I need to reconfigure the ACL that controls inbound SSH on the vty of Cisco devices. If I write an NCM script to delete the entire ACL, will it kill the NCM's SSH session to the Cisco device? If so, can this be done with the NCM script using TFTP?

EXISTING Nexus Switch CONFIG:

! vty lines use access-class (not access-group) to filter inbound sessions
line vty 0 4
  access-class 57 in
!
! NX-OS named ACL; each entry permits SSH (tcp/22) from one management host
ip access-list 57
  10 permit tcp 10.10.10.10/32 any eq 22
  20 permit tcp 10.20.20.20/32 any eq 22
  ! etc, etc,
!

Question about the NCM script is: Can I write this way "no ip access-list 57" and then rewrite the ACL with all new IP addresses?

Or will that kill the NCM's SSH session to the Cisco switch? If it will kill the SSH session, can NCM push the config changes via tftp instead?

If tftp is not an option, I'll just push a new ACL# with the desired config, change the access-group# under line vty, then delete ACL 57, rewrite it, and then change the vty access-group back to 57.

  • I have changed my vty ACL the way you're suggesting without any issues. However, I still get nervous about anything in a job that could potentially kill my remote logins, so I typically change it by removing the access class from my vty lines, delete then re-create the new acl, then add the access class back to the vty lines. It basically looks like this:

    ! 1. detach the ACL from the vty lines so no session is filtered while it is rebuilt
    line vty 0 4
    no access-class XXX in
    exit
    ! 2. delete and re-create the ACL (IOS extended named ACL syntax)
    no ip access-list extended XXX
    ip access-list extended XXX
    10 permit tcp host 10.10.10.10 any eq 22
    20 permit tcp host 10.20.20.20 any eq 22
    ! 3. re-attach the rebuilt ACL to the vty lines
    line vty 0 4
    access-class XXX in
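The following is an added example, not code from the thread or from NCM: it generates the detach / rebuild / reattach sequence from the reply above (and, optionally, the temporary-ACL swap the original poster describes) for NX-OS syntax, and refuses to emit a script whose new ACL omits the NCM server's own address, which is exactly the lockout the thread is worried about. The ACL name, host list and NCM address are constructed placeholders.

```python
"""Generate a lockout-safe replacement of a vty SSH ACL (NX-OS syntax).

Added example; assumes `ip access-list NAME` and `access-class NAME in`
under `line vty`. NCM_SERVER is a constructed placeholder for the
address the NCM poller connects from.
"""
import ipaddress

NCM_SERVER = "10.10.10.10"  # constructed placeholder, not from the thread


def build_acl(name, hosts, port=22):
    """Return the config lines for a named ACL permitting tcp/port from each host."""
    lines = [f"ip access-list {name}"]
    for seq, host in enumerate(hosts, start=1):
        ipaddress.ip_address(host)  # raises ValueError on a mistyped address
        lines.append(f"  {seq * 10} permit tcp {host}/32 any eq {port}")
    return lines


def replacement_script(acl, hosts, vty="line vty 0 4", ncm_ip=NCM_SERVER, temp=None):
    """Emit a change script that never leaves the vty lines filtered by a missing ACL.

    temp=None: detach ACL, delete/re-create it, re-attach (the reply's method).
    temp="NAME": stage the new entries in a temporary ACL, point the vty at it,
    rebuild the real ACL, point the vty back, delete the temp (the OP's method).
    """
    if ncm_ip not in hosts:
        raise ValueError(f"new ACL {acl} would lock out the NCM server {ncm_ip}")
    script = ["configure terminal"]
    if temp is None:
        script += [vty, f"  no access-class {acl} in", "exit"]
    else:
        script += build_acl(temp, hosts) + [vty, f"  access-class {temp} in", "exit"]
    script += [f"no ip access-list {acl}"] + build_acl(acl, hosts)
    script += [vty, f"  access-class {acl} in", "exit"]
    if temp is not None:
        script.append(f"no ip access-list {temp}")
    script.append("end")
    return script


if __name__ == "__main__":
    print("\n".join(replacement_script("57", [NCM_SERVER, "10.30.30.30"])))
```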