Apply Empty ACL - What Happens ?

rossua994
Level 1

If an empty ACL (i.e. consisting of no statements at all) is applied to an interface via:

ip access-group acl-number { in | out }

what happens to traffic on the interface? Will all traffic be permitted or all blocked? I have read it is permitted, but as an ACL always has an implicit deny all statement at the end, shouldn't the empty ACL deny all traffic?

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame

Ross

The statement that an ACL always has an implicit deny any at the bottom has one exception. And that exception is when the ACL is empty. If you use ip access-group to apply an ACL and that ACL has no statements then all traffic is permitted.

There are some very old versions of IOS where this was not the case and applying the empty ACL would deny traffic. But they are VERY old. It has been the behavior of IOS for a long time to permit traffic when there is an empty ACL.

One place that this may come into play is if you are going to do maintenance on an ACL. If there is an existing ACL which is applied to an interface and you delete the ACL then all traffic through the interface will be permitted. But as soon as there is a single line in the ACL there is the implicit deny any and traffic will be blocked.

HTH

Rick


2 Replies


I would just add one thing to Rick's post. It's always better to remove the ACL from the interface, to avoid any unexpected problems, before the actual ACL itself is removed for any modification.

If the access list is still applied on the interface but the corresponding ACL doesn't exist in global config mode, all traffic would be permitted, but this can really pose some serious problems, like the router hanging/crashing, if there is a heavy volume of traffic passing through that interface. This would also avoid another problem that Rick mentioned: when you start putting the ACL back on, after the first line is entered the implicit deny will kick in, and it can lock you out of the box if you are telneted in through that interface.

HTH

Sundar
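To make the two points in this thread concrete (Rick's: an applied ACL with no entries permits everything, while an ACL with even one entry ends in an implicit deny; Sundar's: rebuilding a bound ACL line by line opens a lock-out window), here is a small Python model of that evaluation logic. It is an added illustration, not Cisco code and not anything from the posters; it assumes source-address matching only, written with prefix notation rather than IOS wildcard masks, and all hosts and entries in it are constructed sample data.

```python
"""Toy model of IOS-style standard ACL evaluation (added illustration, not Cisco code).

Models the behaviour described in the thread:
  - an applied ACL with no entries permits all traffic (the one exception
    to the implicit deny), and so does a bound ACL name that no longer exists;
  - an ACL with at least one entry ends in an implicit "deny any".
Hosts, prefixes and entries below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: IPv4Network   # matched against the packet's source address (assumed: prefix, not wildcard mask)

    def matches(self, src: IPv4Address) -> bool:
        return src in self.src


@dataclass
class Acl:
    name: str
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, src: IPv4Address) -> str:
        # Exception described by Rick: an empty ACL permits all traffic.
        if not self.entries:
            return "permit"
        # First matching entry wins, top to bottom.
        for e in self.entries:
            if e.matches(src):
                return e.action
        # Non-empty ACL: implicit "deny any" at the bottom.
        return "deny"


def interface_verdict(applied_acl: Optional[Acl], src: IPv4Address) -> str:
    """Verdict on an interface. None models 'ip access-group' still bound to an
    ACL name that has been deleted from global config: all traffic is permitted."""
    if applied_acl is None:
        return "permit"
    return applied_acl.evaluate(src)


def rebuild_in_place(acl: Acl, new_entries: List[Entry], mgmt_src: IPv4Address) -> List[str]:
    """Simulate re-entering lines one at a time into an ACL that stays bound.
    Returns the verdict for the management host after each step, which shows
    the lock-out window Sundar describes: permit (empty), then deny as soon as
    the first line exists, until a line that permits the admin host is entered."""
    acl.entries.clear()
    verdicts = [acl.evaluate(mgmt_src)]
    for e in new_entries:
        acl.entries.append(e)
        verdicts.append(acl.evaluate(mgmt_src))
    return verdicts


def safe_to_apply(entries: List[Entry], mgmt_src: IPv4Address) -> bool:
    """Pre-check before binding a rebuilt ACL: does the finished ACL still permit
    the address the operator manages the box from?"""
    return Acl("check", list(entries)).evaluate(mgmt_src) == "permit"


if __name__ == "__main__":
    admin = IPv4Address("10.0.0.5")                       # constructed management host
    planned = [Entry("permit", IPv4Network("192.168.1.0/24")),
               Entry("permit", IPv4Network("10.0.0.0/24"))]
    acl = Acl("10")
    print("bound but deleted ACL:", interface_verdict(None, admin))
    print("line-by-line rebuild:", rebuild_in_place(acl, planned, admin))
    print("finished ACL permits admin:", safe_to_apply(planned, admin))
```

The `rebuild_in_place` output is the whole point: the management host is permitted while the ACL is empty, denied the moment the first (unrelated) line is entered, and permitted again only after the line covering it arrives. Removing the `ip access-group` binding first, editing, running a check like `safe_to_apply`, and then re-binding avoids that window.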
