ACL Application Question

Dale_Somers
Level 1

I'm a new user of this forum studying for my CCNA.

My question is: if I create an ACL and do not apply it anywhere, does it do anything? There is some discussion with the people I'm studying with about the issue, and I'm being told that it may apply to the management VLAN by default. Is this true?

Thanks for your patience.

Accepted Solution

Hello,

I have never heard this before. I don't believe that's true. Since you can have several access-lists on a device, if they all applied "by default" to the MGMT vlan then at some point everything would be blocked. ACLs are very dynamic and diverse, but they don't automatically apply themselves to ports/interfaces/vlans. And to test, you can make a fake ACL and do a show run to see what's on the MGMT vlan. It will tell you if an ACL is applied.

Hope this helps.


7 Replies


So, if I make an ACL and don't apply it anywhere, it does nothing, correct?

That is correct. There are too many variables with interfaces such as VTY lines, VLANs, switchport interfaces, IN/OUT directions, etc. It cannot assume what your specific needs are. This is true with most switches and routers for your purpose. There may be some differences with firewalls/ASA devices that may do this (I still doubt that since the same caveats apply as stated above). But yes, an ACL not applied to anything does nothing.

@David Ruess has provided a good response. So +5. I might phrase it differently and say that an ACL can be used for many purposes (perhaps used in access-group on an interface, or perhaps used in access-class on vty, or perhaps used in a route map for Policy Based Routing, or perhaps for control of NTP, or perhaps to identify traffic for QoS, or perhaps to identify traffic for network translation, among the many possibilities). I would say that an ACL is an object, and until you define how that object is to be used it will not do anything. And I will add that this applies to ASA as well as to routers and to switches.

HTH

Rick
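The accepted answer suggests checking `show run` to see whether an ACL is actually applied, and Rick's reply lists the places an ACL can be referenced (interface access-group, vty access-class, route maps, NTP, and so on). The script below is an added example written for this page, not code from the thread or from Cisco: it parses a constructed IOS-style running-config, records where each defined ACL is referenced, and reports ACLs that exist but are applied nowhere, plus references to ACLs that were never defined (usually a typo, which is worth chasing because a mistyped name means the filter you think you applied is not the one in effect). The reference patterns cover the uses named in the thread and a few other common IOS ones; they are an assumption about config syntax, not an exhaustive list.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the thread). Three ACLs are
# defined; NET-MGMT-IN and 10 are referenced, UNUSED-TEST is not, and the
# ntp line references ACL 20, which is never defined.
SAMPLE_RUNNING_CONFIG = """\
hostname LabSwitch
!
ip access-list extended NET-MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny   ip any any log
!
ip access-list standard UNUSED-TEST
 permit 203.0.113.0 0.0.0.255
!
access-list 10 permit 198.51.100.0 0.0.0.255
!
ntp access-group peer 20
!
interface Vlan99
 description management
 ip address 192.0.2.1 255.255.255.0
 ip access-group NET-MGMT-IN in
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""

# Lines that *define* an ACL (named or numbered).
DEF_PATTERNS = [
    re.compile(r"^ip access-list (?:standard|extended) (\S+)$"),
    re.compile(r"^access-list (\d+) "),
]

# Lines that *reference* an ACL. Only a reference makes an ACL do anything.
# Assumed IOS syntax for the common cases; extend for your platform.
REF_PATTERNS = [
    re.compile(r"^ip access-group (\S+) (?:in|out)$"),        # interface filter
    re.compile(r"^access-class (\S+) (?:in|out)$"),           # vty filter
    re.compile(r"^match ip address (?!prefix-list)(\S+)"),    # route-map / class-map
    re.compile(r"^ntp access-group \S+ (\S+)"),               # ntp control
    re.compile(r"^ip nat inside source list (\S+) "),         # NAT selection
]


def find_acl_usage(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [context where referenced, ...]} for every ACL defined
    in config. An empty list means the ACL exists but is applied nowhere."""
    defined: Dict[str, List[str]] = {}
    references: Dict[str, List[str]] = {}
    context = "global"
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        stripped = line.strip()
        if not line.startswith(" "):
            # Top-level section headers become the context for indented lines.
            if stripped.startswith(("interface ", "line ")):
                context = stripped
            else:
                context = "global"
        for pat in DEF_PATTERNS:
            m = pat.match(stripped)
            if m:
                defined.setdefault(m.group(1), [])
        for pat in REF_PATTERNS:
            m = pat.match(stripped)
            if m:
                references.setdefault(m.group(1), []).append(f"{context}: {stripped}")
    # Stash references so dangling_references() can reuse the same pass.
    find_acl_usage.last_references = references  # type: ignore[attr-defined]
    return {name: references.get(name, []) for name in defined}


def unused_acls(config: str) -> List[str]:
    """ACLs that are defined but referenced nowhere: they do nothing."""
    return sorted(name for name, refs in find_acl_usage(config).items() if not refs)


def dangling_references(config: str) -> List[str]:
    """ACL names referenced by some feature but never defined in the config."""
    usage = find_acl_usage(config)
    refs = find_acl_usage.last_references  # type: ignore[attr-defined]
    return sorted(name for name in refs if name not in usage)


if __name__ == "__main__":
    for acl, where in find_acl_usage(SAMPLE_RUNNING_CONFIG).items():
        print(f"{acl}: {'applied at ' + '; '.join(where) if where else 'NOT APPLIED'}")
    print("unused:", unused_acls(SAMPLE_RUNNING_CONFIG))
    print("dangling:", dangling_references(SAMPLE_RUNNING_CONFIG))
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_RUNNING_CONFIG` with the file contents). The unused list is the practical answer to the question in the thread: an ACL that shows up there is inert until something references it.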

"So, If I make an ACL and don't apply it anywhere, it does nothing, correct?"

Well, . . .

Actively, no, passively, yes and maybe.

"Yes" for it will take up "space" in your config(s) (running and optionally, startup).

"Maybe" for it in a running configuration, as it might also be saved in a pre-compiled or compiled state and use a tiny, tiny bit of additional CPU to be converted to that state. (I don't know, or at least recall, Cisco making public how it "saves" or processes a running config. For example, if you insert an "unused" ACL, it "saves it" as a show run will reveal, but does it also parse it and perhaps ready it, as code [at least on a software based router], ready for use? Again, I don't know how it's processed even when not actively used by other parts of the config.)

Dale_Somers
Level 1

Thank you both, this has cleared things up for me. I am also working with a Ruckus ICX series switch and would assume this also applies there, but that is a question for a different forum...

You are welcome. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick