
New Member

removed ip access-list & lost network connectivity

An access-list was removed to edit and replace. Once the access-list was removed, we lost network connectivity to the remote router. This list is an extensive one. But when we removed them on other remote routers, network connectivity remained. Can anyone tell me why? Is this typical of access-lists, and is it good practice to wait until after business hours?

7 REPLIES
Purple

Re: removed ip access-list & lost network connectivity

When configuring or re-configuring ACLs, it is a good idea to remove the 'ip access-group' statement from the interface first. When you remove all the actual 'access-list' statements for an ACL and the 'access-group' command remains, what happens is that the router will deny all packets through that ACL. That's why you should always remove the access-group first.

Hope that helps - pls rate the post if it does.

Paresh

Hall of Fame Super Silver

Re: removed ip access-list & lost network connectivity

Perhaps a refinement of this answer is in order. If you remove the access list and leave the access-group, the router will permit all traffic. The router treats a null access list as if there were a permit any. (It is very old versions of IOS that would still enforce the implicit deny any at the end of the list.) The danger is when you start to rebuild the access list. As soon as the access list has at least one statement it will have the deny any at the end.

The advice to remove the access-group, delete the access list, rebuild the access list, replace the access-group is good advice.

HTH

Rick

Purple

Re: removed ip access-list & lost network connectivity

Thanks for the clarification, Rick. My post did not come out the way I would have liked :-(

Paresh

Hall of Fame Super Silver

Re: removed ip access-list & lost network connectivity

No problem.

I am sure that we have all had experiences of looking at things we have written, or questions answered, and realized that what we wrote was not quite what we were thinking as we created it.

Your main point is well taken that it is good practice to remove the access-group before removing and changing the content of access lists.

Sometimes I take a slightly different approach: I will build a new version of the access list using a different number (if I am changing access list 101, I may create list 102) which is the modified version of the list. I then change the access-group to reference the new version of the list. This may have a couple of advantages including the fact that the interface is always protected by some access list. Also it makes backing out changes easier if we discover that there was some flaw in our list modification.

HTH

Rick

Purple

Re: removed ip access-list & lost network connectivity

Hey Rick,

Your second approach does seem like a good way of doing things. I might have to adopt it myself!

Cheers,

Paresh

Purple

Re: removed ip access-list & lost network connectivity

One way around this on any newer boxes running 12.X code is to always use "named" access lists. This allows you to add and remove things without stripping the ACL off to modify it. 12.2T and above allows you to add and delete statements and insert them anywhere you want in the list without removing it.
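The three procedures discussed in this thread (remove the access-group first, build a replacement list and swap the access-group to it, or edit a named list in place by sequence number), written out as an added IOS example that is not from any poster here; the interface name, the management host 192.0.2.10 and the list contents are constructed.

```cisco
! Added example, not from the thread. Assumed lab values (constructed):
! GigabitEthernet0/0 carries access-list 101 inbound, and the admin
! manages the router over SSH from host 192.0.2.10.

! --- The sequence that locks you out (group still applied) ---
no access-list 101
! Empty list is treated as permit any: the router is still reachable.
access-list 101 permit tcp any any eq 80
! One entry plus the implicit deny: SSH from 192.0.2.10 is dropped
! until a matching permit is entered.

! --- Approach 1 (Paresh): detach, rebuild, reattach ---
interface GigabitEthernet0/0
 no ip access-group 101 in
exit
no access-list 101
access-list 101 permit tcp host 192.0.2.10 any eq 22
access-list 101 permit tcp any any eq 443
access-list 101 deny ip any any log
interface GigabitEthernet0/0
 ip access-group 101 in
exit
! Caveat: the interface is unfiltered between the two access-group lines.

! --- Approach 2 (Rick): build the replacement as 102, then swap ---
access-list 102 permit tcp host 192.0.2.10 any eq 22
access-list 102 permit tcp any any eq 443
access-list 102 deny ip any any log
interface GigabitEthernet0/0
 ip access-group 102 in
exit
! Never unfiltered; to back out, point the group at 101 again.
no access-list 101

! --- Approach 3 (named ACL, 12.2T and later): edit in place ---
ip access-list extended WAN-IN
 10 permit tcp host 192.0.2.10 any eq 22
 20 permit tcp any any eq 443
 30 deny ip any any log
 15 permit tcp host 192.0.2.10 any eq 443
 no 20
exit
interface GigabitEthernet0/0
 ip access-group WAN-IN in
exit
end
! Verify before closing the management session
show ip access-lists
show ip interface GigabitEthernet0/0 | include access list
```

In approaches 1 and 2 the management permit is entered before anything else so a typo later in the list cannot drop the SSH session that is typing it.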

New Member

Re: removed ip access-list & lost network connectivity

If you make an update file on your tftp server, then load this file from the command line with the copy tftp running-config command to your router, this problem is avoided.

Just make sure you don't make any typos locking out your own management session.

If you want to be really, really sure, first remove the access-list from the interfaces it's applied on, like stated earlier.

Make it like this:

no access-list xxx
!
access-list xxxx
