[c-nsp] Modifying ACLs on production router

Gert Doering gert at greenie.muc.de
Sun Oct 5 12:24:12 EDT 2008


Hi,

On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> If the router doesn't complain about syntax
> problems, the script then removes the original ACL from any interfaces
> it is applied to and applies the test ACL.  Then the script deletes the
> original ACL and uploads the new ACL with the original name, and then it
> removes the test-xxxx ACL from the interface(s) and applies the original ACL.
> 
> This leaves two short windows when the interface has no ACL applied, but

I'm wondering if there is any deeper necessity for removing the old ACL
from the interface?  In the cases that I've changed ACLs on an interface,
I normally just configure the new ACL - and given that Cisco can only
have one IP ACL (per direction) on each interface, this automatically
and atomically removes the old ACL...

But you might have seen more pathological cases, where things fail in
interesting ways - which is why I'm curious.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
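As an added example, not part of Gert's or Ed's posts: a small Python pre-flight check that walks a planned set of IOS configuration lines and flags every step after which an interface direction is left without an effective ACL. It models the atomic replacement Gert describes (a new `ip access-group` simply replaces whatever was bound, one IP ACL per direction per interface) beside the remove-then-apply sequence quoted from Ed's script, and a naive delete-and-recreate for comparison. The interface name, ACL names and addresses are constructed; the rule that a binding to an ACL which no longer exists counts as "unprotected" is this example's assumption about classic IOS behaviour (an access-group referencing an undefined ACL passes all traffic), not something the thread states.

```python
"""Pre-flight check for an IOS ACL change plan (added example, not from the post).

Only a small slice of the IOS grammar is modelled: `interface`, `exit`/`end`,
`ip access-list standard|extended NAME`, `no ip access-list ...`, and
`[no] ip access-group [NAME] in|out`.  permit/deny/remark lines are ignored
because they never change which ACL an interface is bound to.
"""
import re

ACCESS_GROUP = re.compile(r"^(no\s+)?ip access-group(?:\s+(\S+))?\s+(in|out)$")
ACCESS_LIST = re.compile(r"^(no\s+)?ip access-list\s+(?:standard|extended)\s+(\S+)$")
INTERFACE = re.compile(r"^interface\s+(\S+)$")


def _protected(bindings, defined, key):
    """An interface/direction is protected only if it is bound to an ACL that exists.
    Assumption (classic IOS): a binding to an undefined ACL passes all traffic."""
    acl = bindings.get(key)
    return acl is not None and acl in defined


def simulate(plan, defined, bindings):
    """Apply planned config lines to a model of the router's ACL state.

    defined  - set of ACL names that exist before the change
    bindings - {(interface, direction): acl_name} before the change
    Returns (bindings, defined, gaps); gaps is a list of
    (step, interface, direction, line) for every step that turns a protected
    interface/direction into an unprotected one, i.e. each open window.
    """
    defined = set(defined)
    bindings = dict(bindings)
    gaps = []
    iface = None  # interface currently in config mode, if any
    for step, raw in enumerate(plan):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        before = {k for k in bindings if _protected(bindings, defined, k)}
        m_if, m_al, m_ag = INTERFACE.match(line), ACCESS_LIST.match(line), ACCESS_GROUP.match(line)
        if m_if:
            iface = m_if.group(1)
        elif line in ("exit", "end"):
            iface = None
        elif m_al:
            negated, name = m_al.groups()
            (defined.discard if negated else defined.add)(name)
            iface = None  # `ip access-list` enters ACL config mode, leaving interface mode
        elif m_ag:
            if iface is None:
                raise ValueError(f"step {step}: access-group outside interface mode: {line!r}")
            negated, name, direction = m_ag.groups()
            key = (iface, direction)
            if negated:
                # `no ip access-group [NAME] in` unbinds (a wrong NAME is a no-op)
                if name is None or bindings.get(key) == name:
                    bindings[key] = None
            else:
                # one ACL per direction: binding the new one replaces the old atomically
                bindings[key] = name
        after = {k for k in bindings if _protected(bindings, defined, k)}
        for key in sorted(before - after):
            gaps.append((step, key[0], key[1], line))
    return bindings, defined, gaps


# Constructed starting state: one ACL, bound inbound on one interface.
INITIAL_DEFINED = {"EDGE-IN"}
INITIAL_BINDINGS = {("GigabitEthernet0/0", "in"): "EDGE-IN"}

# Constructed plan following the two-window procedure quoted in the thread.
TWO_WINDOW_PLAN = [
    "ip access-list extended test-EDGE-IN",
    " permit tcp any host 192.0.2.10 eq 443",
    " deny ip any any",
    "interface GigabitEthernet0/0",
    " no ip access-group EDGE-IN in",       # window 1: nothing bound
    " ip access-group test-EDGE-IN in",
    "no ip access-list extended EDGE-IN",
    "ip access-list extended EDGE-IN",
    " permit tcp any host 192.0.2.10 eq 443",
    " deny ip any any",
    "interface GigabitEthernet0/0",
    " no ip access-group test-EDGE-IN in",  # window 2: nothing bound
    " ip access-group EDGE-IN in",
]

# Constructed plan following the atomic swap: define under a new name, bind it, drop the old one.
ATOMIC_PLAN = [
    "ip access-list extended EDGE-IN-v2",
    " permit tcp any host 192.0.2.10 eq 443",
    " deny ip any any",
    "interface GigabitEthernet0/0",
    " ip access-group EDGE-IN-v2 in",       # replaces EDGE-IN in a single step
    " exit",
    "no ip access-list extended EDGE-IN",   # no longer referenced anywhere
]

# Constructed naive plan: delete and recreate the bound ACL in place.
IN_PLACE_PLAN = [
    "no ip access-list extended EDGE-IN",   # bound ACL ceases to exist while still bound
    "ip access-list extended EDGE-IN",
    " permit tcp any host 192.0.2.10 eq 443",
    " deny ip any any",
]

if __name__ == "__main__":
    for label, plan in (("two-window", TWO_WINDOW_PLAN), ("atomic", ATOMIC_PLAN), ("in-place", IN_PLACE_PLAN)):
        _, _, gaps = simulate(plan, INITIAL_DEFINED, INITIAL_BINDINGS)
        print(f"{label}: {len(gaps)} unprotected window(s)")
        for step, iface, direction, line in gaps:
            print(f"  step {step}: {iface} {direction} opened by {line!r}")
```

Run against a change script before pushing it: the two-window plan reports both windows, the in-place plan reports the deletion step, and the atomic plan reports none, which is the point Gert makes about letting the new `ip access-group` displace the old binding.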