Cisco Support Community
New Member

Best Practice - Removing Old Access-Control Lists from Bug Mitigations

I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.

access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any

I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".

Clearly they've just been propagated when the router and IOS get upgraded.

My question is should we remove all the old workarounds, and how often do people audit their configs?

Anything after 12.3 is not vulnerable, so they could safely be removed, but then it doesn't really hurt to leave them since we aren't expecting any of those protocols to be coming from the internet. There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.

Obviously there will be a small amount of additional processing overhead on the ACL too.

All comments are welcome.

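A small audit check for the situation described in the question, added here as an example and not code from the original post: it scans an IOS configuration for the old "deny 53/55/77/pim any any" workaround entries and classifies them against the config's version line. The sample config, the 12.3 threshold (taken from the poster's own statement, not looked up in the advisory) and all function names are assumptions.

```python
import re

# Constructed IOS running-config excerpt, modelled on the entries quoted in the post.
SAMPLE_CONFIG = """\
version 12.4
!
access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any
access-list 100 permit tcp any host 192.0.2.10 eq 443
access-list 100 deny   ip any any log
!
"""

# Protocol keywords the quoted workaround blocks; "pim" is the IOS keyword for IP protocol 103.
WORKAROUND_PROTOCOLS = {"53", "55", "77", "103", "pim"}

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
VERSION_RE = re.compile(r"^version\s+(\d+)\.(\d+)")


def ios_version(config_text):
    """Return (major, minor) from the 'version' line, or None if the config has none."""
    for line in config_text.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def find_workaround_entries(config_text):
    """Return (line_no, acl, proto) for every 'deny <workaround-proto> any any' entry."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = ACL_RE.match(line.strip())
        if not m or m.group(2) != "deny":
            continue
        acl, proto, rest = m.group(1), m.group(3).lower(), m.group(4).split()
        if proto in WORKAROUND_PROTOCOLS and rest[:2] == ["any", "any"]:
            hits.append((line_no, acl, proto))
    return hits


def audit(config_text, fixed_after=(12, 3)):
    """Mark entries 'removable' on images after 12.3 (assumed threshold from the post),
    'still-needed' on older images, or 'unknown-version' if no version line is present."""
    ver = ios_version(config_text)
    status = ("unknown-version" if ver is None
              else "removable" if ver > fixed_after else "still-needed")
    return status, find_workaround_entries(config_text)
```

Run the check over each device's saved config at every audit cycle; an entry marked "still-needed" on one box is the case the poster worries about, where the workaround was copied to an older IOS.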
Cisco Employee

Re: Best Practice - Removing Old Access-Control Lists from Bug Mitigations

I would not worry about processing. As long as you have an ACL applied, 2-3 lines more do not practically cause any extra overhead.

You can keep the deny lines there and they will not hurt.

As for how often people audit configs it depends on the policies. I have seen 6 months as the most common time frame.

I hope it helps.
