From: Marvin Greenlee (marvin@ipexpert.com)
Date: Tue Mar 20 2007 - 17:19:49 ART
Did you try looking at the command reference for the switch?
"...
access-list hardware program nonblocking
Use the access-list hardware program nonblocking global configuration
command to cause the system to continue to forward frames even while a new
security access-control list (ACL) configuration is being programmed into
the hardware. Use the no form of this command to return to the default
behavior, where traffic is blocked on affected interfaces when changes are
made to the security ACL configuration while the hardware is updated with
the new configuration.

access-list hardware program nonblocking
no access-list hardware program nonblocking

mls aclmerge delay
Use the mls aclmerge delay global configuration command to adjust the time
required for access control list (ACL) configuration to be stable before the
system performs ACL merges and ternary content addressable memory (TCAM)
updates. Use the no form of this command to return to the default setting.
Because ACL merges take a significant amount of time, if the configuration
of security ACLs on the system is changing rapidly, the software postpones
ACL merges and TCAM updates until the configuration is no longer changing.
By default, if a new security ACL-related configuration change is made
within 3000 milliseconds of a previous change, the merge is postponed.
ACL-related configuration changes include applying ACLs to interfaces or
making changes to ACLs or VLAN maps that are already applied to interfaces.
All postponed merges and TCAM updates are performed by a background process
after the configuration has been stable for 3000 milliseconds. A
configuration is stable if no changes are being made that affect information
stored in the TCAM.
Entering the mls aclmerge delay command allows the merge delay to be
adjusted to less than 3 seconds. Setting the delay to 0 causes all merges to
be performed immediately as the configuration is changed.
New settings affect all ACL configuration changes made after the command is
entered. If the configuration is saved to the startup configuration file,
when the switch boots up, the merge settings do not take effect until after
the complete saved configuration file is read. This allows initial
configuration to proceed efficiently.
..."
Cisco - IOS command reference - 3550
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/cr/cli1.htm#wp2112883
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Filyurin, Yan
Sent: Tuesday, March 20, 2007 11:48 AM
To: ccielab@groupstudy.com
Subject: Question on access list maintenance
I ran into a task in one of the vendor workbooks and could not find a
solution anywhere on the DocCD. Is it true that when changes are made
on switch port ACLs, traffic would be blocked while the list is
modified, and is there any way to prevent it?
Thank you.
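
The merge postponement described in the quoted command reference, modeled as an added example (not part of the original thread and not Cisco's code). It assumes a change that arrives outside the delay window is merged immediately and that the merge itself takes no time; the function name and the sample timestamps are constructed for illustration.

```python
# Added illustration of the "mls aclmerge delay" behaviour quoted above.
# Assumptions (not from Cisco): a change outside the delay window merges at
# once, and the merge/TCAM update itself is treated as instantaneous.

def merge_schedule(change_times_ms, delay_ms=3000):
    """Return (merge_times_ms, worst_lag_ms) for sorted ACL change times.

    worst_lag_ms is the longest time any change waited before the hardware
    was updated, i.e. how long the old ACL stayed in force.
    """
    merges, lags = [], []
    pending = []          # changes waiting for the background merge
    last = None           # time of the most recent change
    for t in change_times_ms:
        # Background process: runs once the config was stable for delay_ms.
        if pending and t - last >= delay_ms:
            fire = last + delay_ms
            merges.append(fire)
            lags.extend(fire - p for p in pending)
            pending = []
        if last is not None and t - last < delay_ms:
            pending.append(t)          # within the window: merge postponed
        else:
            merges.append(t)           # stable config: merge right away
            lags.append(0)
        last = t
    if pending:                        # final postponed merge after the burst
        fire = last + delay_ms
        merges.append(fire)
        lags.extend(fire - p for p in pending)
    return merges, max(lags) if lags else 0


if __name__ == "__main__":
    burst = [0, 1000, 2500, 9000]      # constructed change times in ms
    for delay in (3000, 0):
        merges, lag = merge_schedule(burst, delay)
        print(f"delay={delay} ms merges={merges} worst lag={lag} ms")
```

With the default 3000 ms delay, a change made in the middle of a burst can sit unenforced for longer than the delay itself; with a delay of 0 every change reaches the hardware as it is entered.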