2520 Views | 0 Helpful | 3 Replies

Removing an ACL before removing it from the Interface

alexmontis
Level 1

I always understood that you never leave an interface exposed. If you want to modify an ACL on an interface you create a new one and then apply it to the interface before deleting the old ACL. This also protects you from disabling the interface in case you deleted the ACL and essentially left an explicit deny deny behind.

Is this correct? I ask this because I'm taking a Master's degree class in Network Security. In my class, they remove the ACL from the configuration and then move to the interface and remove it from that configuration. It would seem to me that if I was connecting to the site through that interface and removed the ACL, then I would lock myself out immediately. I believe I knew this to be true but cannot reproduce the effect.

Does anyone know where I can find a document that proves or disproves my opinion? It may be that modern-day IOS is now smart enough to know not to leave an explicit deny deny once the ACL is removed. I even tried taking an interface and applying an ACL (that doesn't exist) to see if it created an invisible effect of the explicit deny deny, but could not reproduce it. I asked the professor, but he simply responded "hundreds of students completed the lab without issue", which didn't address my concern. Our lab is based on a console connection, and we don't always have out-of-band management of the devices we reach remotely. It may be something I will find later today in a best practice guide.

Any pointers would be great.

3 Replies

Gerald Burgess
Cisco Employee

Hi Alex,

I'm not sure this is the correct forum for the question you've asked.

Perhaps the Other Security Subjects forum would get you the information you need.

This forum talks about IP Cameras, Physical Access Control, and the IP Interoperability and Collaboration System.

integreon
Level 1

Alex,

It depends on the device and interface security level. Are you talking about ASA?

Sent from Cisco Technical Support iPad App

mcardinal
Level 1

As soon as the ACL is removed from the configuration, i.e., "no ip access-list standard ...", then all filtering that was applied because of the filter is stopped. It does not make a difference if you remove it from the interface first; the results are the same.

HTH someone!
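The following is an added example, not posted by anyone in this thread, showing in Cisco IOS syntax the swap procedure the original question describes (build the replacement list, move the interface to it, then delete the old list), together with the point made in the last reply: on IOS, an "ip access-group" that references a list which no longer exists applies no filtering at all, so the order of the two "no" commands does not change the outcome. The interface name, ACL names and addresses are assumed for illustration.

```cisco
! Assumed starting state: one management ACL applied inbound on the uplink
ip access-list extended MGMT-OLD
 permit tcp host 192.0.2.10 any eq 22
 deny   ip any any
!
interface GigabitEthernet0/1
 ip access-group MGMT-OLD in
!
! Optional safety net when working over the in-band path: schedule a reload,
! then cancel it once the change is verified (see the end of this example)
reload in 10
!
! Step 1: create the replacement under a new name. Nothing changes on the
! interface yet, so the existing filter keeps protecting the device.
ip access-list extended MGMT-NEW
 permit tcp host 192.0.2.10 any eq 22
 permit tcp host 192.0.2.11 any eq 22
 deny   ip any any log
!
! Step 2: point the interface at the new list. A second "ip access-group ... in"
! replaces the previous binding in one command; the interface is never left
! without an ACL and the management session stays up.
interface GigabitEthernet0/1
 ip access-group MGMT-NEW in
!
! Step 3: only now remove the old list, which nothing references any more.
no ip access-list extended MGMT-OLD
!
! Verify which list is bound and that the new entries are matching traffic
do show ip interface GigabitEthernet0/1 | include access list
do show access-lists MGMT-NEW
!
! Change confirmed: cancel the scheduled reload
reload cancel
!
! For contrast, the sequence used in the lab. After the first command the
! interface still carries "ip access-group MGMT-OLD in", but because the list
! no longer exists IOS permits all traffic through it; no deny is applied, and
! the session is not cut off. The second command only tidies the binding.
no ip access-list extended MGMT-OLD
interface GigabitEthernet0/1
 no ip access-group MGMT-OLD in
```

The swap order matters less for lockout than the original question assumes, but it still matters for exposure: during the lab sequence the interface is unfiltered between the two commands, whereas in the three-step sequence it is filtered throughout.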