ACL practices when modifying and applying new policies

Jason Jackal
Level 1

Folks:

I am studying for my CCNA, and I am confused at how to manage ACL lists that are already applied to an interface.

For example: I have an ACL already applied to S0; however, I need to modify it. Cisco recommends that you disable the list first with the no ip access-group command; however, from my understanding, if I remove the list, traffic will be unfiltered. How do I modify an applied ACL and still filter traffic? Do I create another ACL to block all traffic until I modify my selected ACL?

Thank you

3 Replies

Phillip Wilson
Level 1

If you don't want to remove the old one and want to keep it in place, a good way to do this is to copy the current ACL to Notepad, add your additions or remove what you want, and apply it as a different ACL number. Then get on the interface, apply the new ACL to it and remove the old one.


Phillip's suggestion is one good way. Another is to use extended access-lists and modify by specifying the sequence number. See the examples here.

Bilal Nawaz
VIP Alumni

If you want to change an access-list that is already applied to an interface, you need to consider where to place your additions.

You can do this:
internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
30 deny 172.16.1.0, wildcard bits 0.0.0.255

In this ACL I have permitted 172.16.1.1 and .2.
However, in the last entry (line 30) I have denied the rest of the network. What if I wanted to add .3 and allow that?

Well, if we add .3 to the bottom of the ACL, then .3 would be denied by line 30.
I.e. if you do

conf t
ip access-list standard 2
permit 172.16.1.3

Your ACL would look like this:

internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
30 deny 172.16.1.0, wildcard bits 0.0.0.255
40 permit 172.16.1.3

This won't work because of the order: the network is denied by line 30, so line 40 will have no effect. Instead you can do this:

conf t
ip access-list standard 2
25 permit 172.16.1.3

Which would place this above line 30.

If we do a show access-list again:

internetrouter#show access-lists
Standard IP access list 2
10 permit 172.16.1.1
20 permit 172.16.1.2
25 permit 172.16.1.3
30 deny 172.16.1.0, wildcard bits 0.0.0.255

Now .3 will be permitted, and so too .1 and .2, with the rest of the network being denied. So it's important to check traffic flows and the placement of your ACL entries.

Likewise with removing ACL entries: use 'no #', with # being the sequence number of the ACL entry.

Having ACLs on an interface is good for security but can be devastating when you are editing them in a live config if you get it wrong.

I recommend doing any changes to ACLs out of hours in an enterprise environment with a 'reload in 5', which gives me 5 minutes to make the change. If it goes well then I can cancel the reload and save the config. If I end up locking myself out, the router or device will reload in 5 minutes anyway, so you can get the router back with the original config.

Or, as mentioned previously, create an entirely new ACL with your changes, then apply that to your interface. But even then you could get the ACL wrong, hence a 'reload in' might be useful ;-)

Hope this helps

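The ordering point made in the reply above comes down to first-match evaluation: IOS walks the entries in ascending sequence order, stops at the first match, and applies the implicit "deny any" if nothing matches. The following is an added example written for this thread (not IOS code and not code from any of the posters): a small Python model of a standard ACL that reproduces the thread's ACL 2 and shows, for the same host 172.16.1.3, why appending "permit 172.16.1.3" (which IOS numbers 40) has no effect while "25 permit 172.16.1.3" works. The class name StandardAcl, the helper function names, and the default "append at highest+10" rule are this example's own assumptions about IOS behaviour.

```python
"""Minimal first-match ACL evaluator modelled on Cisco IOS standard ACL
semantics, to show why sequence-number placement matters.

Hypothetical example code written for this forum thread; it is not an IOS
feature and not code from the original posts.
"""
import ipaddress
from typing import Dict, Optional, Tuple


def _ipv4(text: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


class StandardAcl:
    """Ordered entries of (action, network, wildcard) keyed by sequence number.

    Evaluation: ascending sequence order, first match wins, and an address
    matching no entry falls through to the implicit 'deny any'.
    """

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[int, Tuple[str, int, int]] = {}

    def add(self, action: str, network: str, wildcard: str = "0.0.0.0",
            seq: Optional[int] = None) -> int:
        """Add an entry; with no seq, append like IOS does (last seq + 10)."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if seq is None:
            seq = max(self.entries) + 10 if self.entries else 10
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already in use")
        self.entries[seq] = (action, _ipv4(network), _ipv4(wildcard))
        return seq

    def remove(self, seq: int) -> None:
        """Equivalent of 'no <seq>' in IOS ACL configuration mode."""
        del self.entries[seq]

    def evaluate(self, src: str) -> str:
        """Return 'permit' or 'deny' for a source address (first match wins)."""
        addr = _ipv4(src)
        for seq in sorted(self.entries):
            action, net, wild = self.entries[seq]
            # Wildcard semantics: bit 0 = must match, bit 1 = don't care.
            care = ~wild & 0xFFFFFFFF
            if (addr & care) == (net & care):
                return action
        return "deny"  # implicit deny any at the end of every IOS ACL

    def show(self) -> str:
        """Render the ACL roughly as 'show access-lists' prints it."""
        lines = [f"Standard IP access list {self.name}"]
        for seq in sorted(self.entries):
            action, net, wild = self.entries[seq]
            host = ipaddress.IPv4Address(net)
            if wild == 0:
                lines.append(f"{seq} {action} {host}")
            else:
                lines.append(f"{seq} {action} {host}, wildcard bits "
                             f"{ipaddress.IPv4Address(wild)}")
        return "\n".join(lines)


def build_thread_acl() -> StandardAcl:
    """ACL 2 from the thread: .1 and .2 permitted, the rest of the /24 denied."""
    acl = StandardAcl("2")
    acl.add("permit", "172.16.1.1")
    acl.add("permit", "172.16.1.2")
    acl.add("deny", "172.16.1.0", "0.0.0.255")
    return acl


def append_at_end() -> StandardAcl:
    """The wrong way: 'permit 172.16.1.3' with no sequence lands at 40."""
    acl = build_thread_acl()
    acl.add("permit", "172.16.1.3")
    return acl


def insert_before_deny() -> StandardAcl:
    """The right way: '25 permit 172.16.1.3' sits above the deny at 30."""
    acl = build_thread_acl()
    acl.add("permit", "172.16.1.3", seq=25)
    return acl


if __name__ == "__main__":
    for label, acl in (("appended at 40", append_at_end()),
                       ("inserted at 25", insert_before_deny())):
        print(f"--- {label} ---")
        print(acl.show())
        for host in ("172.16.1.1", "172.16.1.3", "172.16.1.9", "10.0.0.1"):
            print(f"  {host}: {acl.evaluate(host)}")
```

Running the block prints both versions of the ACL followed by the verdict for each test host; 172.16.1.3 is denied in the first and permitted in the second, and 10.0.0.1 is denied in both by the implicit deny. The same evaluator can be used to check a planned edit offline before touching a live interface, which is the safer complement to the 'reload in' safety net described above.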