Can I modify an access list in the production environment (VPN)?

With many VPN tunnels in your production environment you may be asked to modify some policies. Which tasks can you do without impact on the business traffic, and which can be performed only during a change window?

You can add a new ACE; it does not terminate tunnels:

R4(config-ext-nacl)#do sh runn | s access
ip access-list extended VPN
 permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
R4(config-ext-nacl)#per
R4(config-ext-nacl)#permit ip
R4(config-ext-nacl)#permit ip 150.1.4.0 0.0.0.255  20.0.0.0 0.0.0.255
R4(config-ext-nacl)#
R4(config-ext-nacl)#

As you can see, nothing happened. But when you remove any entry, even one not related to your SA, you see this:

R4(config-ext-nacl)#do  sh run | s access
ip access-list extended VPN
 permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255
 permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
R4(config-ext-nacl)#
R4(config-ext-nacl)#no  permit ip 150.1.4.0 0.0.0.255 20.0.0.0 0.0.0.255
R4(config-ext-nacl)#
*Mar 15 10:41:16.123: IKEv2:(1): Sending DEL info message
*Mar 15 10:41:16.135: IKEv2:(1): Sending DEL info message
*Mar 15 10:41:16.167: IKEv2:(1): Processing ACK to informational exchange
*Mar 15 10:41:16.203: IKEv2:(1): Processing ACK to informational exchange
R4(config-ext-nacl)#
*Mar 15 10:41:18.691: IKEv2:(1): Processing initial message
*Mar 15 10:41:18.763: IKEv2:(1): Sending initial message
*Mar 15 10:41:18.899: IKEv2:(1): Recieved valid parameteres in process id
*Mar 15 10:41:18.923: IKEv2:(1): Processing auth message
*Mar 15 10:41:18.935: IKEv2:(1): Sending auth message
*Mar 15 10:41:18.947: IKEv2:(1): SA created; inserting SA into database
R4(config-ext-nacl)#

In this case our SA has been torn down and re-created. I strongly recommend performing changes only during the change window, but sometimes you may get an urgent request, and it is good to know which commands have an impact on the active tunnels.
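To turn the observation above into a pre-change check, the following added example (not code from the original post) diffs the current and intended crypto ACL, flags the change as safe only when it consists purely of additions, and counts the IKEv2 "Sending DEL info message" and "SA created" lines in debug output to confirm whether an SA actually bounced. The ACL parser and the debug-line patterns are assumptions based on the output shown above; the sample ACLs and log lines are constructed from that same output.

```python
"""
Pre-change check for crypto ACL edits on IOS, plus a scan of IKEv2 debug
output for the messages that show an SA being torn down and rebuilt.

Added example, not from the original post. The 'ip access-list extended'
block format and the debug-line patterns are assumptions taken from the
output shown above; adjust them if your platform prints them differently.
"""
import re
from typing import Dict, List


def parse_acl(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [normalized ACE, ...]} from 'show run | s access' style text.

    Prompt lines (e.g. 'R4(config-ext-nacl)#...') are ignored; only lines
    indented under an 'ip access-list extended <name>' header are ACEs.
    """
    acls: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^ip access-list extended (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current and line.startswith(" "):
            # Collapse repeated spaces so 'permit ip a  b' equals 'permit ip a b'
            acls[current].append(" ".join(line.split()))
    return acls


def plan_change(current: str, desired: str, acl: str) -> Dict[str, object]:
    """Classify the change: additions alone leave SAs up, any removal bounces them."""
    old = set(parse_acl(current).get(acl, []))
    new = set(parse_acl(desired).get(acl, []))
    removed = sorted(old - new)
    return {
        "added": sorted(new - old),
        "removed": removed,
        # Per the observation above, removing any ACE re-creates the SA,
        # so only an add-only change is considered safe outside a window.
        "safe_outside_window": len(removed) == 0,
    }


# IKEv2 debug lines that mark teardown and rebuild (patterns are assumptions)
SA_TEARDOWN = re.compile(r"IKEv2:\(\d+\): Sending DEL info message")
SA_CREATED = re.compile(r"IKEv2:\(\d+\): SA created")


def sa_events(log: str) -> Dict[str, object]:
    """Count teardown and rebuild events in captured IKEv2 debug output."""
    lines = log.splitlines()
    teardown = sum(1 for line in lines if SA_TEARDOWN.search(line))
    created = sum(1 for line in lines if SA_CREATED.search(line))
    return {"teardown": teardown, "created": created,
            "sa_bounced": teardown > 0 and created > 0}


# Constructed sample data, modelled on the router output shown above
ACL_BEFORE = """ip access-list extended VPN
 permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
"""
ACL_AFTER_ADD = """ip access-list extended VPN
 permit ip 150.1.4.0 0.0.0.255  20.0.0.0 0.0.0.255
 permit ip host 150.1.4.4 20.0.0.0 0.0.0.255
"""
DEBUG_AFTER_REMOVE = """*Mar 15 10:41:16.123: IKEv2:(1): Sending DEL info message
*Mar 15 10:41:16.135: IKEv2:(1): Sending DEL info message
*Mar 15 10:41:16.167: IKEv2:(1): Processing ACK to informational exchange
*Mar 15 10:41:18.947: IKEv2:(1): SA created; inserting SA into database
"""

if __name__ == "__main__":
    print("add only:", plan_change(ACL_BEFORE, ACL_AFTER_ADD, "VPN"))
    print("removal :", plan_change(ACL_AFTER_ADD, ACL_BEFORE, "VPN"))
    print("debug   :", sa_events(DEBUG_AFTER_REMOVE))
```

Run the check against the running config and the candidate config before touching the router: a plan with a non-empty `removed` list belongs in the change window, and the debug scan gives you a quick way to confirm after the fact whether a tunnel was rebuilt.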

