
ACL question

Status
Not open for further replies.

AyrishGrl

Technical User
Joined
Feb 14, 2005
Messages
129
Location
US
I recently took over a network admin position about two months ago. We have a 7204 as our border router and the main ACL on it is over 1000 lines long. I cleared the counters on it the first week I was here to see exactly what was being hit and what wasn't. I now have a sizable portion of the ACL that I know hasn't taken any hits in quite some time. I was thinking about going ahead and removing the lines that don't appear to be doing anything. This would also hopefully condense the ACL into something more manageable. Would anyone recommend leaving these unused entries? And if so why? Thanks.
 
Hi,

I've been in a similar position a time or two...

Do you change something that works, without knowing why it was placed there originally...?

Well, after checking for a while that it's not being used I'd probably rip it out, but I'd make sure that I had several config copies before I did so.

Sometimes the only way to find out whether something is needed or not is to disconnect it for a while and see who screams!

You can always blame atmospherics...

Regards
Peter
 
Cisco ACLs work from the top down; the first match wins, whether it is a deny or a permit.

Might be worth snapping the ACL out and rearranging it so the common ones are near the top.

I would not take out any, though; some may be protecting you from known attacks and vulnerabilities, and some make you a good neighbour and will prevent some known viruses etc. getting out.
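The two points raised in this thread, finding entries that have taken no hits since the counters were cleared, and knowing where the heavily hit entries sit in a first-match list, can both be worked from the text of `show access-lists`. The following is an added example, not code from the thread or from Cisco: it parses a constructed sample modelled on IOS output (the access-list name `BORDER-IN`, the addresses and the match counts are all made up), lists the zero-hit entries, and classifies each by what removing it would do to the policy. Removing an unused `permit` can only tighten the policy; removing an unused `deny` can loosen it if a later `permit` would then match that traffic, which is the risk the last reply is pointing at.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample modelled on Cisco IOS "show access-lists" output.
# Entries with no "(N matches)" suffix have taken no hits since the
# counters were last cleared. None of these values come from the thread.
SAMPLE_OUTPUT = """\
Extended IP access list BORDER-IN
    10 deny ip 10.0.0.0 0.255.255.255 any (412 matches)
    20 permit tcp any host 192.0.2.10 eq www (1523 matches)
    30 permit tcp any host 192.0.2.10 eq 443 (87213 matches)
    40 permit udp any host 192.0.2.53 eq domain
    50 deny tcp any any eq 135
    60 deny ip any any (9 matches)
"""

# sequence number, action, rule body, optional "(N matches)" / "(1 match)"
ENTRY_RE = re.compile(
    r"^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches?\))?\s*$"
)


@dataclass
class AclEntry:
    seq: int
    action: str
    rule: str
    matches: int


def parse_access_list(text: str) -> List[AclEntry]:
    """Return the entries of one access list in their evaluation order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line ("Extended IP access list ...") or noise
        seq, action, rule, count = m.groups()
        entries.append(AclEntry(int(seq), action, rule, int(count) if count else 0))
    return entries


def zero_hit_entries(entries: List[AclEntry]) -> List[AclEntry]:
    """Entries that have matched nothing since the counters were cleared."""
    return [e for e in entries if e.matches == 0]


def pruning_report(entries: List[AclEntry]) -> List[Tuple[int, str, str]]:
    """Classify each zero-hit entry by the effect of removing it.

    'low'    : an unused permit; dropping it can only tighten the policy.
    'review' : an unused deny; dropping it may expose that traffic to a
               later permit, so check what sits below it before removing.
    """
    report = []
    for e in zero_hit_entries(entries):
        risk = "low" if e.action == "permit" else "review"
        report.append((e.seq, e.action, risk))
    return report


def rank_by_matches(entries: List[AclEntry]) -> List[AclEntry]:
    """Entries sorted busiest first, to see how far down the list the
    common traffic is being matched. Because evaluation is first-match,
    an entry may only be moved above another one whose traffic it does
    not overlap; otherwise the policy changes."""
    return sorted(entries, key=lambda e: e.matches, reverse=True)


if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_OUTPUT)
    for seq, action, risk in pruning_report(acl):
        print(f"seq {seq} {action}: no hits, removal risk {risk}")
    print("busiest:", [(e.seq, e.matches) for e in rank_by_matches(acl)[:3]])
```

A zero count only says the entry has not matched since the counters were cleared; entries that block a specific attack or a seasonal flow may legitimately sit at zero for months, so the report is a list of candidates to investigate, not a list to delete. Saving a copy of the running configuration before any change, as the first reply suggests, applies to reordering as much as to removal.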
 