The offline process
Procedure
1. Begin by doing one of the following:

   - To edit one or more existing ACLs, use copy command-output tftp to copy the current version of the ACL configuration to a file on your TFTP server. For example, to copy the ACL configuration to a file named acl-001.txt in the TFTP directory on a server at FE80::2a1:200:

         Switch# copy command-output 'show access-list config' tftp fe80::2a1:200 acl-001.txt pc

   - To create a new ACL, open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.

2. Use a text editor to create or edit the ACLs in the *.txt ASCII file format.

3. If you are replacing an ACL on the switch with a new ACL that uses the same number or name, begin the command file with a no ipv6 access-list command to remove the earlier version of the ACL from the switch's running-config file. Otherwise, the switch appends the ACEs in the ACL you download to the existing ACL. For example, if you planned to use the copy command to replace an ACL named "List-120", you would place this command at the beginning of the edited file:

         no ipv6 access-list List-120

   A complete command file that replaces List-120 then looks like this:

         no ipv6 access-list List-120
         ipv6 access-list "List-120"
            10 remark "THIS ACE ALLOWS TELNET"
            10 permit tcp fe80::17/128 ::/0 eq 23
            20 deny ipv6 fe80::123/128 fe80::/125 log
            30 deny ipv6 fe80::255/128 fe80::/125 log
            40 remark "THIS IS THE FINAL ACE IN THE LIST"
            40 permit ipv6 ::/0 ::/0
            exit

   The first line removes the existing ACL so that the download replaces it with a new version under the same identifier. To append new ACEs to an existing ACL instead of replacing it, omit the first line and ensure that the sequence numbers of the new ACEs begin with a number greater than the highest number in the existing list.

4. Use copy tftp command-file to download the file as a list of commands to the switch. For example, using copy tftp command-file to configure an ACL in the switch:

         Switch(config)# copy tftp command-file fe80::1ad:17 acl-001.txt pc
         Running configuration may change, do you want to continue[y/n]? y
         1.  ipv6 access-list "acl-001"
         6.  ; CREATED ON JUNE 10
         10. 10 remark "Telnet Denied Here"
         13. 10 deny tcp 2001:db8:0:1af::/64 ::/0 eq 23
         16. 30 deny tcp ::/0 ::/0 log
         19. 40 deny icmp 2001:db8:0:1af::/64 ::/0 134
         22. 50 deny icmp 2001:db8:0:1af::/64 ::/0 133
         27. ; PERMITS IPV6 ANY ANY
         31. 60 permit ipv6 ::/0 ::/0
         34. exit
         36. vlan 20 ipv6 access-group acl-001 vlan-in

   NOTE: Blank lines may appear in the command output when you copy the command file to the switch. However, they are eliminated in the copy of the ACL in switch memory. This is normal operation.

5. In this example, the command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your application, the next step is to assign the new ACL to the intended VLAN manually:

         vlan <vid> ipv6 access-group <identifier> <vlan-in|vlan-out>

6. You can then use the show run or show access-list config command to inspect the switch configuration and ensure that the ACL was downloaded properly. Verifying the .txt file download to the switch:

         Switch(config)# show run
         . . .
         ipv6 access-list "acl-001"
            10 remark "Telnet Denied Here"
            10 deny tcp ::/0 ::/0 eq 23
            30 deny tcp ::/0 ::/0 log
            40 deny icmp ::/0 ::/0 134
            50 deny icmp ::/0 ::/0 133
            60 permit ipv6 ::/0 ::/0
            exit
         . . .
         vlan 20
            ipv6 access-group "acl-001" vlan-in
            exit
         . . .

   As part of the instruction set included in the .txt file, the ACL is assigned to inbound IP traffic on VLAN 20.

   NOTE: The comments preceded by ";" in the .txt source file for this configuration do not appear in the ACL configured in the switch.

7. If the configuration appears satisfactory, save it to the startup-config file:

         Switch(config)# write memory
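As an added worked example (not HP's code and not part of the switch software), the Python helper below carries the rules of the procedure above through in code: it renders the .txt command file for copy tftp command-file, puts the no ipv6 access-list line first when an ACL is being replaced and, when appending instead, refuses sequence numbers that do not exceed the highest existing ACE; it also parses show run or show access-list config output, ignoring blank lines and ";" comments as the switch does, so the ACL actually installed can be compared with the file that was sent. The ACL name acl-001, VLAN 20, the addresses and the ACEs are constructed sample values, and the parser assumes the block layout shown in this section (a quoted ACL header, numbered entries, a closing exit).

```python
"""Offline IPv6 ACL command-file helpers (added example, not HP's code).

Renders the .txt file that 'copy tftp command-file' downloads, enforces the
replace-versus-append rule, and checks 'show run' output against the file.
All ACL names, VLANs and ACEs here are constructed sample data.
"""
import re
from dataclasses import dataclass

COMMENT_PREFIX = ";"   # comment lines in the .txt file; the switch drops them
ACE_RE = re.compile(r"(\d+)\s+(.+)")
HEADER_RE = re.compile(r'^(no\s+)?ipv6 access-list\s+"?([^"\s]+)"?$')


@dataclass(frozen=True, order=True)
class Ace:
    seq: int    # sequence number within the ACL
    text: str   # rest of the entry, e.g. 'deny tcp ::/0 ::/0 eq 23'


def parse_acl(text, name):
    """ACEs of ACL `name` from a command file or from 'show run' /
    'show access-list config' output.  Blank lines and ';' comments are
    skipped (the switch eliminates them); 'no ipv6 access-list' is skipped too."""
    aces, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIX):
            continue
        hdr = HEADER_RE.match(line)
        if hdr:   # a header opens the wanted block only if it is not the 'no' form
            inside = hdr.group(1) is None and hdr.group(2) == name
            continue
        if inside:
            if line == "exit":
                break
            m = ACE_RE.fullmatch(line)
            if m:
                aces.append(Ace(int(m.group(1)), m.group(2).strip()))
    return aces


def append_conflicts(new_aces, existing):
    """Sequence numbers that are not greater than the highest existing ACE,
    i.e. entries that cannot simply be appended without renumbering."""
    highest = max((a.seq for a in existing), default=0)
    return sorted(a.seq for a in new_aces if a.seq <= highest)


def build_command_file(name, new_aces, existing=(), replace=True,
                       vlan=None, direction="vlan-in"):
    """Render the .txt command file.  replace=True starts it with
    'no ipv6 access-list <name>' so the download replaces the ACL;
    replace=False omits that line and requires fresh sequence numbers."""
    lines = []
    if replace:
        lines.append(f"no ipv6 access-list {name}")
    else:
        clash = append_conflicts(new_aces, existing)
        if clash:
            raise ValueError(f"append: sequence numbers {clash} do not exceed "
                             f"the highest existing ACE in {name}")
    lines.append(f'ipv6 access-list "{name}"')
    lines.extend(f"   {a.seq} {a.text}" for a in new_aces)
    lines.append("   exit")
    if vlan is not None:   # optionally assign the ACL from the same file
        lines.append(f"vlan {vlan} ipv6 access-group {name} {direction}")
    return "\n".join(lines) + "\n"


def verify_download(command_file, show_run, name):
    """Compare the ACEs requested in the command file with those 'show run'
    reports.  Returns (ok, missing_on_switch, unexpected_on_switch)."""
    wanted = set(parse_acl(command_file, name))
    actual = set(parse_acl(show_run, name))
    return wanted == actual, sorted(wanted - actual), sorted(actual - wanted)


# Constructed sample: what 'show access-list config' reports before the download.
CURRENT_CONFIG = """\
ipv6 access-list "acl-001"
   10 remark "Telnet Denied Here"
   10 deny tcp ::/0 ::/0 eq 23
   30 deny tcp ::/0 ::/0 log
   60 permit ipv6 ::/0 ::/0
   exit
"""

# Constructed sample: the edited ACL that should replace it.
NEW_ACES = [
    Ace(10, 'remark "Telnet Denied Here"'),
    Ace(10, "deny tcp 2001:db8:0:1af::/64 ::/0 eq 23"),
    Ace(30, "deny tcp ::/0 ::/0 log"),
    Ace(60, "permit ipv6 ::/0 ::/0"),
]

if __name__ == "__main__":
    existing = parse_acl(CURRENT_CONFIG, "acl-001")
    print(build_command_file("acl-001", NEW_ACES, vlan=20))          # replace
    print("append conflicts:", append_conflicts(NEW_ACES, existing))  # [10, 10, 30, 60]
    extra = [Ace(70, "deny icmp 2001:db8:0:1af::/64 ::/0 134")]
    print(build_command_file("acl-001", extra, existing, replace=False))
    # The unchanged switch config still carries the old ACE 10, so this mismatches.
    print(verify_download(build_command_file("acl-001", NEW_ACES), CURRENT_CONFIG, "acl-001"))
```

In use, the text that copy command-output 'show access-list config' tftp wrote to the TFTP server is what you pass to parse_acl as the existing ACL, and the show run output captured after the download is what verify_download compares against the file you sent; a non-empty missing or unexpected list means the switch is not running the ACL you intended and the VLAN assignment should not be trusted until that is resolved.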