[c-nsp] Modifying ACLs on production router

Lincoln Dale ltd at cisco.com
Sun Oct 5 23:10:20 EDT 2008


Steve,

Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied to an interface will cause any traffic disruption?
>   
it depends on the Cisco platform and the type of ACL (named/numbered).

generally speaking, for "named ACLs", you make changes to them as you 
wish, and when you 'exit' out of the ACL submode for a named ACL, it 
gets applied in one hit.

the differences in platforms may also cause differences here - 
particularly if they are h/w based forwarding platforms.
for example, NX-OS on N7K by default does "atomic ACL commits", that is, 
an ACL is applied atomically all at once.  there is no 'in between' time 
between the old ACL being in place & the new one being applied.  not all 
platforms can perform atomic ACLs.

some platforms also have a tunable knob for what the default behavior 
should be while ACL programming is taking place.  should it be 'permit' 
or 'deny'?  you decide.

some platforms also have the ability to do a 'dry run' or 'verify' that 
an ACL is possible (h/w table space exists, TCAM resources exist, etc.), 
then 'commit' that ACL in one hit.

finally, if we were looking at what may constitute "best practice", i 
think it's always advisable to NOT be applying an ACL on the same inband 
interface that you may be using to manage the box.  out-of-band or 
side-band mgmt paths are advisable here. :)


so .. the short answer is "it depends".  if you can be more specific on 
the platform / router / switch model, a more specific answer can be 
given. :)

> On a different note, does using lock-and-key ACL cause the packet to be sent to software instead of it being completely switched in hardware?
>   
not sure what you mean by "lock and key".  can you elaborate?
cheers,

lincoln.


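As an added illustration of the knobs described above (not part of the original post), here is an assumed Nexus 7000 NX-OS configuration fragment: it keeps atomic ACL updates on, sets the default result to permit for the rare non-atomic case, edits a named ACL in submode so the change lands on 'exit', and keeps management on the out-of-band mgmt0 port rather than the in-band interface the ACL is applied to. Interface names, prefixes and the ACL name are constructed examples.

```text
! Keep the default: the I/O module is programmed with the new ACL in one
! atomic step, so there is no window with neither the old nor the new ACL.
hardware access-list update atomic
! Only consulted if a non-atomic update ever happens (e.g. TCAM too full
! for old and new copies to coexist): fail open rather than black-hole.
hardware access-list update default-result permit

! Edit the named ACL in its submode; the whole change is applied on 'exit'.
ip access-list EDGE-IN
  10 permit tcp 192.0.2.0/24 any eq 443
  20 permit icmp any any
  30 deny ip any any log
exit

! Apply to the transit interface only; this is not the management path.
interface Ethernet2/1
  ip access-group EDGE-IN in

! Manage the box out-of-band, so a mistake in EDGE-IN cannot lock you out.
interface mgmt0
  vrf member management
  ip address 198.51.100.10/24
```

Before pushing a larger ACL, confirm TCAM headroom with the platform's resource show commands so the atomic path is actually taken.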