[c-nsp] Modifying ACLs on production router

Gert Doering gert at greenie.muc.de
Mon Oct 6 02:37:03 EDT 2008


Hi,

On Sun, Oct 05, 2008 at 02:38:26PM -0400, Ed Ravin wrote:
> > I'm wondering if there is any deeper necessity for removing the old ACL
> > from the interface?  In the cases that I've changed ACLs on an interface,
> > I normally just configure the new ACL - and given that Cisco can only
> > have one IP ACL (per direction) on each interface, this automatically
> > and atomically removes the old ACL...
> 
> Hmmm.  Has that always worked, even in IOS 11 and early 12.1
> environments?  I don't remember whether I tried that when I first
> started developing aclmaker back in 2002.

This is why I was asking :-)

Everywhere I can *remember* having changed ACLs "on the fly" (replace old 
ACL with new ACL in the interface config), it worked without nasty side 
effects.

OTOH, our use of ACLs on IOS 11 was quite limited, so I really can't say.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de