules, the new rule goes in *after* the 'permit any'. Therefore, what I am doing to correct that is to remove the 'permit any' and re-insert it, which puts it at the end of the list.
The problem is, when I remove the 'permit any', *all* traffic is denied until I re-insert the 'permit any' at the end. This side-effect is unacceptable in the environment where the switch is to be deployed.
What's strange is that standard ACL lists actually keep the 'permit any' at the bottom of the list when new rules are inserted. I don't understand why standard and extended behave differently here.
Anyhow, I'm sure there's some clever way to do what I need without this nasty side-effect. Anyone have any ideas?
Another constraint is that there are tight constraints on the latency of inserting the rule. The environment requires the rule become active very quickly, which probably rules out any solutions using tftp.
Thanks again, Adam
 thebajaguy Premium join:2006-01-06 Oaklyn, NJ
I have the same issue when I mess with ACLs on routers. I use ACLs 100 and 101 normally, but my updates get done to 110, 111, 112, etc. You have to negate them first, then refeed the entire list back in the order you want. Then just tell the port (or interface) in question to switch to that ACL name/number. I haven't tried it on a switch, but it may do what you want.
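The swap approach described in the post above, written out as an added example (not from the thread or from any poster). It assumes a Catalyst 2950 image that supports port ACLs bound with `ip access-group ... in` on a physical interface, that the list currently in force is named BLOCK-A on FastEthernet0/1, and uses constructed addresses from the RFC 5737 documentation range. The point is that the old list stays bound until the complete replacement exists, so there is no window in which the trailing permit is missing.

```cisco
! Added example, not from the thread. Assumptions: 2950 image with port ACL
! support, existing list BLOCK-A bound inbound on Fa0/1, constructed
! addresses (192.0.2.0/24, RFC 5737).
!
! Existing state, which remains in force during every step below:
!   ip access-list extended BLOCK-A
!    deny   tcp host 192.0.2.10 eq 4444 any
!    permit ip any any
!
! Step 1: build the replacement under a new name, with the new deny entry
! placed above the closing permit. Nothing is bound yet, so traffic is
! still filtered by BLOCK-A.
ip access-list extended BLOCK-B
 deny   tcp host 192.0.2.10 eq 4444 any
 deny   tcp host 192.0.2.77 eq 31337 any
 permit ip any any
!
! Step 2: re-point the interface. One ip access-group command replaces the
! binding; at no moment is the port bound to a list without its permit.
interface FastEthernet0/1
 ip access-group BLOCK-B in
!
! Step 3: the old list is now unreferenced and can be removed. The next
! change rebuilds BLOCK-A and swaps back, alternating between the two names.
no ip access-list extended BLOCK-A
!
! Verify with: show access-lists BLOCK-B
!              show ip interface FastEthernet0/1
```

Because every step is a single CLI command on the console, the new entry becomes active the moment the `ip access-group` line is entered, which addresses the latency constraint in the original question without involving TFTP.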
 csalazarv Premium join:2004-01-21 Costa Rica edit: January 7th, @06:33AM
reply to irotas
Take a look at this thread and specifically the fourth post and on:
»Cisco 12000 ISO - access-list deny
It's about ACLs on routers but it might work too on switches.
 vipergg
join:2003-12-17
reply to irotas
I know on newer codes, think it is 12.2 and above, the ACEs have numbers in front of the entries and you can put any new entry basically where you want, but that doesn't help you because I don't think 2950's have code in the 12.2 train at this point, only 12.1. You can check though by doing a "show access-lists" and see if they display numbers in front of the entries.
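What the sequence-numbered ACEs in the post above look like in practice, as an added example that is not part of the thread. It assumes an IOS release that supports ACL sequence numbers (12.2-train and later, as the post describes; the 12.1 image on the 2950 in question does not) and that `ip access-list resequence` is available on that image; addresses are constructed from the RFC 5737 range.

```cisco
! Added example, not from the thread. Assumes an IOS image with ACL
! sequence numbers and the resequence command; constructed addresses.
!
! The list as it stands; each entry carries a sequence number.
ip access-list extended BLOCK
 10 deny   tcp host 192.0.2.10 eq 4444 any
 20 deny   tcp host 192.0.2.11 eq 4444 any
 30 permit ip any any
!
! Insert a new deny ABOVE the trailing permit by giving it a sequence
! number lower than 30. The permit is never removed, so there is no
! deny-all window.
ip access-list extended BLOCK
 25 deny   tcp host 192.0.2.77 eq 31337 any
!
! Remove one entry by its sequence number, again without touching the rest.
ip access-list extended BLOCK
 no 20
!
! When the gaps between numbers run out, renumber (start at 10, step 10).
! Relative order, and therefore the position of the trailing permit, is
! preserved.
ip access-list resequence BLOCK 10 10
!
! show access-lists BLOCK prints the numbers; their presence is the check
! the post above suggests for telling whether an image supports them.
```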
 irotas
join:2005-12-30 Arlington, MA
reply to irotas
The version of IOS currently on the 2950 does not have the sequence number in front of the ACL entries.
So the obvious next question is, how hard/risky is it to upgrade the switch to a newer version of IOS that supports these sequence numbers?
The switch is in a development lab at the moment, so downtime is not an issue.
Thanks again, Adam
 Phraxos Premium join:2004-06-12 UK
It's no harder than upgrading a router really, and there are similar mechanisms for recovering the situation if you really screw up and have a bad flash.
If you have access to the images you should also be able to find instructions on the Cisco site, but there are also instructions in the FAQ here: »Cisco Forum FAQ »How do I upgrade an IOS tar file on a 2950 Catalyst switch?
sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
reply to irotas
Have you looked at any of the nifty scripts out there that do this?
»easynews.dl.sourceforge.net/sour···1.03.txt
Ed, the guy that wrote this, uses this all the time at Panix on live stuff.
-- enjoy zesty ranch man-flavored baby tacos responsibly