[c-nsp] Modifying ACLs on production router
Lincoln Dale
ltd at cisco.com
Sun Oct 5 23:10:20 EDT 2008
Steve,
Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied to an interface will cause any traffic disruption?
>
it depends on the Cisco platform and the type of ACL (named/numbered).
generally speaking, for "named ACLs", you make changes to them as you
wish, and when you 'exit' out of the ACL submode for a named ACL, it
gets applied in one hit.
the differences in platforms may also cause differences here -
particularly if they are h/w based forwarding platforms.
for example, NX-OS on N7K by default does "atomic ACL commits", that is,
an ACL is applied atomically all at once. there is no 'in between' time
between the old ACL being in place & the new one being applied. not all
platforms can perform atomic ACLs.
some platforms also have a tunable knob for what the default behavior
should be while ACL programming is taking place. should it be 'permit'
or 'deny'? you decide.
some platforms also have the ability to do a 'dry run' or 'verify' that
an ACL is possible (h/w table space exists, TCAM resources exist etc.),
then 'commit' that ACL in one hit.
finally, if we were looking at what may constitute "best practice", i
think it's always advisable to NOT be applying an ACL on the same inband
interface that you may be using to manage the box. out-of-band or
side-band mgmt paths are advisable here. :)
so .. the short answer is "it depends". if you can be more specific on
the platform / router / switch model, a more specific answer can be
given. :)
> On a different note, does using lock-and-key ACL cause the packet to be sent to software instead of it being completely switched in hardware?
>
not sure what you mean by "lock and key". can you elaborate?
cheers,
lincoln.
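The atomic-commit and default-result knobs and the in-place named-ACL edit described in the reply above, shown as an added NX-OS (Nexus 7000) configuration example that is not part of the original message. The command names assume the N7K NX-OS syntax of that era and the ACL name and 192.0.2.0/24 address are constructed; check the command reference for your own platform and release before relying on them.

```cisco
! Assumed NX-OS (Nexus 7000) example; not taken from the original post.
! Keep atomic ACL programming on (the N7K default) so there is never a
! window in which neither the old nor the new ACL is in effect. The update
! needs TCAM space for both versions at once; if that space is missing the
! atomic update fails and the old ACL stays in place, which is the safe outcome.
hardware access-list update atomic
!
! Only if atomic updates are deliberately disabled to save TCAM does the
! "default result" knob matter: it decides whether traffic is permitted or
! denied while the ACL is being reprogrammed (the default is deny).
! no hardware access-list update atomic
! hardware access-list update default-result permit
!
! Edit the named ACL in place with sequence numbers instead of rewriting it.
! The edits take effect on the interface as one unit when you leave the submode.
ip access-list MGMT-IN
  ! insert a new entry between existing sequence numbers 10 and 20
  15 permit tcp 192.0.2.0/24 any eq 22
  ! remove an entry by its sequence number rather than retyping the ACE
  no 30
  exit
!
! Confirm what was actually programmed before and after the change.
show ip access-lists MGMT-IN
```

Per the reply's own advice, apply such an ACL from an out-of-band or side-band management path rather than through the inband interface the ACL governs, so a mistaken entry cannot lock you out.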