Comments on: Anti-lockout best practice http://ccielab.ro/2010/07/anti-lockout-best-practice/ Cry in the Lab, Laugh in the Datacenter Mon, 12 Mar 2012 12:15:51 +0200 http://wordpress.org/?v=2.8.4 hourly 1 By: bogd http://ccielab.ro/2010/07/anti-lockout-best-practice/comment-page-1/#comment-340 bogd Mon, 12 Mar 2012 12:15:51 +0000 http://ccielab.ro/?p=130#comment-340 The "reload in" command should be a last resort - in 99% of the cases, you will not lock yourself out, so you can issue a "reload cancel". I agree that it's a completely different story when dealing with production routers serving "zounds of users", but then again... you _really_ shouldn't be making potentially disruptive changes (or any kind of changes!) on such routers outside of a maintenance window. :) And to answer the Juniper part - I really do love the "commit" feature, but... if you commit a non-working config, you're just as scre^H^H^H^H much in trouble :) . The “reload in” command should be a last resort – in 99% of the cases, you will not lock yourself out, so you can issue a “reload cancel”.

I agree that it’s a completely different story when dealing with production routers serving “zounds of users”, but then again… you _really_ shouldn’t be making potentially disruptive changes (or any kind of changes!) on such routers outside of a maintenance window. :)

And to answer the Juniper part – I really do love the “commit” feature, but… if you commit a non-working config, you’re just as scre^H^H^H^H much in trouble :) .

]]> By: Mircea http://ccielab.ro/2010/07/anti-lockout-best-practice/comment-page-1/#comment-149 Mircea Fri, 07 Oct 2011 09:06:08 +0000 http://ccielab.ro/?p=130#comment-149 Yes, it's a good idea the reload in command, but imho when you are dealing with production routers it is better to lock yourself out than having zounds of users complaining they were disconnected from their applications. In my opinion there are like 3 viable solutions: 1. be careful! 2. use a EEM applet that would issue a "no ip access-list" or reset the acl config to a template-based one, say after 10 minutes, if no "wr mem" is issued. 3. use Juniper ( :P ), that has the "commit" command PS: anyway, I'm just being picky, I actually used "reload in" many times..but never on backbone equipments Yes, it’s a good idea the reload in command, but imho when you are dealing with production routers it is better to lock yourself out than having zounds of users complaining they were disconnected from their applications.
In my opinion there are like 3 viable solutions:
1. be careful!
2. use a EEM applet that would issue a “no ip access-list” or reset the acl config to a template-based one, say after 10 minutes, if no “wr mem” is issued.
3. use Juniper ( :P ), that has the “commit” command

PS: anyway, I’m just being picky, I actually used “reload in” many times..but never on backbone equipments

]]>