Chapter 19: Access Control List Configuration Guide

Suppose the following ACL commands are stored in a file on some hosts:

    no acl *
    acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
    acl 101 permit tcp 10.11.0.0 any
    acl 101 apply interface int12 input

The first command, no acl *, negates every command that begins with the keyword acl. It tells the SSR to remove both the definition of every ACL and its application to any interface. You can be more selective if you want to remove only the commands related to one ACL, for instance ACL 101, by entering no acl 101 *. Negating the related ACL commands first matters because ACL rules are cumulative: without the negation, the rules in the file would be appended to whatever rules already exist for that ACL, and the resulting rule order would not be what the file shows. In short, the no acl command clears the system so that the new ACL rules are the only ones in effect.

Once the negation command has executed, the second and third commands redefine ACL 101. The final command applies the ACL to interface int12 in the input direction.

If the changes are accessible from a TFTP server, you can upload and make the changes take effect by issuing commands like the following:

    ssr# copy tftp://10.1.1.12/config/acl.changes to scratchpad
    ssr# copy scratchpad to active

The first copy command uploads the file acl.changes from the TFTP server and places the commands in the temporary configuration area, the scratchpad. The administrator can re-examine the changes there before committing them to the running system. The second copy command makes the changes take effect by copying the scratchpad contents to the active configuration.

If you need to re-order or modify the ACL rules, you must make the changes in the acl.changes file on the remote host, upload the file again, and make the changes effective again.

Maintaining ACLs Using the ACL Editor

In addition to the traditional method of maintaining ACLs using TFTP or RCP, the SSR provides a simpler and more user-friendly mechanism to maintain ACLs: the ACL Editor.

The ACL Editor can only be accessed from Configure mode using the acl-edit command. You edit an ACL by giving its name with the acl-edit command; for example, to edit ACL 101, you issue the command acl-edit 101. The only restriction is that while you are editing a particular ACL you cannot add rules for a different ACL: new rules may only be added to the ACL you are currently editing. When the editing session is over, that is, when you are done making changes to the ACL, you can save the changes and make them take effect immediately. Within the ACL Editor you can add new rules (add command), delete existing rules (delete command) and re-order the rules (move command). To save the changes, use the save command or simply exit the ACL Editor.
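The behaviour described in this chapter, the no acl negation, the appending of rules to an ACL that was not cleared first, first-match evaluation of the ordered rule list, and the ACL Editor's move operation, is modelled below in Python as an added example. This is not Cabletron code and the SSR does not expose any such scripting interface; it is an offline model for checking an acl.changes file before uploading it. The change file embedded in the block is constructed to mirror the one shown earlier, with the source mask of the permit rule made explicit. Two modelling assumptions are labelled in the code: a bare address without a mask is treated as a single host, and an unmatched packet falls through to an implicit deny at the end of the list.

```python
"""Offline model of an SSR acl.changes file (added example, not Cabletron code).

Replays `no acl ...`, `acl <name> permit|deny <proto> <src> <dst>` and
`acl <name> apply interface <if> input|output` into an ordered rule list, then
evaluates constructed packets against it with first-match semantics.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class AclState:
    rules: dict = field(default_factory=dict)    # name -> [Rule, ...] in file order
    applied: dict = field(default_factory=dict)  # name -> [(interface, direction)]

def parse_net(tok):
    """'any' or a.b.c.d/len.  Assumption: a bare address is a single /32 host."""
    if tok == "any":
        return ANY
    return ipaddress.ip_network(tok if "/" in tok else tok + "/32", strict=False)

def load_changes(text, state=None):
    """Replay a change file into an AclState; pass an existing state to see what
    happens when the file is applied on top of rules that are already defined."""
    if state is None:
        state = AclState()
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["no", "acl"]:
            if words[2:] == ["*"]:                       # no acl *
                state.rules.clear(); state.applied.clear()
            elif len(words) == 4 and words[3] == "*":    # no acl <name> *
                state.rules.pop(words[2], None); state.applied.pop(words[2], None)
            else:
                raise ValueError(f"unsupported negation: {raw}")
            continue
        if words[0] != "acl":
            raise ValueError(f"not an acl command: {raw}")
        name = words[1]
        if words[2] in ("permit", "deny"):
            # optional port fields after the destination are ignored in this model
            _, _, action, proto, src, dst = words[:6]
            state.rules.setdefault(name, []).append(
                Rule(action, proto, parse_net(src), parse_net(dst)))
        elif words[2:4] == ["apply", "interface"]:
            state.applied.setdefault(name, []).append((words[4], words[5]))
        else:
            raise ValueError(f"unsupported acl command: {raw}")
    return state

def evaluate(rules, proto, src, dst):
    """First matching rule wins.  Assumption: an unmatched packet is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto in ("ip", proto) and s in r.src and d in r.dst:
            return r.action
    return "deny"

def move_rule(rules, index, new_index):
    """The ACL Editor's `move`: relocate one rule, preserving the others' order."""
    rules = list(rules)
    rules.insert(new_index, rules.pop(index))
    return rules

def unnegated_acls(text):
    """ACL names that receive rules before any `no acl` clears them: the case the
    text warns about, where the file's rules are appended to existing ones."""
    cleared, offenders = set(), []
    for raw in text.splitlines():
        words = raw.split()
        if words[:2] == ["no", "acl"] and len(words) > 2:
            cleared.add(words[2])                        # "*" or an ACL name
        elif words[:1] == ["acl"] and len(words) > 2 and words[2] in ("permit", "deny"):
            if "*" not in cleared and words[1] not in cleared and words[1] not in offenders:
                offenders.append(words[1])
    return offenders

# Constructed change file mirroring the one in the text (permit mask made explicit).
ACL_CHANGES = """\
no acl *
acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
acl 101 permit tcp 10.11.0.0/16 any
acl 101 apply interface int12 input
"""

if __name__ == "__main__":
    st = load_changes(ACL_CHANGES)
    print(evaluate(st.rules["101"], "tcp", "10.11.1.1", "10.12.1.1"))  # deny
    print(evaluate(st.rules["101"], "tcp", "10.11.1.1", "192.0.2.1"))  # permit
    # the editor's move changes the verdict: order is part of the policy
    print(evaluate(move_rule(st.rules["101"], 1, 0), "tcp", "10.11.1.1", "10.12.1.1"))
    print(unnegated_acls("acl 102 permit ip any any\n"))               # ['102']
```

Running unnegated_acls over a change file before the copy to scratchpad catches the mistake the text describes: a file that defines rules for an ACL without first negating it. Replaying such a file on top of an AclState that already holds an `acl 101 permit ip any any` rule shows the consequence directly, since the old permit stays at the head of the list and the new deny never matches.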

SmartSwitch Router User Reference Manual

Cabletron Systems 9032578-05