Possible to modify an access list entry via SNMP ?

Hi,

Can anybody tell me, if it is possible to create, delete or modify an
access list entry via SNMP protocol ? Or is this not possible, because
it must be saved in flash memory after modification ?

Thanks

Chris

 

:Can anybody tell me, if it is possible to create, delete or modify an
:access list entry via SNMP protocol ? Or is this not possible, because
:it must be saved in flash memory after modification ?

The MIBS that I have been able to find that allow access to ACLs
at any level, are:

CISCO-CATOS-ACL-QOS-MIB-V1SMI
CISCO-GPRS-ACC-PT-MIB-V1SMI
CISCO-IPSEC-POLICY-MAP-MIB-V1SMI
CISCO-ITP-ACL-MIB-V1SMI
CISCO-QOS-PIB-MIB-V1SMI
CISCO-SP-MIB-V1SMI


If I read the MIB properly, parts of CISCO-CATOS-ACL-QOS-MIB-V1SMI
are read-write in ways that would allow you to modify ACLs under
CatOS. CISCO-CATOS-ACL-QOS-MIB-V1SMI is -mostly- about QoS but
also handles security entries. You just have the small problem
that 1) It's CatOS not IOS, and 2) On many devices, CatOS only
controls layer 2 actions, making it useless to put in a layer 3/4 ACL.

Creation/ modification of ACLs is outside the scope of
CISCO-GPRS-ACC-PT-MIB-V1SMI (you can only get at ACL #'s)
CISCO-IPSEC-POLICY-MAP-MIB-V1SMI (you can read some ACL entries)
CISCO-QOS-PIB-MIB-V1SMI (read-only)

CISCO-ITP-ACL-MIB-V1SMI appears to allow you to modify ACLs, but
only applies to Cisco IP Transfer Point for SS7 signalling. Similarily,
CISCO-SP-MIB-V1SMI is for Signaling Point for SS7.


Other than that, your option is to create an ACL (or ACL removal or
modification commands) in a text file on a tftp server, and use snmpset
to tell the device to copy the file into the running config, thus
effecting the change in ACL.