08-08-2007 05:56 AM - edited 03-03-2019 06:14 PM
If an empty ACL (i.e. consisting of no statements at all) is applied to an interface via:
ip access-group acl-number { in | out }
what happens to traffic on the interface? Will all traffic be permitted or all blocked? I have read it is permitted, but as an ACL always has an implicit deny all statement at the end, shouldn't the empty ACL deny all traffic?
08-08-2007 06:03 AM
Ross
The statement that an ACL always has an implicit deny any at the bottom has one exception. And that exception is when the ACL is empty. If you use ip access-group to apply an ACL and that ACL has no statements then all traffic is permitted.
There are some very old versions of IOS where this was not the case and applying the empty ACL would deny traffic. But they are VERY old. It has been the behavior of IOS for a long time to permit traffic when there is an empty ACL.
One place that this may come into play is if you are going to do maintenance on an ACL. If there is an existing ACL which is applied to an interface and you delete the ACL then all traffic through the interface will be permitted. But as soon as there is a single line in the ACL there is the implicit deny any and traffic will be blocked.
HTH
Rick
08-08-2007 06:28 AM
I would just add one thing to Rick's post. It's always better to remove the ACL from the interface to avoid any unexpected problems before the actual ACL itself is removed for any modification.
If the access list is still applied on the interface but the corresponding ACL doesn't exist in global configuration mode, all traffic would be permitted, but this can really pose some serious problems, like the router hanging/crashing, if there is a heavy volume of traffic passing through that interface. This would also avoid another problem that Rick mentioned: when you start putting the ACL back on, after the first line is entered the implicit deny will kick in and it can lock you out of the box if you are telnetted in through that interface.
HTH
Sundar
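The two failure modes described in this thread (an ACL bound to an interface that has no entries, and an ACL bound to an interface that no longer exists in the global configuration) both silently permit all traffic. The audit below is an added example, not code from this thread or from Cisco: it walks a saved IOS running-config and flags every `ip access-group` binding whose ACL is missing or has no permit/deny entries. The configuration text is constructed for the example, and the treatment of `remark` lines as not counting as entries is an assumption (a remark documents the list but filters nothing).

```python
import re

# Constructed sample running-config (not from a real device):
#  - ACL 101 has one real entry plus a remark
#  - EMPTY_ACL is declared but has no entries
#  - GONE is bound to Gi0/1 but never defined (deleted during maintenance)
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ip access-group EMPTY_ACL out
!
interface GigabitEthernet0/1
 ip access-group GONE in
!
access-list 101 remark SSH from management only
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 22
!
ip access-list extended EMPTY_ACL
!
ip access-list extended INBOUND
 10 permit ip 10.0.0.0 0.255.255.255 any
!
"""

# An access-control entry: optional sequence number, then permit or deny.
# Assumption: 'remark' lines are documentation only and are not counted.
ACE_RE = re.compile(r"^(?:\d+\s+)?(permit|deny)\b")


def parse_config(config):
    """Return (acls, bindings).

    acls     : dict mapping ACL name/number -> list of ACE strings
    bindings : list of (interface, acl, direction) from ip access-group lines
    """
    acls = {}
    bindings = []
    context = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            context = None
            continue
        if not line.startswith(" "):
            # Top-level command: decide which block (if any) we are entering.
            m = re.match(r"^interface\s+(\S+)$", line)
            if m:
                context = ("interface", m.group(1))
                continue
            m = re.match(r"^ip access-list\s+(?:standard|extended)\s+(\S+)$", line)
            if m:
                acls.setdefault(m.group(1), [])  # named ACL exists even if empty
                context = ("acl", m.group(1))
                continue
            m = re.match(r"^access-list\s+(\d+)\s+(.*)$", line)
            if m:
                entries = acls.setdefault(m.group(1), [])  # numbered ACL
                if ACE_RE.match(m.group(2)):
                    entries.append(m.group(2))
                continue
            context = None
            continue
        body = line.strip()
        if context and context[0] == "interface":
            m = re.match(r"^ip access-group\s+(\S+)\s+(in|out)$", body)
            if m:
                bindings.append((context[1], m.group(1), m.group(2)))
        elif context and context[0] == "acl":
            if ACE_RE.match(body):
                acls[context[1]].append(body)
    return acls, bindings


def audit(config):
    """Classify every interface ACL binding as filtering or permitting everything."""
    acls, bindings = parse_config(config)
    findings = []
    for iface, acl, direction in bindings:
        if acl not in acls:
            status = "permits-all (ACL not defined)"
        elif not acls[acl]:
            status = "permits-all (ACL has no entries)"
        else:
            n = len(acls[acl])
            status = f"filters ({n} {'entry' if n == 1 else 'entries'}, implicit deny)"
        findings.append((iface, acl, direction, status))
    return findings


if __name__ == "__main__":
    for iface, acl, direction, status in audit(SAMPLE_CONFIG):
        print(f"{iface:20} {acl:12} {direction:3} {status}")
```

Run against `show running-config` output saved to a file, any `permits-all` line is an interface that is currently unfiltered; the safe maintenance order Sundar describes (remove the `ip access-group` binding first, edit the ACL, then rebind it) keeps the window where such a binding exists to zero.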