On Sun, Oct 05, 2008 at 04:03:55AM -0700, Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied
> to an interface will cause any traffic disruption?
Depends on how you do it and what you call "traffic disruption".

If you append to the ACL while it is still applied to an interface, then that might not disrupt anything. If you delete the ACL and then begin adding statements back in one by one while it is still applied to the interface, then you may have periods of too much or too little traffic being passed across the interface until the ACL is complete. If the ACL affects the interface that you're managing the router from, you might find yourself locked out of the router when the partial ACL blocks more traffic than you want.

My "aclmaker" script, which lets you manage Cisco ACLs by editing local files on a Unix system, automatically updates ACLs for you with the minimum disruption. Requires Unix/Linux, Perl, and a couple of Perl modules:

http://www.panix.com/~eravin/aclmaker-1.04rc1

aclmaker updates an ACL by first uploading the new ACL into the router with a "test-xxxx" name. If the router doesn't complain about syntax problems, the script then removes the original ACL from any interfaces it is applied to and applies the test ACL. Then the script deletes the original ACL and uploads the new ACL with the original name, and then it removes the test-xxxx ACL from the interface(s) and applies the original ACL.

This leaves two short windows when the interface has no ACL applied, but since the script is doing all the work automatically those windows are as brief as possible.

-- Ed

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
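The test-xxxx swap that Ed describes, worked through as an added example. This is not aclmaker's code (aclmaker is a Perl script; this is a stand-alone Python illustration) and it does not talk to a router: it only generates the IOS configuration command sequence in the order the post gives, and adds two checks a practitioner would want before pushing it, a local sanity check on the new entries (the router's own parser remains the real syntax check) and a warning when one of the rebound interfaces is the one the router is managed through. The ACL name, entries and interface binding in the usage call are constructed sample data; the cleanup of the test-xxxx ACL at the end is an assumption, since the post does not say what happens to it.

```python
"""Generate the IOS command sequence for a minimum-disruption ACL replacement.

Order follows the post: stage the new ACL as test-<name>, move the interface
bindings onto it, delete and re-upload the real ACL, move the bindings back.
Illustrative code only; not aclmaker, and nothing here is sent to a router.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Binding:
    """One place an ACL is applied: an interface name plus 'in' or 'out'."""
    interface: str
    direction: str


def check_acl_lines(lines: Sequence[str]) -> None:
    """Local pre-flight check. Refuses an empty ACL (it would block everything
    once applied) and lines that are not permit/deny/remark entries. The
    router still does the authoritative syntax check when test-<name> is
    uploaded; if it rejects a line, the swap must stop before step 2."""
    if not lines:
        raise ValueError("refusing to install an empty ACL")
    for line in lines:
        first = line.split(None, 1)[0] if line.strip() else ""
        if first not in ("permit", "deny", "remark"):
            raise ValueError(f"not an ACL entry: {line!r}")


def rebind(bindings: Sequence[Binding], old: str, new: str) -> List[str]:
    """Commands that replace ACL `old` with ACL `new` on every binding.
    Each explicit 'no ip access-group' opens a short unfiltered window,
    which is what the post warns about."""
    cmds: List[str] = []
    for b in bindings:
        cmds.append(f"interface {b.interface}")
        cmds.append(f" no ip access-group {old} {b.direction}")
        cmds.append(f" ip access-group {new} {b.direction}")
    return cmds


def acl_swap_commands(name: str, new_lines: Sequence[str],
                      bindings: Sequence[Binding],
                      test_prefix: str = "test-") -> List[str]:
    """Full swap sequence for an extended named ACL, in the post's order."""
    check_acl_lines(new_lines)
    test = f"{test_prefix}{name}"
    cmds: List[str] = []
    # 1. upload the new ACL under the test name (router syntax check happens here)
    cmds.append(f"ip access-list extended {test}")
    cmds.extend(f" {l}" for l in new_lines)
    # 2. move the interfaces from the original ACL onto the test ACL (window 1)
    cmds.extend(rebind(bindings, name, test))
    # 3. delete the original ACL and re-upload the new contents under its name
    cmds.append(f"no ip access-list extended {name}")
    cmds.append(f"ip access-list extended {name}")
    cmds.extend(f" {l}" for l in new_lines)
    # 4. move the interfaces from the test ACL back to the original name (window 2)
    cmds.extend(rebind(bindings, test, name))
    # 5. drop the test ACL (assumed cleanup; the post does not describe this step)
    cmds.append(f"no ip access-list extended {test}")
    return cmds


def unfiltered_windows(cmds: Sequence[str]) -> int:
    """Number of moments in the sequence at which some interface direction
    has no ACL applied: one per explicit 'no ip access-group'."""
    return sum(1 for c in cmds if c.strip().startswith("no ip access-group"))


def management_bindings(bindings: Sequence[Binding],
                        mgmt_interface: str) -> List[Binding]:
    """Bindings on the interface the router is managed through. Any hit
    means a bad or partial ACL can lock the operator out mid-swap."""
    return [b for b in bindings if b.interface == mgmt_interface]


if __name__ == "__main__":
    # constructed sample: one ACL applied inbound on one interface
    acl = ["remark edge ingress", "permit tcp any any eq 22", "deny ip any any"]
    binds = [Binding("GigabitEthernet0/1", "in")]
    for at_risk in management_bindings(binds, "GigabitEthernet0/1"):
        print(f"! WARNING: swap touches management interface {at_risk.interface}")
    print("\n".join(acl_swap_commands("EDGE-IN", acl, binds)))
    print(f"! unfiltered windows: {unfiltered_windows(acl_swap_commands('EDGE-IN', acl, binds))}")
```

Run it to see the command sequence for the sample binding; with one binding the count comes out at two, matching the "two short windows" in the post. The explicit `no ip access-group` before each re-apply is kept to mirror the described procedure; a rollout tool would push the whole list in one session so that each window is as brief as possible, and would abort after step 1 if the router rejected any entry of the test ACL.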