Hi there, just wanted to confirm this:
If one needs to remove an ACL (because the sequence needs to be reorganized and some IP entries removed and others added), do you agree that the best practice would be to go to the respective interface where the ACL is applied and do 'no access-group ACL in|out' first? I mean, if I just delete the ACL and my IP address happens to be part of that applied ACL, one could get locked out, correct?
I have analyzed the respective ACL to see if my workstation IP is listed there, but I just want to confirm if my approach to stop the ACL from being applied first under the interface is a good idea.
Your idea of removing the ip access-group on the interface that assigns the access list will work, and it is better than just deleting and re-building the access list. But if you are looking for ideas on best practices, then I have a different suggestion for you:
- leave the existing access list (and access-group) in place.
- make a copy of the access list in a text file.
- in the text file change the number (or name) of the access list.
- in the text file reorganize the sequence of the access list.
- change the access-group on the interface to point to the new version of the access list.
- after you are confident that the new access list is working as expected then you can remove the old access list.
This approach has several advantages including:
- with your approach there is a period of time when the interface is unprotected. With my suggestion there is always an active access list protecting the interface.
- if there is some problem with the new access list my suggestion gives you an easy way to go back to the old/working version of the access list.
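To make the suggested sequence concrete, here is an added illustration in Cisco IOS CLI (it is not from either post in this thread). The interface name, the ACL names MGMT-IN and MGMT-IN-v2, and the 192.0.2.x addresses are assumptions; substitute your own. The key point is that the interface never goes without an inbound ACL: applying a new ip access-group on an interface that already has one replaces the old reference in a single command.

```cisco
! Assumed starting state: MGMT-IN is applied inbound on Gi0/1 and stays untouched.
!
! Steps 2-4: the reorganized copy is entered under a NEW name, so the
! active list on the interface is not modified while this is typed in.
ip access-list extended MGMT-IN-v2
 10 permit tcp host 192.0.2.10 any eq 22
 20 permit tcp host 192.0.2.20 any eq 22
 30 deny ip any any log
!
! Step 5: point the interface at the new list. This single command replaces
! MGMT-IN with MGMT-IN-v2 inbound; there is no interval with no ACL applied.
interface GigabitEthernet0/1
 ip access-group MGMT-IN-v2 in
!
! Verify from exec mode that the new list is the one in effect and is
! matching traffic as expected (hit counters per entry).
show ip interface GigabitEthernet0/1 | include access list
show ip access-lists MGMT-IN-v2
!
! Rollback, if something is wrong: re-apply the old, still-present list.
! interface GigabitEthernet0/1
!  ip access-group MGMT-IN in
!
! Step 6: only after you are confident MGMT-IN-v2 is working, remove the old list.
no ip access-list extended MGMT-IN
```

Keep a management session open from a host that is permitted by both lists while doing the swap, so the verification commands above can be run before the old list is deleted.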