[f-nsp] Fwd: FastIron ACL sequencing

Randy McAnally rsm at fast-serv.com
Mon Sep 12 12:16:55 EDT 2011


When rebuilding the ACL, especially long ones, it can take a few seconds before the final 'permit ip any any' entry makes it across to allow traffic.  By default a FastIron ACL will deny all unmatched traffic.

With regards to switching between ACLs, I guess letting bad traffic past for a brief moment is better than denying all traffic during that time.  I was just hoping there was a better way.  Oh well.

~Randy

On Mon, 12 Sep 2011 12:02:38 -0400, Scott T. Cameron wrote
> I'm not following you when you say "implicit deny".  If you remove the actual line where you apply the ACL to an interface, it will permit all traffic.  Then you can go make changes to the ACL and re-apply.
> 
> In the worst case, you might have unintentional traffic pass for a couple of seconds.
> 
> If you really want to have the least window possible, use a different ACL ID and switch.
> 
> Scott
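As an added illustration of the "different ACL ID and switch" approach Scott describes (this is not part of either message and is not vendor documentation), the following FastIron CLI fragment assumes a hypothetical extended ACL 101 is already bound inbound on ethernet 1/1. The ACL numbers, the interface, the addresses and the specific deny lines are placeholders, and the syntax is the numbered-extended-ACL form as the editor recalls it; lines beginning with '!' are annotations, not commands.

```text
! Assumed starting point: ACL 101 is applied as 'ip access-group 101 in' on ethernet 1/1.
! Rebuilding 101 in place ('no access-list 101', then re-entering each line) leaves the
! bound list incomplete until the closing 'permit ip any any' is entered; with the
! implicit deny, unmatched traffic is dropped during that time.

! Step 1: build the replacement under a new ID. Nothing is bound to 102 yet, so the
! order and timing of these lines have no effect on live traffic.
access-list 102 deny tcp any host 192.0.2.10 eq 22
access-list 102 deny udp any any eq 161
access-list 102 permit ip any any

! Step 2: swap the binding. Only the unbind/bind pair is exposed to traffic, and during
! that gap the interface has no ACL, so everything is permitted rather than denied.
interface ethernet 1/1
 no ip access-group 101 in
 ip access-group 102 in
 exit

! Step 3: once 102 is confirmed in the data path, discard the old list.
no access-list 101
```

The trade-off is the one both messages name: the in-place rebuild fails closed for however long the list takes to re-populate, while the ID swap fails open for the short interval between the two access-group commands. Keeping the full list built before it is bound is what shrinks that interval to the swap itself.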
