Removing an ACL before removing it from the Interface
I always understood that you never leave an interface exposed. If you want to modify an ACL on an interface, you create a new one and then apply it to the interface before deleting the old ACL. This also protects you from disabling the interface in case you deleted the ACL and essentially left an explicit deny behind.
Is this correct? I ask this because I'm taking a Master's degree class in Network Security. In my class, they remove the ACL from the configuration and then move to the interface and remove it from that configuration. It would seem to me that if I was connecting to the site through that interface and removed the ACL, then I would lock myself out immediately. I believe I knew this to be true but cannot reproduce the effect.
Does anyone know where I can find a document that proves or disproves my opinion? It may be that modern-day IOS is now smart enough to know not to leave an explicit deny once the ACL is removed. I even tried taking an interface and applying an ACL (that doesn't exist) to see if it created an invisible effect of the explicit deny, but could not reproduce it. I asked the professor, but he simply responded "hundreds of students completed the lab without issue," which didn't address my concern. Our lab is based on a console connection, and we don't always have out-of-band management of the devices we reach remotely. It may be something I will find later today under a best practice guide.
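An added illustration (editor's example, not part of the original post) of the ordering described above, in generic IOS syntax. The ACL names, the interface, and the 192.0.2.x host addresses are placeholders, not taken from the poster's lab.

```text
! Starting point: the old ACL is applied inbound on the management interface
ip access-list extended MGMT-OLD
 permit tcp host 192.0.2.10 any eq 22
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group MGMT-OLD in

! Safe order, step 1: build the replacement list first, while MGMT-OLD still filters
ip access-list extended MGMT-NEW
 permit tcp host 192.0.2.10 any eq 22
 permit tcp host 192.0.2.11 any eq 22
 deny ip any any log

! Step 2: swap it in. Only one ACL is allowed per direction per interface,
! so this single command replaces MGMT-OLD with MGMT-NEW; there is no
! moment where the interface has no list applied.
interface GigabitEthernet0/0
 ip access-group MGMT-NEW in

! Step 3 (exec mode): verify before touching the old list
show ip interface GigabitEthernet0/0 | include access list
show access-lists MGMT-NEW

! Step 4: only now remove the old list from the configuration
no ip access-list extended MGMT-OLD

! Alternative when only a line needs to change: named ACLs accept sequence
! numbers, so an entry can be inserted in place without deleting the list
ip access-list extended MGMT-OLD
 15 permit tcp host 192.0.2.11 any eq 22
```

The order the poster describes from the lab is the reverse of steps 2 to 4: the list is deleted with `no ip access-list ...` (or `no access-list <number>` for a numbered list) while `ip access-group` still references it, and only afterwards is the `ip access-group` line removed. On IOS, an `ip access-group` that points at a list with no entries, including one that has just been deleted, does not filter traffic (everything passes), which is consistent with the behaviour the poster could not reproduce; the risk in that order is exposure, not lockout. Check the device's own documentation for the platform in use, since firewall platforms handle a missing or empty list differently.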