[fw-wiz] RE: Cisco acls
To: "'email@example.com'" <firstname.lastname@example.org>
Date: Wed, 02 Mar 2005 13:00:24 -0500 (EST)
Cisco's recommendation when updating ACLs is to un-apply the ACL from any interfaces to which it is applied, perform any editing or updates, and then re-apply the ACL. So if you follow their recommendation, you are unprotected in the intervening time (a minute or so, maybe? Depends on how complex the ACL is and how many interfaces use it).
If you leave the ACL on while editing, all changes made to it take effect immediately, like most things in IOS. The main hazard there is that your last line is probably "permit any" (unless you're essentially using your router as a firewall), and from the time you start creating your ACL to the time you add that last line you are blocking nearly everything.
A good solution is to create a NEW ACL with your new rules, and then apply that to the relevant interfaces. This makes for a nearly instantaneous transition.
From: "Eric Appelboom" <email@example.com>
Subject: [fw-wiz] Cisco acls
I would appreciate some comments with regard to the extensive use of Cisco router ACLs to protect numerous networks.
My concern is that when someone amends an access-list, one generally enters "no access-list 177" and then pastes in the new access list. Does this mean that for a period of time there is no protection on the network that the ACL applies to?
firewall-wizards mailing list
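
The new-ACL swap suggested in the reply, written out as an IOS configuration sketch. This is an added example, not part of the original messages: only ACL 177 comes from the thread, while the new ACL number 178, the interface FastEthernet0/0, the inbound direction and the 192.0.2.10 rules are assumptions.

```cisco
! Constructed example. ACL 177 is the list currently applied (from the thread);
! 178, FastEthernet0/0, "in" and the rules themselves are placeholders.
!
! In-place edit discussed in the thread, shown for contrast only: the interface
! keeps referencing 177 while it is deleted and rebuilt line by line.
!   no access-list 177
!   access-list 177 deny   tcp any host 192.0.2.10 eq telnet
!   (remaining lines pasted one at a time)
!   access-list 177 permit ip any any
!
! Swap instead.
! Step 1: build the complete replacement under an unused number.
! Nothing references 178 yet, so traffic is still filtered by 177.
configure terminal
 access-list 178 remark replacement for 177
 access-list 178 deny   tcp any host 192.0.2.10 eq telnet
 access-list 178 permit tcp any host 192.0.2.10 eq www
 access-list 178 permit ip any any
!
! Step 2: rebind the interface. An interface holds one IP ACL per direction,
! so this single command replaces 177 with the finished 178.
 interface FastEthernet0/0
  ip access-group 178 in
 exit
!
! Step 3: remove the old list only after no interface references it.
 no access-list 177
end
!
! Verify which list the interface now uses and that 178 holds every line.
show ip interface FastEthernet0/0 | include access list
show access-lists 178
```

If several interfaces use the list, repeat step 2 on each of them before running step 3.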