[f-nsp] Fwd: FastIron ACL sequencing

Scott T. Cameron routehero at gmail.com
Mon Sep 12 12:02:38 EDT 2011


I'm not following you when you say "implicit deny".  If you remove the
actual line where you apply the ACL to an interface, it will permit all
traffic.  Then you can go make changes to the ACL and re-apply.

In the worst case, you might have unintentional traffic pass for a couple of
seconds.

If you really want to have the least window possible, use a different ACL ID
and switch.

Scott

---------- Forwarded message ----------
From: Randy McAnally <rsm at fast-serv.com>
Date: Mon, Sep 12, 2011 at 11:58 AM
Subject: Re: [f-nsp] FastIron ACL sequencing
To: "Scott T. Cameron" <routehero at gmail.com>, foundry-nsp at puck.nether.net


I already do this.  But with implicit deny there is a brief interruption of
traffic.  Is there a way to avoid this?

~Randy

On Mon, 12 Sep 2011 11:45:59 -0400, Scott T. Cameron wrote:
> Remove the ACL, make your changes, re-apply the ACL.
>
> On Mon, Sep 12, 2011 at 11:42 AM, Randy McAnally <rsm at fast-serv.com> wrote:
>
> > Looks like my FESX doesn't support ACL sequencing (like a stone-age Cisco)
> > so I'm open for ideas on how to accomplish basic adds to a deny list and
> > moving 'allow ip any any' to the end without interrupting traffic.
> >
> > ~Randy
> >
> > _______________________________________________
> > foundry-nsp mailing list
> > foundry-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/foundry-nsp
> >
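The procedure the thread converges on (build the edited list under a new ACL ID, keep the trailing 'permit ip any any' last, then swap the interface binding so the window of implicit deny or permit-all is as short as possible) is easy to get wrong by hand when the list grows. The script below is an added example, not code from either poster: it rebuilds a numbered FastIron ACL from its current lines plus new deny entries, under a fresh ID, and emits the interface swap. The sample ACL is constructed. The `access-list <id> ...` and `ip access-group <id> in` syntax is assumed from FastIron's numbered extended ACL convention and should be checked against the release in use; whether a FESX lets the old and new ACL coexist on an interface for an instant, or requires the `no` first as shown, is platform behaviour the thread does not settle.

```python
"""Rebuild a FastIron numbered ACL under a new ID and emit the interface swap.

Added example (not from the mailing-list posters). Assumptions: the numbered
extended ACL syntax 'access-list <id> <entry>' and the interface binding
'ip access-group <id> in' follow the FastIron CLI convention; verify against
the configuration guide for the release actually running on the switch.
"""
import re
from typing import List, Tuple

# Constructed sample of the ACL currently bound to the interface.
CURRENT_ACL = """\
access-list 101 deny ip host 203.0.113.7 any
access-list 101 deny ip 198.51.100.0 0.0.0.255 any
access-list 101 permit ip any any
"""

ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(.*\S)\s*$")


def parse_acl(text: str) -> Tuple[int, List[str]]:
    """Return (acl_id, entries) from 'access-list <id> <entry>' lines.

    Blank lines and '!' comment lines are skipped; mixed IDs are rejected so
    a paste of two lists cannot be silently merged.
    """
    acl_id = None
    entries: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_LINE.match(line)
        if not m:
            raise ValueError(f"not an access-list line: {line!r}")
        this_id = int(m.group(1))
        if acl_id is None:
            acl_id = this_id
        elif this_id != acl_id:
            raise ValueError(f"mixed ACL IDs: {acl_id} and {this_id}")
        entries.append(m.group(2))
    if acl_id is None:
        raise ValueError("no access-list lines found")
    return acl_id, entries


def is_catch_all_permit(entry: str) -> bool:
    """True for the trailing 'permit ip any any' entry."""
    return entry.split() == ["permit", "ip", "any", "any"]


def build_replacement(text: str, new_denies: List[str], new_id: int) -> List[str]:
    """Rebuild the ACL under new_id.

    Order: existing non-catch-all entries, then new deny entries (duplicates
    dropped), then exactly one 'permit ip any any' at the end. A new_id equal
    to the bound ID is rejected: the whole point is to swap, not edit in place.
    """
    old_id, entries = parse_acl(text)
    if new_id == old_id:
        raise ValueError("new ACL ID must differ from the currently bound ID")
    body = [e for e in entries if not is_catch_all_permit(e)]
    for d in new_denies:
        d = d.strip()
        if not d.startswith("deny "):
            raise ValueError(f"expected a deny entry, got {d!r}")
        if d not in body:
            body.append(d)
    body.append("permit ip any any")
    return [f"access-list {new_id} {e}" for e in body]


def check_invariants(lines: List[str]) -> bool:
    """Exactly one catch-all permit, and it is the last line."""
    entries = [parse_acl(l)[1][0] for l in lines]
    permits = [i for i, e in enumerate(entries) if is_catch_all_permit(e)]
    return permits == [len(entries) - 1]


def swap_commands(interface: str, old_id: int, new_id: int) -> List[str]:
    """Interface commands that move the binding from old_id to new_id.

    Assumed FastIron syntax; the 'no' before the new binding is shown because
    the thread does not establish that two ACLs may be bound at once.
    """
    return [
        f"interface {interface}",
        f" no ip access-group {old_id} in",
        f" ip access-group {new_id} in",
    ]


if __name__ == "__main__":
    old_id, _ = parse_acl(CURRENT_ACL)
    new = build_replacement(CURRENT_ACL, ["deny ip host 192.0.2.9 any"], 102)
    assert check_invariants(new)
    print("\n".join(new + swap_commands("ethernet 1/1", old_id, 102)))
```

Paste the printed `access-list 102 ...` lines first, confirm the new list is complete with `show access-list 102` (or the equivalent on the running release), and only then apply the interface block; the ordering check in `check_invariants` is what catches an edit that would leave the catch-all permit above a newly added deny.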