[c-nsp] Modifying ACLs on production router

Ed Ravin eravin at panix.com
Sun Oct 5 08:21:40 EDT 2008


On Sun, Oct 05, 2008 at 04:03:55AM -0700, Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied
> to an interface will cause any traffic disruption?

Depends on how you do it and what you call "traffic disruption".

If you append to the ACL while it is still applied to an interface,
then that might not disrupt anything.  If you delete the ACL and then
begin adding statements back in one by one while it is still applied
to the interface, then you may have periods of too much or too little
traffic being passed across the interface until the ACL is complete.
If the ACL affects the interface that you're managing the router from,
you might find yourself locked out of the router when the partial ACL
blocks more traffic than you want.

My "aclmaker" script, which lets you manage Cisco ACLs by editing local
files on a Unix system, automatically updates ACLs for you with the
minimum disruption.  Requires Unix/Linux, Perl, and a couple of Perl
modules:

  http://www.panix.com/~eravin/aclmaker-1.04rc1

aclmaker updates an ACL by first uploading the new ACL into the router
with a "test-xxxx" name.  If the router doesn't complain about syntax
problems, the script then removes the original ACL from any interfaces
it is applied to and applies the test ACL.  Then the script deletes the
original ACL and uploads the new ACL with the original name, and then it
removes the test-xxxx ACL from the interface(s) and applies the original ACL.

This leaves two short windows when the interface has no ACL applied, but
since the script is doing all the work automatically those windows are
as brief as possible.

	-- Ed
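The swap sequence Ed describes, as an added illustration that is not the aclmaker script and does not reproduce its code: a Python function that emits the IOS commands in that order for a routed ACL, plus a small walk-through that reports the steps at which an interface is left with no ACL, which is where the two windows fall. The ACL name, interface and body are constructed; the `ip access-list extended` / `ip access-group` syntax assumed is the standard IOS one for named RACLs (VACLs use vlan access-map and are not covered).

```python
"""Added example of the test-name ACL swap from the post (not aclmaker).
ACL name, interface and body below are constructed sample values."""


def swap_commands(name, new_lines, interfaces, direction="in"):
    """Return the IOS config commands that replace ACL `name` with the
    body `new_lines` on `interfaces`, in the order the post describes."""
    test = f"test-{name}"
    cmds = [f"ip access-list extended {test}"]     # 1. upload under test name
    cmds += [f" {line}" for line in new_lines]     #    (router checks syntax here)
    for intf in interfaces:                         # 2. move interfaces to test ACL
        cmds += [f"interface {intf}",
                 f" no ip access-group {name} {direction}",   # window 1 opens
                 f" ip access-group {test} {direction}"]      # window 1 closes
    cmds.append(f"no ip access-list extended {name}")        # 3. delete original
    cmds.append(f"ip access-list extended {name}")           #    re-upload as original
    cmds += [f" {line}" for line in new_lines]
    for intf in interfaces:                         # 4. move interfaces back
        cmds += [f"interface {intf}",
                 f" no ip access-group {test} {direction}",   # window 2 opens
                 f" ip access-group {name} {direction}"]      # window 2 closes
    cmds.append(f"no ip access-list extended {test}")        # 5. drop test ACL
    return cmds


def unprotected_steps(cmds, interface, initial):
    """Walk the command list, tracking which ACL is applied to `interface`
    (starting from `initial`), and return the indices of the commands after
    which the interface has no ACL applied at all."""
    applied, in_intf, gaps = initial, False, []
    for i, cmd in enumerate(cmds):
        if cmd.startswith("interface "):
            in_intf = cmd.split(" ", 1)[1] == interface
        elif not cmd.startswith(" "):
            in_intf = False                      # left interface config mode
        elif in_intf and cmd.startswith(" no ip access-group"):
            applied = None
        elif in_intf and cmd.startswith(" ip access-group"):
            applied = cmd.split()[2]
        if applied is None:
            gaps.append(i)
    return gaps


if __name__ == "__main__":
    body = ["permit tcp any any eq 22", "deny ip any any"]   # constructed
    seq = swap_commands("EDGE-IN", body, ["GigabitEthernet0/1"])
    print("\n".join(seq))
    print("no-ACL windows after steps:",
          unprotected_steps(seq, "GigabitEthernet0/1", "EDGE-IN"))
```

Each window lasts exactly one command, the `no ip access-group` line, and is closed by the very next line, which is the "as brief as possible" property the post claims; a manual edit that deletes the ACL and re-adds lines one by one would instead leave the interface partially filtered for the whole rebuild.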
