[c-nsp] Modifying ACLs on production router

Ed Ravin eravin at panix.com
Sun Oct 5 14:38:26 EDT 2008


On Sun, Oct 05, 2008 at 06:24:12PM +0200, Gert Doering wrote:
> On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> > If the router doesn't complain about syntax
> > problems, the script then removes the original ACL from any interfaces
> > it is applied to and applies the test ACL.  Then the script deletes the
> > original ACL and uploads the new ACL with the original name, and then it
> > removes the test-xxxx ACL from the interface(s) and applies the original ACL.
> > 
> > This leaves two short windows when the interface has no ACL applied, but
> 
> I'm wondering if there is any deeper necessity for removing the old ACL
> from the interface?  In the cases that I've changed ACLs on an interface,
> I normally just configure the new ACL - and given that Cisco can only
> have one IP ACL (per direction) on each interface, this automatically
> and atomically removes the old ACL...

Hmmm.  Has that always worked, even in IOS 11 and early 12.1
environments?  I don't remember whether I tried that when I first
started developing aclmaker back in 2002.

	-- Ed
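As an added illustration of the two procedures being compared above (not code from aclmaker or from either poster): the following constructed Python model tracks what is bound to an interface's inbound ACL slot after each command of Ed's remove-then-apply sequence and of Gert's apply-in-place sequence, and counts the steps at which the interface is left with no ACL at all. It assumes, as Gert states, that a second `ip access-group ... in` replaces the existing binding rather than stacking on it; that behaviour is modelled, not verified against any IOS release, and the interface and ACL names are made up.

```python
"""Toy model of an IOS interface's per-direction ACL binding.

Constructed example for the ACL-swap discussion: it counts how many
steps of each procedure leave the inbound direction unfiltered.  The
in-place replacement semantics of `ip access-group` are an assumption
taken from the thread, not a property checked on real hardware.
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    # direction -> bound ACL name (None means no ACL, i.e. unfiltered)
    acl: dict = field(default_factory=lambda: {"in": None, "out": None})

    def apply(self, cmd: str) -> None:
        """Apply one interface-level command to the model."""
        parts = cmd.split()
        if parts[:2] == ["ip", "access-group"]:
            # "ip access-group NAME DIR": bind NAME, replacing any existing binding
            self.acl[parts[3]] = parts[2]
        elif parts[:3] == ["no", "ip", "access-group"]:
            # "no ip access-group NAME DIR": unbind NAME if it is the one bound
            if self.acl[parts[4]] == parts[3]:
                self.acl[parts[4]] = None
        else:
            raise ValueError(f"unsupported command: {cmd}")


def swap_with_removal(orig: str, test: str) -> list[str]:
    """Ed's sequence: unbind the original, bind the test ACL, later swap back.
    (The original ACL is deleted and re-uploaded between steps 2 and 3.)"""
    return [
        f"no ip access-group {orig} in",
        f"ip access-group {test} in",
        f"no ip access-group {test} in",
        f"ip access-group {orig} in",
    ]


def swap_in_place(orig: str, test: str) -> list[str]:
    """Gert's sequence: bind the next ACL directly; the previous binding goes away."""
    return [
        f"ip access-group {test} in",
        f"ip access-group {orig} in",
    ]


def run(commands: list[str], initial: str = "101") -> list:
    """Return the inbound binding after each command, starting from `initial`."""
    iface = Interface("GigabitEthernet0/0")  # constructed name
    iface.acl["in"] = initial
    states = []
    for cmd in commands:
        iface.apply(cmd)
        states.append(iface.acl["in"])
    return states


def unfiltered_windows(commands: list[str], initial: str = "101") -> int:
    """Number of steps after which the inbound direction has no ACL bound."""
    return sum(1 for s in run(commands, initial) if s is None)


if __name__ == "__main__":
    for label, seq in (("remove-then-apply", swap_with_removal("101", "test-101")),
                       ("apply-in-place", swap_in_place("101", "test-101"))):
        print(f"{label}: states={run(seq)} unfiltered steps={unfiltered_windows(seq)}")
```

Both sequences end with the original ACL name bound again; the difference the model makes visible is that the remove-then-apply variant passes through two unfiltered states while the in-place variant never does, which is exactly the window Gert's approach avoids, provided the replacement really is atomic on the IOS in use.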
