Firewall Wizards mailing list archives
RE: Cisco acls
From: "Matthew.Harvey () usdoj gov" <Matthew.Harvey () usdoj gov>
Date: Wed, 02 Mar 2005 13:00:24 -0500 (EST)
Cisco's recommendation when updating ACLs is to un-apply the ACL to any interfaces to which it is applied, perform any editing or updates, and then re-apply the ACL. So if you follow their recommendation, you are un-protected in the intervening time (a minute or so, maybe? Depends on how complex the ACL is and how many interfaces use it.)

If you leave the ACL on while editing, all changes made to it take effect immediately, like most things in IOS. The main hazard there is that your last line is probably "permit any" (unless you're essentially using your router as a firewall), and from the time you start creating your ACL to the time you add that last line you are blocking nearly everything.

A good solution is to create a NEW ACL with your new rules, and then apply that to the relevant interfaces. This makes for a nearly instantaneous transition.

-----Original Message-----
From: "Eric Appelboom" <eric () mweb com>
To: <firewall-wizards () honor icsalabs com>
Subject: [fw-wiz] Cisco acls

Hi,

I would appreciate some comments with regard to the extensive use of Cisco router ACLs to protect numerous networks. My concern is that when someone amends an access-list one generally enters "no access-list 177" and then pastes in the new access list. Does this mean that for a period of time there is no protection on the network that the ACL applies to?

Best Regards
Eric

MWEB: S.A.'s trusted Internet Service Provider. Just Like that.
To join, click here or call 08600 32000.
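The swap described in the reply above, written out as an IOS configuration session. This is an added example, not configuration posted by either author; the interface name, addresses and rule contents are assumptions for illustration, and ACL 177 is taken from the original question.

```text
! Added example (not from the original posts): replace ACL 177 on an
! interface without a protection gap. Interface, addresses and rule
! content are assumptions for illustration.
!
! 1. Build the replacement under a NEW name while ACL 177 stays bound.
!    Nothing here affects traffic yet, because no interface references it.
ip access-list extended EDGE-IN-v2
 remark --- candidate replacement for ACL 177 (constructed example) ---
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.25 eq 25
 deny   ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
!
! 2. Review the candidate before it goes live: confirm the final line is
!    the intended catch-all, otherwise the implicit deny black-holes the link.
do show ip access-lists EDGE-IN-v2
!
! 3. Swap: binding the new list replaces 177 on that interface in one
!    command. Only one ACL can be bound per direction, so there is no
!    moment with no list and no moment with a half-built list.
interface GigabitEthernet0/0
 ip access-group EDGE-IN-v2 in
!
! 4. Verify the binding, then retire the old list once nothing uses it.
do show ip interface GigabitEthernet0/0 | include access list
no access-list 177
```

Because the interface only ever points at a complete list, the "blocking nearly everything" window from building a list in place, and the "no protection" window from Cisco's un-apply/re-apply advice, both disappear; the old list is deleted only after the verification in step 4 shows it is no longer referenced.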