SmartSwitch Router User Reference Manual 175
Chapter 10: Security Configuration Guide

creating additional delay. Therefore, one should consider the potential performance impact before turning on ACL Logging.

Maintaining ACLs Offline Using TFTP or RCP

The SSR provides two mechanisms to maintain and manipulate ACLs. The traditional method used by some of the other popular routers requires the use of TFTP or RCP. With this mechanism, the administrator is encouraged to create and modify ACLs on a remote host. The administrator can use his or her favorite editor to edit, delete, replace or reorder ACL rules in a file. Once the changes are made, the administrator can then download the ACLs to the router using TFTP or RCP and make them take effect on the running system.

The following example describes how one can use TFTP to help maintain ACLs on the SSR. Suppose the following ACL commands are stored in a file on some host:

    no acl *
    acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
    acl 101 permit tcp 10.11.0.0 any
    acl 101 apply interface ssr12 input

The first command, no acl *, negates all commands that start with the keyword "acl". This tells the router to remove the application and the definition of any ACL. The administrator can be more selective if he or she wants to remove only ACL commands related to, for instance, ACL 101 by saying no acl 101 *. The negation of all related ACL commands is important because it removes any potential confusion caused by the addition of new ACL rules to existing rules. Basically, the no acl command cleans up the system for the new ACL rules.

Once the negation command is executed, the second and the third commands proceed to redefine ACL 101. The final command applies the ACL to interface ssr12.

If the changes are accessible from a TFTP server, one can download and make the changes take effect by issuing commands like the following:

    copy tftp://10.1.1.12/config/acl.changes to scratchpad
    copy scratchpad to active

The first copy command downloads the file acl.changes from a TFTP server and puts the commands into the temporary configuration area, the scratchpad. The administrator can re-examine the changes if necessary before committing the changes to the running system. The second copy command makes the changes take effect by copying from the scratchpad to the active running system.

If the administrator needs to re-order or modify the ACL rules, one must make the changes in the acl.changes file on the remote host, download the changes and make them effective again.
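As an added example (not from the manual and not an SSR tool), the following Python checker can be run over an acl.changes file on the remote host before it is placed on the TFTP server, so that the review the text suggests doing in the scratchpad can also happen before download. It checks the points the text makes: that the file begins with a negation (no acl * or no acl <id> *) so new rules replace rather than append to existing ones, that every apply line refers to an ACL defined in the file, and that every defined ACL is applied. It additionally flags a rule that an earlier any/any rule of the same protocol shadows, assuming the usual first-match-in-order ACL semantics. The command grammar it parses is only the subset shown on this page, and the two sample files are constructed.

```python
import re

# Constructed sample, mirroring the acl.changes file shown in the manual.
GOOD_ACL_CHANGES = """\
no acl *
acl 101 deny tcp 10.11.0.0/16 10.12.0.0/16
acl 101 permit tcp 10.11.0.0 any
acl 101 apply interface ssr12 input
"""

# Constructed sample with the mistakes the text warns about: no negation
# first (rules would append to whatever ACL 102 already holds), a deny that
# can never match because an earlier permit any/any shadows it, and an apply
# of an ACL this file never defines.
BAD_ACL_CHANGES = """\
acl 102 permit tcp any any
acl 102 deny tcp 10.11.0.0/16 any
acl 102 apply interface ssr12 input
acl 103 apply interface ssr12 output
"""

# Grammar covers only the command forms shown on this page (an assumption;
# the SSR CLI accepts more options than these).
NEGATE_RE = re.compile(r"^no\s+acl\s+(?:(\S+)\s+)?\*$")
RULE_RE = re.compile(r"^acl\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)$")
APPLY_RE = re.compile(r"^acl\s+(\S+)\s+apply\s+interface\s+(\S+)\s+(input|output)$")


def lint_acl_changes(text):
    """Return a list of findings, in file order; an empty list means the file passes."""
    findings = []
    negated = set()    # ACL ids cleared by a leading 'no acl' command ('*' = all)
    defined = {}       # ACL id -> list of (action, proto, src, dst) in file order
    applied = set()
    seen_rule = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue

        m = NEGATE_RE.match(line)
        if m:
            if seen_rule:
                findings.append(f"line {lineno}: negation after rules would discard them")
            negated.add(m.group(1) or "*")
            continue

        m = APPLY_RE.match(line)
        if m:
            seen_rule = True
            acl_id = m.group(1)
            if acl_id not in defined:
                findings.append(f"line {lineno}: apply references undefined ACL {acl_id}")
            applied.add(acl_id)
            continue

        m = RULE_RE.match(line)
        if m:
            seen_rule = True
            acl_id, action, proto, src, dst = m.groups()
            if acl_id not in defined and not negated & {acl_id, "*"}:
                findings.append(
                    f"line {lineno}: ACL {acl_id} not negated first; rules would append to existing ones")
            rules = defined.setdefault(acl_id, [])
            # Assumed first-match-in-order semantics: an earlier any/any rule for
            # the same protocol (or ip) matches everything, so this rule is dead.
            for prev_action, prev_proto, prev_src, prev_dst in rules:
                if prev_proto in (proto, "ip") and prev_src == prev_dst == "any":
                    findings.append(
                        f"line {lineno}: rule shadowed by earlier '{prev_action} {prev_proto} any any'")
                    break
            rules.append((action, proto, src, dst))
            continue

        findings.append(f"line {lineno}: unrecognised command: {line}")

    for acl_id in defined:
        if acl_id not in applied:
            findings.append(f"ACL {acl_id} is defined but never applied")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_ACL_CHANGES), ("bad", BAD_ACL_CHANGES)):
        problems = lint_acl_changes(text)
        print(f"{name}: {'ok' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Running the script reports the manual's own file as clean and lists three findings for the constructed bad file; a non-empty result is the signal to fix the file on the remote host before the copy tftp://... to scratchpad step, rather than after it has reached the router.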