[c-nsp] Modifying ACLs on production router
Justin Shore
justin at justinshore.com
Sun Oct 5 23:42:31 EDT 2008
Grzegorz Janoszka wrote:
> Matlock, Kenneth L wrote:
>> So from then on, I've always removed the ACL from the interface,
>> removed the ACL, rebuilt it, and re-applied it to the interface. If
>> you have the lines copied into a clipboard, you can paste the stuff in
>> fairly quickly, and not really allow much 'bad' traffic in.
>
> The simplest thing is to prepare a file containing "no acl XXX" and then
> redefinition of the acl, put it on a tftp server and load it using:
> copy tftp://I.P.I.P/acl running-config
>
> You do not need any extra tricks to do it, like temporary acl's and so on.
I don't believe that this is instantaneous. This still has the problem
of blocking at least some traffic while the lines of config are loaded.
While this may not be perceived as a big problem for some networks and
some traffic patterns, this will kill TCP sessions when either end
receives a TCP reset. I suspect that it will also jack with SIP and
MGCP sessions when an ICMP port unreachable is sent in response to
rejected RTP datagrams. That wouldn't be good.
What's needed is to not reject any packets. The only ways I can see
that happening are to either switch ACLs or remove the ACL from the interface
before you add the first line to it. That is until Cisco adds a way to
let us make ACL changes and control when they are committed and
compiled. It seems like I read something about something added to the
later 12.4T code to make ACL updates easier. I'll have to dig out the
release notes to read up on it.
Justin
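An added example (not code from the thread) of the "switch ACLs" approach Justin prefers: build the new ACL under an alternate name first, then move the interface to it with a single ip access-group command, then delete the old one. The ACL names, interface and entries are constructed for illustration; the ordering matters because IOS treats an interface that references a nonexistent or half-built ACL very differently from one that references a complete ACL.

```python
"""Generate an IOS change set that swaps an interface's ACL instead of
rebuilding it in place, so live traffic never hits the implicit deny
of a half-loaded list.  Added example; names below are assumptions."""

import re
from typing import List

# Two alternating names: the ACL in use is never the one being rebuilt.
_NAME_PAIR = ("EDGE-IN-A", "EDGE-IN-B")


def next_name(current: str) -> str:
    """Return the alternate ACL name for the one currently applied."""
    if current not in _NAME_PAIR:
        raise ValueError(f"unknown ACL name: {current}")
    return _NAME_PAIR[1 - _NAME_PAIR.index(current)]


def build_swap(current: str, interface: str, direction: str,
               entries: List[str]) -> List[str]:
    """Return config lines that (1) define the alternate ACL in full,
    (2) re-point the interface at it in one command, (3) delete the old
    ACL only after nothing references it."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if not entries:
        # An empty named ACL applied to an interface has no effect on
        # some platforms and denies everything on others; refuse it.
        raise ValueError("refusing to build an empty ACL")
    for ace in entries:
        if not re.match(r"^(permit|deny|remark)\b", ace):
            raise ValueError(f"unexpected ACE syntax: {ace!r}")
    new = next_name(current)
    lines = [
        # Clear any stale copy: 'ip access-list' on an existing name
        # appends entries rather than replacing them.
        f"no ip access-list extended {new}",
        f"ip access-list extended {new}",
    ]
    lines += [f" {ace}" for ace in entries]
    lines += [
        f"interface {interface}",
        f" ip access-group {new} {direction}",  # the one atomic change
        f"no ip access-list extended {current}",  # old list now unused
    ]
    return lines
```

The output is meant to be pasted or loaded as one block; the only step that touches the forwarding path is the single ip access-group line, and at that point the new list is already complete.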