I am a newbie in security, and one of my friends asked me what happens if we apply the ip access-group command to an interface without configuring an access-list for it.
I know that if we don't allow anything there is an implicit deny at the bottom; however, we didn't even configure an access-list in this instance.
Can somebody please shed some light on it?
When I first learned about ACLs back in early 2001, I was told not to apply an ACL to an interface before you have defined the ACL, as the "implicit" deny at the end would block all traffic.
However, recently while watching a Jeremy Cioara video, I came to know that if you apply an ACL to an interface before you have defined that ACL it will do nothing, meaning all traffic is still allowed. However, if you define an ACL and apply it to an interface and then later delete the ACL without first removing it from the interface, it will now "block" all traffic.
Hope this helps.
Here is what the current CCNA ICND2 book says.
"Finally, Cisco recommends that you disable the ACLs on the interfaces before you change the statements in the list. Thankfully, if you have an IP ACL enabled on an interface with the ip access-group command, and you delete the entire ACL, IOS does not filter any packets. (That was not always the case in earlier IOS versions!) Even so, as soon as you add a command to the ACL, the IOS starts filtering packets."
I hope this helps.
Thanks for your post, Brian.
So what I understand here is that according to the earlier IOS versions it would block.
And as per your above note from the ICND2 book, if we do not configure or if we delete the configured ACL, it won't do anything/filtering.
Any idea about the IOS version when this change occurred?
My experience has been fairly consistent regardless of IOS version. What I have seen is that any time an access-group identifies a non-existent access-list, all traffic is permitted. As soon as the first entry is added, then you have only that entry plus the implicit deny. So even when copying and pasting a rule, you need to make sure the first ACL entry permits your telnet or SSH traffic if you are going through that interface.
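The two pitfalls described in this thread (an ip access-group that names an ACL which does not exist, and an applied ACL whose first entry does not permit the SSH/Telnet session you are managing the box through) are easy to check for in a running-config before it is pasted. The script below is an added example written for this thread, not Cisco code and not something any poster provided. It parses a constructed running-config snippet (interface names, addresses and ACL numbers are made up) and reports both conditions. The management-traffic check is a deliberately simple heuristic: an entry counts as permitting management traffic if it is a permit for "ip" or mentions port 22/23 (or ssh/telnet) with eq; an empty named ACL is reported the same way as an undefined one.

```python
"""Audit a Cisco IOS running-config for the two ACL pitfalls discussed in
this thread: an ip access-group that points at an ACL which does not exist,
and an applied ACL whose first entry does not permit management traffic.

Added example for this thread, not Cisco code. The config below is
constructed: interface names, addresses and ACL numbers are made up.
"""
import re

SAMPLE_CONFIG = """\
!
ip access-list extended MGMT-IN
 permit tcp host 10.0.0.5 any eq 22
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 120 permit udp any any eq 53
access-list 120 permit tcp host 10.0.0.5 any eq 22
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip access-group MGMT-IN in
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 120 in
!
interface GigabitEthernet0/2
 ip address 172.16.0.1 255.255.255.0
 ip access-group 150 in
!
"""

NUMBERED_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+)$")
NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
ENTRY_RE = re.compile(r"^ (?:\d+ )?(permit|deny) (.+)$")
IFACE_RE = re.compile(r"^interface (\S+)$")
GROUP_RE = re.compile(r"^ ip access-group (\S+) (in|out)$")

# Substrings that mean an entry matches SSH or Telnet (heuristic, assumption).
MGMT_MARKERS = ("eq 22", "eq ssh", "eq 23", "eq telnet")


def parse_config(text):
    """Return (acls, bindings).

    acls: {name: [(action, match), ...]} in the order the entries appear.
    bindings: [(interface, acl_name, direction), ...].
    """
    acls, bindings = {}, []
    current_acl = current_iface = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Any top-level command closes an open interface or named-ACL block.
            current_acl = current_iface = None
            if m := NUMBERED_RE.match(line):
                acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif m := NAMED_RE.match(line):
                current_acl = m.group(1)
                acls.setdefault(current_acl, [])
            elif m := IFACE_RE.match(line):
                current_iface = m.group(1)
            continue
        # Indented line: belongs to the block that is currently open.
        if current_acl is not None and (m := ENTRY_RE.match(line)):
            acls[current_acl].append((m.group(1), m.group(2)))
        elif current_iface is not None and (m := GROUP_RE.match(line)):
            bindings.append((current_iface, m.group(1), m.group(2)))
    return acls, bindings


def permits_management(entry):
    """True if an (action, match) entry would let SSH/Telnet through."""
    action, match = entry
    if action != "permit":
        return False
    return match.startswith("ip ") or any(marker in match for marker in MGMT_MARKERS)


def audit(acls, bindings):
    """Return findings as (interface, acl, kind) tuples."""
    findings = []
    for iface, acl, direction in bindings:
        entries = acls.get(acl)
        if not entries:
            # Undefined (treated the same as still empty) ACL: nothing is
            # filtered on this interface yet, but once the first entry is
            # added only that entry plus the implicit deny remain.
            findings.append((iface, acl, "undefined-acl"))
        elif direction == "in" and not permits_management(entries[0]):
            # Pasting this ACL while managing the box through this interface
            # cuts the session as soon as the first line is entered.
            findings.append((iface, acl, "first-entry-blocks-mgmt"))
    return findings


if __name__ == "__main__":
    parsed_acls, parsed_bindings = parse_config(SAMPLE_CONFIG)
    for iface, acl, kind in audit(parsed_acls, parsed_bindings):
        print(f"{iface}: ip access-group {acl}: {kind}")
```

On the constructed config, GigabitEthernet0/0 is clean (the first entry of MGMT-IN permits SSH from the management host), GigabitEthernet0/1 is flagged because the first line of access-list 120 only permits DNS, and GigabitEthernet0/2 is flagged because access-list 150 is never defined.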
I appreciate your thoughts on this, and will note the point you made about allowing remote access if we are talking about the same interface.
Is there any reference I can follow to confirm that all traffic would be permitted?
It is documented. You have to search for "Cisco undefined access-list". For example, the following has a description of the behavior.
When you apply an access list that has not yet been defined to an interface, the software will act as if the access list has not been applied to the interface and will accept all packets. Remember this behavior if you use undefined access lists as a means of security in your network.
That's great!!!
Many thanks Paul. Cheers