Educause Security Discussion mailing list archives

Re: Network Access Control Changes - Firewall and ACL policy changes


From: David LaPorte <david_laporte () HARVARD EDU>
Date: Mon, 4 Jun 2007 12:39:00 -0700

You should be able to get around this issue on the FWSM with the
"access-list mode manual" and "access-list commit".  This link has a bit
more info (requires a CCO login):

http://www.cisco.com/en/US/customer/docs/security/fwsm/fwsm22/configuration/guide/mngacl.html#wp1227762

Dave

Luke Sheppard wrote:
I have found that the Cisco FWSM needs a manual shutdown/no-shut of the interface if making acl changes via the 
command-line IOS. But if you use the web browser GUI you can add interstitial acl changes on-the-fly with no down 
time. This is very convenient for quick one-off changes, but irritating if you are used to scripting everything.

I have also heard, anecdotally, that the Junipers can have problems (brain dead) if the acls get too big. Sorry, I 
have no actual metrics for this.

Luke
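As an added illustration of the FWSM workflow Dave points to (not part of the thread): staging several ACL edits in manual mode and pushing them with a single commit, so the interface is never left with a half-built ACL. The ACL name, interface name and addresses are placeholders.

```cisco
! Added example, not from the original messages. Names/addresses are placeholders.
! Switch the FWSM from auto-commit (default) to manual commit mode.
access-list mode manual
!
! While in manual mode, edits are staged; the ACL currently applied to
! the interface keeps filtering traffic unchanged.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.11 eq 25
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Apply every staged change at once, replacing the active ACL in one step.
access-list commit
!
! Verify the committed ACL and watch hit counts to confirm it is in force.
show access-list OUTSIDE_IN
```

Leaving the device in manual mode means later one-off edits also sit unapplied until the next `access-list commit`, which is worth noting in any change script.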
