Educause Security Discussion mailing list archives

Re: Network Access Control Changes - Firewall and ACL policy changes

From: Mike Iglesias <iglesias () UCI EDU>
Date: Mon, 4 Jun 2007 13:16:43 -0700

Luke Sheppard wrote:

I have found that the Cisco FWSM needs a manual shutdown/no-shut of the
interface if making acl changes via the command-line IOS. But if you use
the web browser GUI you can add interstitial acl changes on-the-fly with no
down time. This is very convenient for quick one-off changes, but
irritating if you are used to scripting everything.


What version of the FWSM software are you using?  We're using 2.3, and have
not seen problems like this.  One of our ACLs is about 2300 lines long.  We
don't see any traffic passing issues, but the load on the FWSM jumps up to
over 95% for a second or two as it compiles the ACL.


--
Mike Iglesias                          Email:       iglesias () uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

Current thread:

Re: Network Access Control Changes - Firewall and ACL policy changes Luke Sheppard (Jun 04)
- <Possible follow-ups>
- Re: Network Access Control Changes - Firewall and ACL policy changes David LaPorte (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Mike Iglesias (Jun 04)
- Re: Network Access Control Changes - Firewall and ACL policy changes Paul Keser (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Michael Hornung (Jun 05)
- Re: Network Access Control Changes - Firewall and ACL policy changes Greg T. Grimes (Jun 06)