From: Filyurin, Yan (yan.filyurin@eds.com)
Date: Tue Mar 20 2007 - 16:25:14 ART
Yes and the worst part, I saw that part many times and completely missed
it. This is definitely going into my notes.
-----Original Message-----
From: Marvin Greenlee [mailto:marvin@ipexpert.com]
Sent: Tuesday, March 20, 2007 3:20 PM
To: Filyurin, Yan; ccielab@groupstudy.com
Subject: RE: Question on access list maintenance
Did you try looking at the command reference for the switch?
"...
access-list hardware program nonblocking
Use the access-list hardware program nonblocking global configuration command to cause the system to continue to forward frames even while a new security access-control list (ACL) configuration is being programmed into the hardware. Use the no form of this command to return to the default behavior, where traffic is blocked on affected interfaces when changes are made to the security ACL configuration while the hardware is updated with the new configuration.
access-list hardware program nonblocking
no access-list hardware program nonblocking
mls aclmerge delay
Use the mls aclmerge delay global configuration command to adjust the time required for access control list (ACL) configuration to be stable before the system performs ACL merges and ternary content addressable memory (TCAM) updates. Use the no form of this command to return to the default setting.
Because ACL merges take a significant amount of time, if the configuration of security ACLs on the system is changing rapidly, the software postpones ACL merges and TCAM updates until the configuration is no longer changing. By default, if a new security ACL-related configuration change is made within 3000 milliseconds of a previous change, the merge is postponed. ACL-related configuration changes include applying ACLs to interfaces or making changes to ACLs or VLAN maps that are already applied to interfaces.
All postponed merges and TCAM updates are performed by a background process after the configuration has been stable for 3000 milliseconds. A configuration is stable if no changes are being made that affect information stored in the TCAM.
Entering the mls aclmerge delay command allows the merge delay to be adjusted to less than 3 seconds. Setting the delay to 0 causes all merges to be performed immediately as the configuration is changed.
New settings affect all ACL configuration changes made after the command is entered. If the configuration is saved to the startup configuration file, when the switch boots up, the merge settings do not take effect until after the complete saved configuration file is read. This allows initial configuration to proceed efficiently.
..."
Cisco - IOS command reference - 3550
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/cr/cli1.htm#wp2112883
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
marvin@ipexpert.com
http://www.IPexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Filyurin, Yan
Sent: Tuesday, March 20, 2007 11:48 AM
To: ccielab@groupstudy.com
Subject: Question on access list maintenance
I ran into a task in one of the vendor workbooks and could not find a solution anywhere on the DocCD. Is it true that when changes are made on switch port ACLs, traffic would be blocked while the list is modified, and is there any way to prevent it?
Thank you.
This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:52 ART