Best practice when deleting/replacing an access-control list

news2010a
Level 3

Hi there, just wanted to confirm this:

If one needs to remove an ACL (because the sequence needs to be reorganized and some IP entries removed and others added), do you agree that the best practice would be to go to the respective interface where the ACL is applied and do 'no access-group ACL in|out' first? I mean, if I just delete the ACL, and in case my IP address is part of that applied ACL, one could get locked out, correct?

I have analyzed the respective ACL to see if my workstation IP is listed there, but I just want to confirm if my approach to stop the ACL from being applied first under the interface is a good idea.

Accepted Solution

Marlon

Your idea of removing the ip access-group on the interface that assigns the access list will work - and is better than just deleting and re-building the access list. But if you are looking for ideas of Best Practices then I have a different suggestion for you:

- leave the existing access list (and access-group) in place.

- make a copy of the access list in a text file.

- in the text file change the number (or name) of the access list.

- in the text file reorganize the sequence of the access list.

- change the access-group on the interface to point to the new version of the access list.

- after you are confident that the new access list is working as expected then you can remove the old access list.

This approach has several advantages including:

- with your approach there is a period of time when the interface is unprotected. With my suggestion there is always an active access list protecting the interface.

- if there is some problem with the new access list my suggestion gives you an easy way to go back to the old/working version of the access list.

HTH

Rick
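The swap Rick describes, as an added Python helper that is not from this thread or from Cisco: it takes the ACL text you copied out of the running config, drops and inserts entries, resequences them under a new name, and emits the IOS commands for the swap, a rollback and the final cleanup. The ACL name, interface and addresses are constructed sample values.

```python
import re

# Constructed sample: the ACL now applied, copied from "show running-config".
OLD_ACL = """\
ip access-list extended EDGE-IN
 10 permit tcp host 192.0.2.10 any eq 22
 20 permit tcp 198.51.100.0 0.0.0.255 any eq 443
 30 deny   ip 203.0.113.0 0.0.0.255 any
 40 permit ip any any
"""

ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny|remark)\s+(.*\S)\s*$")

def parse_acl(text):
    """Return (name, [(seq, rule), ...]); padding is collapsed, lines without a seq are skipped."""
    lines = text.strip().splitlines()
    m = re.match(r"ip access-list extended (\S+)\s*$", lines[0])
    if not m:
        raise ValueError("expected 'ip access-list extended <name>' on the first line")
    entries = []
    for e in filter(None, map(ENTRY.match, lines[1:])):
        entries.append((int(e.group(1)), " ".join(f"{e.group(2)} {e.group(3)}".split())))
    return m.group(1), entries

def cutover_plan(old_text, new_name, interface, direction, drop=(), add=(), start=10, step=10):
    """Commands for the swap: 'apply' creates the renamed, resequenced ACL and
    re-points the interface (one ACL per direction, so it replaces the old one with
    no gap); 'rollback' re-points to the old ACL; 'cleanup' deletes it once verified.
    drop = old seq numbers to delete; add = (after_old_seq, rule) pairs, 0 = top."""
    old_name, entries = parse_acl(old_text)
    if new_name == old_name:
        raise ValueError("the new ACL needs a different name so both can coexist")
    missing = set(drop) - {seq for seq, _ in entries}
    if missing:  # a typo here would silently keep an entry you meant to remove
        raise KeyError(f"sequence numbers not in {old_name}: {sorted(missing)}")
    ordered = [(seq, rule) for seq, rule in entries if seq not in drop]
    for after, rule in reversed(add):  # reversed keeps 'add' order behind one anchor
        idx = 0 if after == 0 else 1 + [s for s, _ in ordered].index(after)
        ordered.insert(idx, (after, rule))
    seqs = range(start, start + step * len(ordered), step)
    apply = [f"ip access-list extended {new_name}"]
    apply += [f" {seq} {rule}" for seq, (_, rule) in zip(seqs, ordered)]
    apply += [" exit", f"interface {interface}", f" ip access-group {new_name} {direction}", " exit"]
    rollback = [f"interface {interface}", f" ip access-group {old_name} {direction}", " exit"]
    return {"apply": apply, "rollback": rollback, "cleanup": [f"no ip access-list extended {old_name}"]}

if __name__ == "__main__":  # print the apply stage for the constructed sample
    print("\n".join(cutover_plan(OLD_ACL, "EDGE-IN-v2", "GigabitEthernet0/1", "in", drop={30},
                                 add=[(10, "permit tcp host 192.0.2.11 any eq 22")])["apply"]))
```

Paste the 'apply' stage into config mode, check `show ip access-lists` and the interface counters, and only then run 'cleanup'; 'rollback' is the one-command way back if the new list misbehaves.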

5 Replies

Jerry Ye
Cisco Employee

Your approach is correct. Just deleting the ACL without removing it from the interface is a bad idea. Like you said, it can actually block traffic and even your telnet session.

HTH,

jerry

You guys are the best. Thanks!!!

glen.grant
VIP Alumni

If it's not a lot of entries you can just get into ACL config mode and remove and resequence them there. If it's a lot of entries then it's just easier to modify it in WordPad and reapply it.

Leo Laohoo
Hall of Fame

If you are using an extended ACL, you can delete and/or add a sequence only.
