Firewall Wizards mailing list archives

RE: Cisco acls


From: "Matthew.Harvey () usdoj gov" <Matthew.Harvey () usdoj gov>
Date: Wed, 02 Mar 2005 13:00:24 -0500 (EST)

Cisco's recommendation when updating ACLs is to un-apply the ACL from any interfaces to which it is applied, perform any 
editing or updates, and then re-apply the ACL. So if you follow their recommendation, you are unprotected in the 
intervening time (A minute or so, maybe? Depends on how complex the ACL is and how many interfaces use it.)

If you leave the ACL on while editing, all changes made to it take effect immediately, like most things in IOS. The 
main hazard there is that your last line is probably "permit any" (unless you're essentially using your router as a 
firewall), and from the time you start creating your ACL to the time you add that last line you are blocking nearly 
everything.

A good solution is to create a NEW ACL with your new rules, and then apply that to the relevant interfaces. This makes 
for a nearly instantaneous transition.


-----Original Message-----
From: "Eric Appelboom" <eric () mweb com>
To: <firewall-wizards () honor icsalabs com>
Subject: [fw-wiz] Cisco acls

Hi,

I would appreciate some comments with regard to the extensive use of
Cisco router ACLs to protect numerous networks.

My concern is that when someone amends an access-list, one generally
enters "no access-list 177" and then pastes in the new access list. Does
this mean that for a period of time there is no protection on the
network that the ACL applies to?

Best Regards
Eric
MWEB: S.A.'s trusted Internet Service Provider. Just Like that.
To join, click here or call 08600 32000.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
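The two update sequences discussed in this thread side by side, as an added IOS configuration example (not taken from either poster). The ACL names, interface and 192.0.2.x addresses are constructed for illustration.

```cisco
! --- Risky sequence (the one the question describes) ---
! The interface still carries "ip access-group 177 in" while the list
! is rebuilt. On IOS an access-group that points at a list with no
! entries filters nothing, so from "no access-list 177" until the last
! line is pasted the interface is wide open; if instead the first entry
! is added while the list stays applied, the implicit deny at the end
! drops nearly everything until the trailing "permit ip any any" lands.
no access-list 177
access-list 177 permit tcp any host 192.0.2.10 eq 80
access-list 177 permit tcp any host 192.0.2.10 eq 443
access-list 177 permit ip any any
!
! --- Swap sequence (the approach recommended in the reply) ---
! Build the replacement under a new name while EDGE-IN-v1 stays applied
! and keeps filtering. Nothing references EDGE-IN-v2 yet, so partial
! state here has no effect on traffic.
ip access-list extended EDGE-IN-v2
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit udp any eq 53 any
 deny   ip any any log
!
! Re-pointing the interface is one command; only one inbound ACL can be
! bound per interface, so this atomically replaces EDGE-IN-v1 with v2.
interface GigabitEthernet0/0
 ip access-group EDGE-IN-v2 in
!
! Verify hit counters before cleaning up, then remove the old list.
do show ip access-lists EDGE-IN-v2
no ip access-list extended EDGE-IN-v1
```

Keeping the superseded list for a short while also gives a one-command rollback (`ip access-group EDGE-IN-v1 in`) if the new rules turn out to be wrong.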

