[c-nsp] Modifying ACLs on production router

Gerry Boudreaux gerry at tape.net
Sun Oct 5 23:13:10 EDT 2008


On Oct 5, 2008, at 06:03, Steven Mark wrote:

> Does anyone know if modifying ACLs (RACL/VACL) that are applied to  
> an interface will cause any traffic disruption?

My solution of choice is to leave gaps in ACL numbers, like even/odd  
spacing, every 5 spacing, etc., so that if you are using ACL 100 on an  
interface, then 101 is the replacement ACL.

That way you can create 101 as the replacement to 100, review it for  
correctness, then go to the interface/instance where it is applied,  
and simply change the ACL applied.  The other advantage is that you  
can easily revert to the previous (last known good) ACL by simply  
re-applying the ACL, knowing it was unchanged.

This totally avoids the implicit DENY and any "timing" issues, as  
well as never leaving you with any, even microsecond, non-protected  
situations, and gives you an easy rollback position.

Then the next update simply reuses ACL 100, the one that was last  
"replaced".

Just my $0.02, and I am always interested in better "best" practices!

G
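The swap Gerry describes, written out as Cisco IOS CLI. This is an added illustration, not part of the post above; the interface name GigabitEthernet0/1, the ACL entries and the 192.0.2.0/24 addresses are constructed for the example, and it shows the router ACL (ip access-group) case, not a Catalyst VACL.

```text
! ACL 100 is live on the interface. Build the replacement as 101 without
! touching 100, so the interface binding never points at a list that is
! half-edited.
configure terminal
 access-list 101 remark REPLACEMENT for ACL 100 (change ref: PLACEHOLDER)
 access-list 101 permit tcp any host 192.0.2.10 eq 443
 access-list 101 permit tcp any host 192.0.2.10 eq 22
 access-list 101 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 access-list 101 deny   ip any any log
end

! Review the new list next to the one it replaces before it carries traffic.
show access-lists 100
show access-lists 101

! Cut over: one line swaps the binding, so the interface is never left
! without a complete ACL.
configure terminal
 interface GigabitEthernet0/1
  ip access-group 101 in
end

! Confirm which list the interface is now using.
show ip interface GigabitEthernet0/1 | include access list

! Rollback, if the change misbehaves: re-bind the untouched last-known-good list.
configure terminal
 interface GigabitEthernet0/1
  ip access-group 100 in
end
```

The reason the number-swap matters for numbered ACLs is that IOS has no per-line edit for them: new `access-list 100 ...` lines are appended, and `no access-list 100` removes the entire list, so an in-place change means deleting and rebuilding the list while the interface still references it. Named ACLs (`ip access-list extended NAME`) allow sequenced per-line edits, but the build-review-swap pattern above gives the same clean cutover and rollback for either type.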
