[c-nsp] Modifying ACLs on production router
Grzegorz Janoszka
Grzegorz at Janoszka.pl
Mon Oct 6 03:28:16 EDT 2008
Justin Shore wrote:
>> The simplest thing is to prepare a file containing "no acl XXX" and
>> then a redefinition of the acl, put it on a tftp server and load it using:
>> copy tftp://I.P.I.P/acl running-config
>>
>> You do not need any extra tricks to do it, like temporary acl's and so
>> on.
>
> I don't believe that this is instantaneous. This still has the problem
> of blocking at least some traffic while the lines of config are loaded.
> While this may not be perceived as a big problem for some networks and
> some traffic patterns, this will kill TCP sessions when either end
> receives a TCP reset. I suspect that it will also jack with SIP and
> MGCP sessions when an ICMP port unreachable is sent in response to
> rejected RTP datagrams. That wouldn't be good.
So, configure the port not to send any icmp, nor tcp rst packets, and you
will not lose any connection.
--
Grzegorz Janoszka
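As an added illustration (not from either poster), this is what the TFTP-loaded file described above could look like for a hypothetical extended ACL named EDGE-IN, with the interface setting that suppresses ICMP unreachables; the ACL name, addresses, interface and TFTP server are placeholders.

```cisco
! Constructed example of the file "acl" placed on the TFTP server.
! It is applied to running-config line by line, so between the "no"
! line and the first entry the ACL is missing or empty. An interface
! whose "ip access-group" references a missing or empty ACL passes all
! traffic during that window, so the short-lived effect is fail-open,
! not a block.
no ip access-list extended EDGE-IN
ip access-list extended EDGE-IN
 remark placeholder rules, replace with the real policy
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
! Stop the router sending ICMP unreachables for packets the ACL denies,
! which is what the reply above suggests. Note this disables unreachables
! for every drop on the interface, not only ACL drops.
interface GigabitEthernet0/1
 no ip unreachables
 ip access-group EDGE-IN in
!
! Then, from the router's privileged prompt (placeholder TFTP address):
!   copy tftp://192.0.2.1/acl running-config
```

Check the result with "show ip access-lists EDGE-IN" afterwards to confirm the entries loaded in the intended order.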