Monday, December 16, 2002 Highlights

? ?

ACL Update Procedures on the Gateway need to be minimally disruptive. Exposure time of having no ACL needs to be minimized.

Updating Security ACLs

Version 0.1

Intro
Updating ACLs used for security on the edge of a network have two key requirements. First, updates needs to be minimally disrupted to the operational environment. And second, updates need to minimize exposure time when there is no ACL applied to the interface. To meet these requirements, network operators need to know the details of the load/update characteristics of ACLs on their products. These load/update characteristics may differ depending on the operating system, software versions, product, and forwarding/feature ASIC used. Knowing the details allows a network operator to match their procedures to the operating characteristics of the platforms ACL achieving the desired objective of minimized exposure time and operational risk.

Recommended Procedure Without Ciscos ACL Manager

Most ISPs do not use an application like Ciscos ACL Manager. Instead, they create their own specialized scripts to update their security ACLs. To meet the objectives of minimized exposure and operational risk, many ISPs use a two ACL staged update. This allows the ISP to work with IOSs operational behavior while meeting their operational objectives. The procedure involved having two copies of the ACL allowing for sanity checking and a quick switch between the old ACL and the updated ACL. 1. Have two ACLs - one active, and the other for updates (ACL xxx and ACL yyy). The following steps use ACL 150 and ACL 151 for demonstration purposes. 2. Load Updated ACL. If ACL 150 is currently applied to the interface and a new ACL needs to be loaded, load the new ACL first as a different number. In this case, it would be loaded as ACL 151. That way the ACL can be loaded and checked before application to the interface. This also allows for a quick switch from the active ACL (ACL 150) to the updated ACL (ACL 151). 3. Activate the Updated ACL. Once the upload is complete and verified, swap the interface's access-group using " access -group 151." This command results in ACL 151 ip immediately taking over. By default, IOS will not let you have more than one access list
Cisco Systems, Inc. 170 West Tasman Drive. San Jose, CA 95134 -1706 Phone: +1 408 526-4000 Fax: +1 408 536-4100 1

Monday, December 16, 2002 active (in the same direction) on a given interface; therefore, the old access list is removed when the new one is activated. 4. New Update. The next time you need to update the ACL, you edit ACL 150 via an off-line text editor, upload it, and activate it as specified in steps one through four above. A change management procedure is strongly encouraged to track the active versus editable ACL. Use of the Named ACL description command, as well as the version numbers for each individual Named ACL using the remark command.

General ACL Update Guidelines with IOS

? All ACL changes should be made in an off-line text editor before being up loaded into the router. Once uploaded, use show commands to check for accuracy. At this time, you cannot add/delete specific Access Control Entries (ACEs) from the ACL. ACL Sequence Numbers will add this support in future IOS versions All updates require a new ACL load. The first line of the newly modified ACL is a "no access -list XXX." In this example the updated ACL is 151. So the first line of the update needs to be "no access-list 151 followed by the new ACL. This will remove the currently old ACL from all LCs, VIPs, and processes insure there is no confusion in the system. Use Named ACLs. Named ACLs provide addition features that help manage ACLs on a router. The description and remarks commands are two very useful features for providing in-band documentation of the ACL. Mix. Do Not Mix Named ACL Updates with traditional extended ACL Updates. There are side effectives when ACLs are created with one and updated with the other. It is best to pick one (Named ACLs are preferred) and stick with that CLI syntax.

Cisco Systems, Inc. 170 West Tasman Drive. San Jose, CA 95134 -1706 Phone: +1 408 526-4000 Fax: +1 408 536-4100