[c-nsp] Modifying ACLs on production router
Ed Ravin
eravin at panix.com
Sun Oct 5 14:38:26 EDT 2008
On Sun, Oct 05, 2008 at 06:24:12PM +0200, Gert Doering wrote:
> On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> > If the router doesn't complain about syntax
> > problems, the script then removes the original ACL from any interfaces
> > it is applied to and applies the test ACL. Then the script deletes the
> > original ACL and uploads the new ACL with the original name, and then it
> > removes the test-xxxx ACL from the interface(s) and applies the original ACL.
> >
> > This leaves two short windows when the interface has no ACL applied, but
>
> I'm wondering if there is any deeper necessity for removing the old ACL
> from the interface? In the cases that I've changed ACLs on an interface,
> I normally just configure the new ACL - and given that Cisco can only
> have one IP ACL (per direction) on each interface, this automatically
> and atomically removes the old ACL...
Hmmm. Has that always worked, even in IOS 11 and early 12.1
environments? I don't remember whether I tried that when I first
started developing aclmaker back in 2002.
-- Ed
More information about the cisco-nsp
mailing list