Riverstone Networks RS Switch Router User Guide Release 8.0 24-7

Access Control List Configuration

Creating and Modifying ACLs

The following ACL commands, stored in the text file acl.changes, will be used to redefine ACL 101 and apply the ACL
to interface int12:

    acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
    acl 101 permit tcp 10.11.0.0 any
    acl 101 apply interface int12 input

If the changes are accessible from a TFTP server, you can upload them and make them take effect by issuing
commands like the following:

    rs# copy tftp://10.1.1.12/config/acl.no to scratchpad
    rs# copy scratchpad to active
    rs# copy tftp://10.1.1.12/config/acl.changes to scratchpad
    rs# copy scratchpad to active

The first copy command uploads the file acl.no from a TFTP server and puts the commands into the temporary
configuration area, the scratchpad. The second copy command makes the no acl command take effect by copying from
the scratchpad to the active running system, in this case negating all the commands that define and apply ACL 101.
The third copy command uploads the file acl.changes from the TFTP server to the scratchpad. (You can re-examine
the changes if necessary before committing them to the running system.) The last copy command makes the
changes take effect by copying commands from the scratchpad to the active running system.

If you need to re-order or modify the ACL rules, you must make the changes in the files on the remote host, upload
the changes, and make them effective again.

24.2.2 Maintaining ACLs Using the ACL Editor

In addition to maintaining ACLs using TFTP or RCP, the RS provides a simpler and more user-friendly
mechanism to maintain ACLs: the ACL editor. The ACL editor is a facility that is used “online,” that is, via the CLI on a
Console or Telnet session.

The ACL editor can only be accessed within Configure mode, using the acl-edit command. You edit an ACL by
specifying its name together with the acl-edit command. For example, to edit ACL 101, you issue the command
acl-edit 101. The only restriction is that while you are editing a particular ACL, you cannot add rules for a different ACL.
You can only add new rules for the ACL that you are currently editing. When the editing session is over, that is, when
you are done making changes to the ACL, you can save the changes and make them take effect immediately. Within
the ACL editor, you can add new rules (add command), delete existing rules (delete command) and re-order the rules
(move command). To save the changes, use the save command or simply exit the ACL editor.

If you edit and save changes to an ACL that is currently being used or applied to an interface, the changes take
effect immediately. There is no need to remove the ACL from the interface before making changes and reapply it after
the changes are made. The process is automatic.

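Because only the first matching rule in an ACL counts, re-ordering rules (with move in the ACL editor, or by editing acl.changes) can leave a later rule unreachable. The following Python is an added example, not part of the Riverstone manual: it parses ACL lines in the page's acl 101 syntax and flags rules that an earlier rule of the same ACL already fully covers, a check worth running on a file before copying it from the scratchpad to active. It assumes a bare address denotes a single host and that the protocol keyword ip covers all protocols; both are assumptions, not documented RS behaviour.

```python
import ipaddress

# Constructed sample: the acl.changes contents shown on this page.
ACL_CHANGES = """\
acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
acl 101 permit tcp 10.11.0.0 any
acl 101 apply interface int12 input
"""

def parse_prefix(token):
    """'any' matches every address; a bare address is read as one host (assumption)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)

def parse_rules(text):
    """Return (acl_name, action, protocol, src, dst) for each rule line.

    'apply' lines bind the ACL to an interface and are not rules, so they are skipped.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "acl" and parts[2] in ("permit", "deny"):
            rules.append((parts[1], parts[2], parts[3],
                          parse_prefix(parts[4]), parse_prefix(parts[5])))
    return rules

def shadowed_rules(rules):
    """Indices of rules that can never match: an earlier rule of the same ACL already
    covers their protocol, source and destination, so their action is unreachable.
    The keyword 'ip' is assumed to cover every protocol."""
    shadowed = []
    for j, (name, _, proto, src, dst) in enumerate(rules):
        for name_i, _, proto_i, src_i, dst_i in rules[:j]:
            if (name_i == name and proto_i in (proto, "ip")
                    and src.subnet_of(src_i) and dst.subnet_of(dst_i)):
                shadowed.append(j)
                break
    return shadowed

def check(text):
    """One-line report for an ACL file, to review before 'copy scratchpad to active'."""
    rules = parse_rules(text)
    bad = shadowed_rules(rules)
    if not bad:
        return "ok: %d rules, none shadowed" % len(rules)
    return "shadowed rule(s): " + ", ".join("#%d %s" % (j + 1, rules[j][1]) for j in bad)

if __name__ == "__main__":
    print(check(ACL_CHANGES))
```

Swapping the two rules of ACL 101 makes the deny unreachable, which the check reports as shadowed rule #2.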