Query regarding empty access -list

hi all

i am   confused about empty access -list

i have following doubts
i have read that access-list have implicit deny all statment as the last test

Then how does any empty access-list applied to an interface makes that interface permit all traffic.

Please also clarify why i have to create an access-list first and then apply it to an interface.
Waiting for a prompt reply

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Les MooreSr. Systems EngineerCommented:
Why does a null access-list permit all?
Because in order to have the implicit deny any, it must first exist. If it does not exist, then it can't do anything.

In order to change an access-list, you must basically re-create it in its entirety because it is processed sequentially until a match is found. You can't just add a new line to the bottom. If you change it while it is already applied to an interface, you could disrupt the traffic on that interface and depending on how you are connected lose your own connection. Besides that, consider if you keep the acl applied (you're on the console port so it can't affect your connection), then delete the acl so that you can re-create a new one, while you are in the process of creating the new one, the processing of a null acl can sometimes cause huge spike in CPU/memory use and potentially freeze the router.

Sequence to change an acl:
1. un-apply the acl from an interface
2. delete the acl
3. re-create the acl with changes in the appropriate order
4. re-apply the acl to the interface
That's the rules of the game. Learn them, live them, play by the rules and you'll have a much happier Cisco experience.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
How can an access list be empty? do you mean you're referencing an access list that doesn't exist? that should answer your question really if that's the case.

It's just the way Cisco intended it. That's a bit like asking why the sky's blue.
sagar24Author Commented:
hi all
Regarding your comments i have come  to an concluson that
there is no term called empty access lists.

if i am trying to apply an access -list before creating it.
It means that i am trying to apply an access-list which will do nothing rather than thinking it as
 an empty access-list.

So i am not wrong if i conclude that there is no term called s empty access-list ..

Hope i am not sounding confused
I have already accepted the anser given by  lrmoore  .
but i will appreciate some more clarificarion



hope i am not sounding confused
Les MooreSr. Systems EngineerCommented:
You are correct. There really is no term regarding empty access-list.
You can apply a non-existant access-list to an interface and it will still pass all traffic.
You can apply a non-existant access-list to an interface, then create the access-list, but because you are always editing the running config, the very first line you create will block all traffic except what you permit (if anything) in the first line.
sagar24Author Commented:
thanks Irmoore for your further clarification

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.