There is a simple trick to allow updates of ACLs in what I believe is
a safe way. It relies on using TWO ACLs:
1) starting with:
     interface serial 0
     ip access-group 100 in
2) download by telnet or TFTP (BTW, support of SSH is coming real soon now):
     no access-list 101
     access-list 101 permit ip ....
     ....
     access-list 101 permit ip ...
3) change the ACL applied to the interface:
     interface serial 0
     ip access-group 101 in
AFAIK (and even if I'm working for Cisco, I'm speaking only for me), there
is no exposure in this case.
Just my 0.01 EUR
-eric
At 23:05 02/07/1999 -0400, Chris Brenton wrote:
>[EMAIL PROTECTED] wrote:
>>
>> I don't agree with you. I have evidence (already posted) that none of the
>> changes in a tftp-transferred take effect until they all take effect.
>
>Hummm, so something in the router goes "poof" and the old access list is
>removed and all new access list commands are enabled in exactly the same
>microsecond??? ;)
>
>My point is that even with TFTP the commands have to be parsed and then
>processed in order. This is where the delay comes in. Again, compare the
>delay to a Telnet session "paste" and the difference is negligible.
>
>> If the config update is not simultaneous, as soon as the router activates the
>> second command the tftp session will die.
>
>No, the file is downloaded in its entirety, then parsed, then processed
>in order. TFTP will not die because rules are applied _after_ the router
>has the full file. It has nothing to do with some Cisco magick which
>allows all the old rules to be removed and all new rules to be enabled
>in a single clock cycle.
>
>Cheers,
>Chris
>--
>**************************************
>[EMAIL PROTECTED]
>
>* Multiprotocol Network Design & Troubleshooting
>http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
>* Mastering Network Security
>http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
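A small model of the two-ACL swap from the post, as an added example that is not code from the original message. It assumes classic IOS semantics (each config line takes effect as it is parsed, and an "ip access-group" that names an ACL with no entries permits all traffic); ACL numbers, addresses and the probe source are constructed sample values.

```python
"""Model how an inbound interface ACL behaves while it is being replaced.

Assumed IOS semantics: config lines take effect in order as parsed, and an
"ip access-group" bound to an ACL that has no entries permits everything.
Only the source address of extended entries is matched; destination is "any".
"""
import ipaddress


def _src_match(tokens):
    """Return (address, wildcard) ints for 'A.B.C.D W.X.Y.Z' or 'any'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))


class Router:
    def __init__(self, applied):
        self.acls = {}          # ACL number -> [(action, address, wildcard)]
        self.applied = applied  # ACL number bound to "serial 0" inbound

    def apply_line(self, line):
        p = line.split()
        if p[:2] == ["no", "access-list"]:
            self.acls.pop(int(p[2]), None)
        elif p[0] == "access-list":   # access-list N permit|deny ip SRC [WILD] any
            self.acls.setdefault(int(p[1]), []).append((p[2],) + _src_match(p[4:]))
        elif p[:2] == ["ip", "access-group"]:
            self.applied = int(p[2])
        # other lines ("interface serial 0") change nothing in this model

    def permits(self, src):
        rules = self.acls.get(self.applied)
        if not rules:                 # ACL absent or empty: IOS lets everything in
            return True
        s = int(ipaddress.IPv4Address(src))
        for action, addr, wild in rules:
            if (s | wild) == (addr | wild):
                return action == "permit"
        return False                  # implicit deny at the end of every ACL


def start_router():
    """Constructed starting state: ACL 100 permits 10/8 and is bound inbound."""
    r = Router(applied=100)
    r.apply_line("access-list 100 permit ip 10.0.0.0 0.255.255.255 any")
    return r


def exposed_steps(router, lines, probe_src):
    """Indices of config lines after which probe_src would be let in."""
    hits = []
    for i, line in enumerate(lines):
        router.apply_line(line)
        if router.permits(probe_src):
            hits.append(i)
    return hits


IN_PLACE = ["no access-list 100",              # rewriting the bound ACL in place
            "access-list 100 permit ip 10.0.0.0 0.255.255.255 any"]
TWO_ACL = ["no access-list 101",               # the post's method: build 101, then re-point
           "access-list 101 permit ip 10.0.0.0 0.255.255.255 any",
           "interface serial 0",
           "ip access-group 101 in"]
```

Running `exposed_steps(start_router(), IN_PLACE, "192.0.2.1")` reports the step where the interface is briefly wide open, while the two-ACL sequence reports none for the same outside source.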