Modifying ACLs on the CSS 11500 - need assistance

Discussion started by keithdew, Jun 5, 2007.

  1. keithdew (Guest)

    I have a need to modify an existing ACL on our CSS11500. We don't
    usually have to make modifications to the ACLs, but when it's time
    there always seem to be questions on the proper method to apply the
    change. I looked on the Cisco web site for documentation on CSS ACLs
    but only found the chapter that spoke to "ACL Configuration Mode
    Commands". This was OK but didn't seem to lend additional insight.
    So, I wanted to clarify some things about CSS ACLs.

    For example, I need to insert a new clause into an already existing and
    applied ACL. What is the Cisco recommended method of applying this
    modification? My big concern has always been applying the clause
    without any network interruptions (this is very important). I was
    wondering what are the suggested steps that offer me a (possible) non-
    interruptive modification (I still perform the change during off hours
    regardless). It appears when you are adding a clause (according to the
    Cisco doc, the CSS inserts clauses in the right sequence) I may be OK
    without network interruptions. From the documentation it appears you
    go into ACL mode, add the clause, and then reapply the circuit... does
    this sound right?

    Any suggestions would be appreciated.
    keithdew, Jun 5, 2007
  2. If you are changing more than one line, then create a new
    ACL with the new contents, and then once all the entries are in,
    apply the new ACL with an access-group command. That will put all
    of the changed version in simultaneously.

    When you are changing ACLs, there is the danger of temporary
    inconsistency or temporary over-blocking or under-blocking if
    you make the changes one line at a time, because when you do that
    the changes take effect immediately, before you have time to put
    in any compensatory fix-ups. Changing from the bottom up can help
    that, but just working with a complete new access list is more
    certain. And if you have set to 'reboot in 2 minutes' (or whatever)
    then if you write the configuration just before changing the
    access-group, it will still be there ready to be fixed up after
    the access-list change accidentally locks you out :-;

    I've never used the CSS, so I don't know what its ACL editing is
    like. In IOS in general, you need to use a different kind of access-list
    in order to be able to do in-line edits (though they may have
    improved in more recent IOS releases.)
    Walter Roberson, Jun 6, 2007
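The transient over-blocking and under-blocking Walter describes, shown with an added simulation that is not code from either poster: a constructed first-match ACL model in Python, with constructed old and new lists and sample flows, comparing a line-by-line rebuild of the live list against swapping in a complete replacement. It assumes IOS's behaviour that an access-group pointing at a list which no longer exists passes all traffic.

```python
from ipaddress import ip_address, ip_network

# Constructed first-match ACL model, not CSS or IOS syntax: a clause is
# (action, source network, destination port or None for any port). A list that
# exists ends in an implicit deny; None stands for an access-group that points
# at a list which has been deleted, which IOS treats as "permit everything".
def evaluate(acl, src, dport):
    """Return the verdict of the first matching clause for one flow."""
    if acl is None:
        return "permit"
    for action, net, port in acl:
        if ip_address(src) in ip_network(net) and port in (None, dport):
            return action
    return "deny"

# Constructed flows the operator must keep working or must stop: (src, port, label).
FLOWS = [("10.1.1.5", 22, "admin ssh from jump host"),
         ("10.7.0.9", 22, "ssh from rest of campus"),
         ("203.0.113.55", 443, "customer https"),
         ("203.0.113.55", 22, "customer ssh")]

OLD = [("permit", "0.0.0.0/0", 443), ("permit", "10.0.0.0/8", 22)]
NEW = [("permit", "0.0.0.0/0", 443), ("permit", "10.1.1.5/32", 22)]  # ssh from jump host only

def transient_problems(states):
    """Flag, per intermediate state, verdicts that neither OLD nor NEW would ever give."""
    problems = []
    for step, acl in enumerate(states):
        for src, dport, label in FLOWS:
            got = evaluate(acl, src, dport)
            if got not in (evaluate(OLD, src, dport), evaluate(NEW, src, dport)):
                kind = "over-blocking" if got == "deny" else "under-blocking"
                problems.append((step, label, kind))
    return problems

def rebuild_in_place():
    """Numbered-ACL style edit: delete the list, then re-enter NEW one line at a time."""
    states = [None]                                   # list gone, interface passes everything
    for clause in NEW:
        states.append((states[-1] or []) + [clause])  # each line is live as soon as typed
    return states

def swap_complete_list():
    """Walter's method: build NEW under a new name, then re-point the access-group once."""
    return [OLD, NEW]                                 # no state other than old or new exists

if __name__ == "__main__":
    for name, fn in (("rebuild in place", rebuild_in_place), ("swap complete list", swap_complete_list)):
        print(f"{name}: {transient_problems(fn()) or 'no transient over- or under-blocking'}")
```

The rebuild first lets customer ssh through (list absent) and then locks out the admin (only the https line exists yet); the swap never produces a verdict the old or new policy would not give.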
