Creating or editing an ACL offline

The section titled Editing an existing ACL describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides an alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to:

  • Move an existing ACL to a TFTP server

  • Use a text (.txt) file format to create a new ACL or edit an existing ACL offline

  • Use TFTP to load an offline ACL into the switch’s running-config

For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method described in this section.

NOTE:

Copy commands that used either tftp or xmodem also include an option to use usb as a source or destination device for file transfers. So although the following example highlights tftp, bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch.

Procedure
  1. Begin by doing one of the following:
    • To edit one or more existing ACLs, use copy command–output tftpto copy the current version of the ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl-02.txt in the TFTP directory on a server at 10.28.227.2:
      switch# copy command-output 'show access-list
      config' tftp 10.28.227.2 acl02.txt pc
    • To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.

  2. Use a text editor to create or edit the ACL(s) in the *.txt ASCII file format.

    If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access-list command to remove the earlier version of the ACL from the switch running-config file. Otherwise, the switch will append the new ACEs in the ACL you download to the existing ACL.

    For example, if you planned to use the copy command to replace ACL "List-120", place this command at the beginning of the edited file:

    no ip access-list extended List-120
    Figure 68: An offline ACL file designed to replace an existing ACL
  3. Use copy tftp command-file to download the file as a list of commands to the switch.
  4. Use the show run or show access-list config command to inspect the switch configuration to ensure that the ACL was properly downloaded.

NOTE:

If a transport error occurs, the switch does not execute the command and the ACL is not configured.