3323 Views, 5 Helpful, 2 Replies

When does a modified ACL take effect?

yjim0140
Level 1

Let me ask a simple question regarding the ACL feature.

For instance, let me assume that ACL 100 was defined and applied to intf_A and intf_B. Later, if ACL 100 is modified, I'm wondering whether it will be applied to intf_A and intf_B dynamically, or whether I have to reapply it to both interfaces, meaning

"no ip access-group 100 in" and "ip access-group 100 in" for intf_A and intf_B.

My understanding has been that an ACL that was defined and applied should be re-applied so that the modified ACL takes effect. However, I have been told that on recent high-end Cisco routers an ACL is applied as soon as it is modified.

Any response will be greatly appreciated.

Yongjun.

2 Replies

Richard Burts
Hall of Fame

In all Cisco routers (not just high end) the modified access list takes effect immediately. It is not necessary to remove and reapply the access list to implement the changes.

Having said that, it is frequently good practice to remove the access list from the interface, modify the list, and apply the access list to the interface. This is not necessary to activate the changes but is to make the process less of an impact. The issue is that when you delete the access list to get ready to rebuild it, the empty list is still applied to the interface(s). This will permit everything (the default deny any does not apply to an empty list). When you add the first line in rebuilding the list the default deny any does apply. If the access list is on the interface to which you are connected and if the first line in the modified access list is not a permit for your session, you have just killed your session. Remove the list, modify the list, apply the list is the clean way to get around this issue.

HTH

Rick

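The lockout Rick describes, and the unbind/rebuild/rebind sequence he recommends, as an added IOS configuration example (not part of the original reply). The interface names, addresses and the numbered ACL contents are assumptions made for the example; only the behaviour of an empty numbered ACL (permit all) versus a non-empty one (implicit deny at the end) comes from the thread.

```cisco
! Assumed starting point: numbered ACL 100 is bound inbound on two interfaces.
! The administrator is logged in over SSH from 192.168.1.10, arriving on Gi0/0.
access-list 100 permit tcp host 192.168.1.10 any eq 22
access-list 100 permit tcp any host 10.0.0.5 eq 80
!
interface GigabitEthernet0/0
 ip access-group 100 in
!
interface GigabitEthernet0/1
 ip access-group 100 in

! --- Risky sequence: rebuild the list while it is still bound ---
configure terminal
no access-list 100
! ACL 100 is now empty, but both interfaces still reference it.
! An empty list has no implicit deny, so everything is permitted for the moment.
access-list 100 permit tcp any host 10.0.0.5 eq 80
! With the first line present the implicit "deny ip any any" applies again.
! The SSH session (192.168.1.10 -> port 22) matches no permit and is dropped,
! so the line below is never entered.
access-list 100 permit tcp host 192.168.1.10 any eq 22

! --- Safe sequence: unbind, rebuild, rebind ---
configure terminal
interface GigabitEthernet0/0
 no ip access-group 100 in
interface GigabitEthernet0/1
 no ip access-group 100 in
! Nothing references ACL 100 now, so the order of the new lines cannot
! affect the session.
no access-list 100
access-list 100 permit tcp host 192.168.1.10 any eq 22
access-list 100 permit tcp any host 10.0.0.5 eq 80
access-list 100 permit udp any host 10.0.0.53 eq 53
! Bind the completed list; it is enforced from this moment on.
interface GigabitEthernet0/0
 ip access-group 100 in
interface GigabitEthernet0/1
 ip access-group 100 in
end
! Verify the list and its bindings before saving.
show access-lists 100
show ip interface GigabitEthernet0/0 | include access list
```

Two caveats worth keeping in mind. While the interfaces are unbound in the safe sequence they filter nothing at all, so the rebuild belongs in a maintenance window or on the console, not on a busy Internet-facing box. And when the work has to be done remotely, scheduling `reload in 10` before `configure terminal` (and `reload cancel` once `show access-lists` looks right) limits a mistake to a ten-minute outage, provided the startup-config still holds the last known-good list, i.e. do not `copy running-config startup-config` until the result has been verified.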

Or even better, load a config with the new access-list from a TFTP server. Then there's no risk of killing your own session (assuming the new ACL is correct). Also you would not have to add or remove access-lists from the interface.

It should look like this:

no access-list 101

(deletes the old one; otherwise the new rules will only be added to the existing ACL after the deny statement, making your changes not very effective)

Then add the whole access-list including changes

access-list 101 etc...
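The merge-from-file approach in the reply above, as an added example rather than the poster's own file. The file name, the TFTP server address, the interface and the ACL contents are assumptions; the mechanism (the file is written in running-config syntax, `no access-list 101` removes the old list, and `copy ... running-config` merges the file into the running configuration line by line without touching the interface bindings) is what the reply describes.

```cisco
! Assumed file acl101.cfg on an assumed TFTP server at 192.168.1.20.
! It is written exactly as "show running-config" would print it, so every line
! is accepted as a configuration command when merged.
no access-list 101
access-list 101 remark management permit first, so the session survives the rebuild
access-list 101 permit tcp host 192.168.1.10 any eq 22
access-list 101 permit tcp any host 10.0.0.5 eq 80
access-list 101 permit tcp any host 10.0.0.5 eq 443
access-list 101 permit udp any host 10.0.0.53 eq 53
access-list 101 deny ip any any log
end

! On the router, in privileged EXEC: merge the file into the running configuration.
! "copy ... running-config" merges rather than replaces, so the existing
! "ip access-group 101 in" on each interface stays in place and the rebuilt
! list is enforced as soon as its lines are applied.
copy tftp://192.168.1.20/acl101.cfg running-config
! Check the rebuilt list and its interface bindings before saving.
show access-lists 101
show ip interface GigabitEthernet0/0 | include access list
copy running-config startup-config
```

Putting the management permit as the first line of the file matters even here: between `no access-list 101` and that line the bound list is empty (permit all), and from that line on the implicit deny is back, so a file that listed the management permit last would drop the session just as the interactive rebuild does. Two further points a practitioner should check. TFTP is cleartext and unauthenticated, so whoever can alter the file or answer for 192.168.1.20 can rewrite the router's filter; where the platform supports it, fetch the file over `scp:` instead, and compare `show access-lists 101` against the file afterwards. Finally, on IOS 12.3 and later, named ACLs (`ip access-list extended NAME`) accept sequence numbers, so a single line can be inserted with `15 permit ...` or removed with `no 15` without rebuilding the whole list; that change, too, is live the moment it is entered.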