Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Removing an ACL before removing it from the Interface

I always understood that you never leave an interface exposed. If you want to modify an ACL on an interface you create a new one and then apply it to the interface before deleting the old ACL. This also protects you from disabling the interface in case you deleted the ACL and essentially left an explicit deny deny behind.

Is this correct? I ask this because I'm taking a Master’s Degree class in Network Security. In my class, they remove the ACL from the configuration and then move to the interface and remove it from that configuration. It would seem to me that if I was connecting to the site through that interface and removed the ACL then I would lock myself out immediately. I believe I knew this to be true but cannot reproduce the effect.

Does anyone know where I can find a document that proves or disproves my opinion? It may be that the modern day IOS now is smart enough to know not to leave an explicit deny deny once the ACL is removed. I even tried taking an interface and applying an ACL (that doesn't exist) and seeing if it created an invisible effect of the explicit deny deny but could not reproduce it. I asked the professor but he simply responded "hundreds of students completed the lab without issue" which didn't address my concern. Our lab is based on a console connection and we don’t always have out-of-band management of the devices we reach remotely. It may be something I will find later today under a best practice guide.

Any pointers would be great.

  • Physical Security
2 REPLIES
Cisco Employee

Removing an ACL before removing it from the Interface

Hi Alex,

I'm not sure this is the correct forum for the question you've asked.

Perhaps the Other Security Subjects forum would get you the information you need.

This forum talks about IP Cameras, Physical Access Control, and the IP Interoperability and Collaboration System.

New Member

Re: Removing an ACL before removing it from the Interface

Alex,

It depends on the device and interface security level. Are you talking about ASA?

Sent from Cisco Technical Support iPad App

905
Views
0
Helpful
2
Replies