03-03-2006 10:48 AM - edited 03-03-2019 02:06 AM
An access-list was removed to edit and replace. Once the access-list was removed we lost network connectivity to the remote router. This list is an extensive one. But when we removed them on other remote routers, network connectivity remained. Can anyone tell me why? Is this typical of access-lists, and is it good practice to wait until after business hours?
03-03-2006 12:43 PM
When configuring or re-configuring ACLs, it is a good idea to remove the 'ip access-group' statement from the interface first. When you remove all the actual 'access-list' statements for an ACL and the 'access-group' command remains, what happens is that the router will deny all packets through that ACL. That's why you should always remove the access-group first.
Hope that helps - pls rate the post if it does.
Paresh
03-03-2006 01:16 PM
Perhaps a refinement of this answer is in order. If you remove the access list and leave the access-group, the router will permit all traffic. The router treats a null access list as if there were a permit any. (It is very old versions of IOS that would still enforce the implicit deny any at the end of the list.) The danger is when you start to rebuild the access list. As soon as the access list has at least one statement it will have the deny any at the end.
The advice to remove the access-group, delete the access list, rebuild the access list, replace the access-group is good advice.
HTH
Rick
03-03-2006 01:28 PM
Thanks for the clarification, Rick. My post did not come out the way I would have liked :-(
Paresh
03-03-2006 01:49 PM
No problem.
I am sure that we have all had experiences of looking at things we have written, or questions answered, and realized that what we wrote was not quite what we were thinking as we created it.
Your main point is well taken that it is good practice to remove the access-group before removing and changing the content of access lists.
Sometimes I take a slightly different approach: I will build a new version of the access list using a different number (if I am changing access list 101, I may create list 102) which is the modified version of the list. I then change the access-group to reference the new version of the list. This may have a couple of advantages including the fact that the interface is always protected by some access list. Also it makes backing out changes easier if we discover that there was some flaw in our list modification.
HTH
Rick
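The swap approach Rick describes, written out as an added IOS configuration example (not from any post in this thread). The list number 101, interface FastEthernet0/0, and the host addresses 192.0.2.10 and 192.0.2.20 are constructed placeholders.

```cisco
! Added example, not from the thread. Assumes access-list 101 is currently
! applied inbound on FastEthernet0/0; all addresses are constructed placeholders.
!
! 1. Build the modified list under a new number. The interface stays protected
!    by 101 the whole time, so the implicit "deny any" at the end of the
!    half-built 102 never touches live traffic.
access-list 102 remark Revised copy of 101, built before the swap
access-list 102 permit tcp host 192.0.2.10 any eq 22
access-list 102 permit tcp any host 192.0.2.20 eq 80
access-list 102 permit icmp any any echo-reply
!
! 2. Point the interface at the new list. A second "ip access-group" in the
!    same direction replaces the first, so there is no moment with no list
!    applied and no moment with an empty list applied.
interface FastEthernet0/0
 ip access-group 102 in
!
! 3. Verify before cleaning up. Backing out is a single command:
!    "ip access-group 101 in" under the interface.
! show ip access-lists 102
! show ip interface FastEthernet0/0 | include access list
!
! 4. Only after verification remove the old list, since nothing references it.
no access-list 101
```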
03-03-2006 02:07 PM
Hey Rick,
Your second approach does seem like a good way of doing things. I might have to adopt it myself!
Cheers,
Paresh
03-03-2006 04:06 PM
One way around this on any newer boxes running 12.X code: always use "named" access lists. This allows you to add and remove things without stripping the ACL off to modify. 12.2T and above allows you to add and delete statements and insert them anywhere you want in the list without removing it.
03-06-2006 07:05 AM
If you make an update file on your TFTP server, then load this file from the command line with the copy tftp running-config command to your router, this problem is avoided.
Just make sure you don't make any typos locking out your own management session.
If you want to be really, really sure, first remove the access-list from the interfaces it's applied on, like stated earlier.
Make it like this:
no access-list xxx
!
access-list xxxx