Best practice when deleting/replacing an access-control list

Answered Question
Sep 10th, 2009

Hi there, just wanted to confirm this:

If one needs to remove an ACL (because the sequence needs to be reorganized and some IP entries removed and others added), do you agree that the best practice would be to go to the respective interface where the ACL is applied and do 'no access-group ACL in|out' first? I mean, if I just delete the ACL and my IP address is part of that applied ACL, one could get locked out, correct?

I have analyzed the respective ACL to see if my workstation IP is listed there, but I just want to confirm if my approach to stop the ACL from being applied first under the interface is a good idea.

Correct Answer by Richard Burts, Thu, 09/10/2009 - 09:35

Marlon

Your idea of removing the ip access-group on the interface that assigns the access list will work - and is better than just deleting and re-building the access list. But if you are looking for ideas of Best Practices then I have a different suggestion for you:

- leave the existing access list (and access-group) in place.

- make a copy of the access list in a text file.

- in the text file change the number (or name) of the access list.

- in the text file reorganize the sequence of the access list.

- change the access-group on the interface to point to the new version of the access list.

- after you are confident that the new access list is working as expected then you can remove the old access list.

This approach has several advantages including:

- with your approach there is a period of time when the interface is unprotected. With my suggestion there is always an active access list protecting the interface.

- if there is some problem with the new access list my suggestion gives you an easy way to go back to the old/working version of the access list.

HTH

Rick
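As an added illustration of Rick's staged approach (this is not code from the thread; the ACL MGMT-IN, the interface GigabitEthernet0/1 and the management host 192.0.2.10 are constructed, and the lockout check looks at source addresses only), here is a small Python script that builds the renamed, resequenced copy, refuses to stage it if the new list would no longer permit the workstation you are configuring from, and emits the cutover commands with the removal of the old ACL kept as a separate later step:

```python
import ipaddress
import re

# Constructed sample ACL, assumed to be applied inbound on GigabitEthernet0/1 (not from the thread).
OLD_ACL = """ip access-list extended MGMT-IN
 10 permit tcp host 192.0.2.10 any eq 22
 20 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 30 deny ip any any log
"""
MGMT_HOST = "192.0.2.10"  # the workstation you are configuring from (constructed)

ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(.*)$")

def parse_acl(text):
    """Return (name, [ACE without sequence number, ...]) for an extended named ACL."""
    lines = text.strip().splitlines()
    m = re.match(r"ip access-list extended (\S+)", lines[0])
    if not m:
        raise ValueError("expected 'ip access-list extended <name>' on the first line")
    aces = [f"{a.group(1)} {a.group(2)}" for a in map(ACE_RE.match, lines[1:]) if a]
    return m.group(1), aces

def source_matches(ace, host):
    """True if the ACE's source field (any / host X / X WILDCARD) covers host."""
    t = ace.split()  # e.g. ['permit', 'tcp', 'host', '192.0.2.10', 'any', 'eq', '22']
    if t[2] == "any":
        return True
    if t[2] == "host":
        return t[3] == host
    h, net, wild = (int(ipaddress.IPv4Address(x)) for x in (host, t[2], t[3]))
    return ((h ^ net) & ~wild & 0xFFFFFFFF) == 0  # wildcard bits set to 1 are "don't care"

def first_match(aces, host):
    """Action of the first ACE whose source covers host; implicit deny otherwise."""
    for ace in aces:
        if source_matches(ace, host):
            return ace.split()[0]
    return "deny"

def stage_replacement(old_text, new_name, new_aces, interface, direction, mgmt_host):
    """Build the cutover config (new ACL + access-group swap) and the deferred cleanup."""
    old_name, _ = parse_acl(old_text)
    if first_match(new_aces, mgmt_host) != "permit":
        raise ValueError(f"new ACL {new_name} would not permit {mgmt_host}: refusing to stage")
    cutover = [f"ip access-list extended {new_name}"]
    cutover += [f" {10 * (i + 1)} {ace}" for i, ace in enumerate(new_aces)]  # resequenced by 10
    cutover += [f"interface {interface}", f" ip access-group {new_name} {direction}"]
    cleanup = [f"no ip access-list extended {old_name}"]  # only after the new ACL is proven
    return cutover, cleanup

if __name__ == "__main__":
    _, old_aces = parse_acl(OLD_ACL)
    # Reorganized version: drop the single-host SSH entry, allow SSH from the whole /24 instead.
    new_aces = ["permit tcp 192.0.2.0 0.0.0.255 any eq 22"] + old_aces[1:]
    cutover, cleanup = stage_replacement(OLD_ACL, "MGMT-IN-V2", new_aces, "GigabitEthernet0/1", "in", MGMT_HOST)
    print("\n".join(cutover + ["! verify with 'show ip access-lists', then later:"] + cleanup))
```

The interface is never without an access-group, and `cleanup` is what you paste only once the new list has been seen to behave.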

Jerry Ye Thu, 09/10/2009 - 08:30

Your approach is correct. Just deleting the ACL without removing it from the interface is a bad idea. Like you said, it can actually block traffic and even your telnet session.

HTH,

jerry

glen.grant Thu, 09/10/2009 - 11:11

If it's not a lot of entries, you can just get into ACL config mode and remove and resequence them there. If it's a lot of entries, then it's just easier to modify it in WordPad and reapply it.

Leo Laohoo Thu, 09/10/2009 - 15:11

If you are using an extended ACL, you can delete and/or add a sequence only.
