Best practice when deleting/replacing an access-control list

Answered Question
Sep 10th, 2009

Hi there, just wanted to confirm this:

If one needs to remove an ACL (because the sequence needs to be reorganized and some IP entries removed and others added), do you agree that the best practice would be to go to the respective interface where the ACL is applied and do 'no access-group ACL in|out' first? I mean, if I just delete the ACL, and in case my IP address is part of that applied ACL, one could get locked out, correct?


I have analyzed the respective ACL to see if my workstation IP is listed there, but I just want to confirm if my approach to stop the ACL from being applied first under the interface is a good idea.

Correct Answer by Richard Burts about 7 years 8 months ago

Marlon


Your idea of removing the ip access-group on the interface that assigns the access list will work - and is better than just deleting and re-building the access list. But if you are looking for ideas of Best Practices then I have a different suggestion for you:

- leave the existing access list (and access-group) in place.

- make a copy of the access list in a text file.

- in the text file change the number (or name) of the access list.

- in the text file reorganize the sequence of the access list.

- change the access-group on the interface to point to the new version of the access list.

- after you are confident that the new access list is working as expected then you can remove the old access list.


This approach has several advantages including:

- with your approach there is a period of time when the interface is unprotected. With my suggestion there is always an active access list protecting the interface.

- if there is some problem with the new access list my suggestion gives you an easy way to go back to the old/working version of the access list.


HTH


Rick
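As an added worked example (not code from the original thread or from Cisco), here is a script that carries Rick's procedure through on a constructed sample: it parses the old named extended ACL as printed by `show running-config`, builds the reorganized copy under a new name with fresh sequence numbers, checks with first-match semantics (and the implicit deny at the end) that the operator's own management host is still permitted before anything is applied, and then emits the `ip access-group` swap and the later cleanup. The ACL name MGMT-IN, the interface GigabitEthernet0/1 and the 10.1.1.x addresses are all assumptions made up for the example; the parser covers only the common `any | host A.B.C.D | A.B.C.D WILDCARD` syntax with an optional `eq PORT`.

```python
"""Lock-out-safe replacement of a Cisco IOS named extended ACL.

Added worked example, not code from the original thread or from Cisco. It
parses an ACL as printed by `show running-config`, lets you reorder, drop and
add entries, resequences the result under a new name, checks that the
management host is still permitted (first match wins, implicit deny at the
end) and emits the commands for the swap. All names and addresses are
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed sample: the list currently applied inbound on the interface.
OLD_ACL = """\
ip access-list extended MGMT-IN
 10 permit tcp host 10.1.1.5 any eq 22
 20 deny   ip 10.1.1.0 0.0.0.255 any
 30 permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str  # the entry as written, without its sequence number


def _address(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # IOS wildcard = inverted netmask
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_entry(line, default_seq=0):
    """Parse one ACE such as '10 permit tcp host 10.1.1.5 any eq 22'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    text = " ".join(tokens)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _address(tokens), _address(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
    return Entry(seq, action, proto, src, dst, dport, text)


def parse_acl(config):
    """Return (name, [Entry]) from an `ip access-list extended NAME` block."""
    lines = [l.strip() for l in config.strip().splitlines()]
    name = lines[0].split()[-1]
    return name, [parse_entry(l, 10 * (i + 1)) for i, l in enumerate(lines[1:])]


def lookup(entries, proto, src, dst, dport=None):
    """First-match evaluation: (action, seq); seq is None for the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto in ("ip", proto) and src in e.src and dst in e.dst and e.dport in (None, dport):
            return e.action, e.seq
    return "deny", None


def resequence(entries, start=10, step=10):
    """Renumber entries in the order given, leaving gaps for later single-line edits."""
    return [replace(e, seq=start + i * step) for i, e in enumerate(entries)]


def render(name, entries):
    return [f"ip access-list extended {name}"] + [f" {e.seq} {e.text}" for e in entries]


def cutover(iface, direction, old_name, new_name, new_entries, mgmt_host, device_ip, mgmt_port=22):
    """Commands for the swap; refuses if the new list would cut off the operator's own session."""
    action, seq = lookup(new_entries, "tcp", mgmt_host, device_ip, mgmt_port)
    if action != "permit":
        raise RuntimeError(f"{new_name} would block {mgmt_host} -> {device_ip}:{mgmt_port} at seq {seq}")
    apply_cmds = ["configure terminal", *render(new_name, new_entries),
                  f"interface {iface}", f" ip access-group {new_name} {direction}", "end"]
    cleanup_cmds = ["configure terminal", f"no ip access-list extended {old_name}", "end"]
    return apply_cmds, cleanup_cmds


def example_plan():
    """Reorganize OLD_ACL: add a second admin host, keep the subnet deny after the admin permits."""
    old_name, old = parse_acl(OLD_ACL)
    by_seq = {e.seq: e for e in old}
    new = resequence([by_seq[10], parse_entry("permit tcp host 10.1.1.6 any eq 22"), by_seq[20], by_seq[30]])
    return cutover("GigabitEthernet0/1", "in", old_name, old_name + "-V2", new, "10.1.1.5", "10.1.1.1")


if __name__ == "__main__":
    apply_cmds, cleanup_cmds = example_plan()
    print("\n".join(apply_cmds))
    print("! after verifying the new list behaves as expected:")
    print("\n".join(cleanup_cmds))
```

The old list and its `ip access-group` stay in place until the single `ip access-group MGMT-IN-V2 in` line repoints the interface, so the interface is never without a list and rolling back is one command (`ip access-group MGMT-IN in`). The `cutover` check is what answers the lock-out worry in the question: if the reorganized order puts the subnet deny ahead of the admin-host permit, it raises instead of producing commands. The rendered entries carry sequence numbers spaced by 10, which is what lets you later delete or insert a single line in ACL config mode rather than rebuilding the list.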

Jerry Ye Thu, 09/10/2009 - 08:30

Your approach is correct. Just deleting the ACL without removing it from the interface is a bad idea. Like you said, it can actually block traffic and even your telnet session.


HTH,

jerry


glen.grant Thu, 09/10/2009 - 11:11

If it's not a lot of entries you can just get into ACL config mode and remove and resequence them there. If it's a lot of entries then it's just easier to modify it in WordPad and reapply it.

Leo Laohoo Thu, 09/10/2009 - 15:11

If you are using an extended ACL, you can delete and/or add a sequence only.
