[fw-wiz] RE: Cisco acls

Date: 03/02/05

To: "'firewall-wizards@honor.icsalabs.com'" <firewall-wizards@honor.icsalabs.com>
Date: Wed, 02 Mar 2005 13:00:24 -0500 (EST)

    Cisco's recommendation when updating ACLs is to un-apply the ACL from any interfaces to which it is applied, perform any editing or updates, and then re-apply the ACL. So if you follow their recommendation, you are unprotected in the intervening time (a minute or so, maybe? Depends on how complex the ACL is and how many interfaces use it.)

    If you leave the ACL on while editing, all changes made to it take effect immediately, like most things in IOS. The main hazard there is that your last line is probably "permit any" (unless you're essentially using your router as a firewall), and from the time you start creating your ACL to the time you add that last line you are blocking nearly everything.

    A good solution is to create a NEW ACL with your new rules, and then apply that to the relevant interfaces. This makes for a nearly instantaneous transition.

    -----Original Message-----
    From: "Eric Appelboom" <eric@mweb.com>
    To: <firewall-wizards@honor.icsalabs.com>
    Subject: [fw-wiz] Cisco acls


    I would appreciate some comments with regard to the extensive use of Cisco router ACLs to protect numerous networks.

    My concern is that when someone amends an access-list one generally enters "no access-list 177" and then pastes in the new access list. Does this mean that for a period of time there is no protection on the network that the ACL applies to?

    Best Regards


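The "build a NEW ACL, then swap it in" approach from the reply above, written out as an IOS configuration sequence. This is an added example, not part of the original thread; the interface name, ACL names and numbers, and addresses are made up.

```cisco
! Added example (not from the original thread): replacing an ACL that is
! already applied to an interface without opening an unprotected window.
! Interface, ACL identifiers and addresses are constructed for illustration.
!
! Starting point: numbered ACL 177 is bound inbound on GigabitEthernet0/0.
! Running "no access-list 177" while it is still bound would leave the
! interface referencing a non-existent list, which IOS treats as permit-all.
!
! Step 1: build the replacement under a different name. Because it is not
! yet applied, nothing is enforced while it is being typed or pasted in,
! so the "everything blocked until the final permit line" problem from the
! reply cannot occur.
ip access-list extended EDGE-IN-v2
 remark v2 ingress filter (constructed example)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   tcp any host 203.0.113.10 eq 23
 permit ip any any
!
! Step 2: read the new list back before it touches any traffic.
do show ip access-lists EDGE-IN-v2
!
! Step 3: swap in one command. "ip access-group" replaces the existing
! binding in place, so ACL 177 is enforced right up to the moment
! EDGE-IN-v2 takes over.
interface GigabitEthernet0/0
 ip access-group EDGE-IN-v2 in
!
! Step 4: confirm which list the interface now enforces, then retire the
! old one only after it is no longer bound anywhere.
do show ip interface GigabitEthernet0/0 | include access list
no access-list 177
```

If ACL 177 is bound on several interfaces, repeat step 3 for each one and check with `show ip interface` that none still references it before removing it.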