(cisco, or any) acl *reducers* out there?
- Subject: (cisco, or any) acl *reducers* out there?
- From: ggm at apnic.net (George Michaelson)
- Date: Thu, 19 Aug 2010 10:38:01 +1000
I have been looking at acl management s/w in the freecode space and I can find lots of tools which manage/distribute and test ACLs in routers.
I'm wondering if anyone has written a parser which can construct rule-trees and get rid of the cruft, unusable, order-misorder and other issues in a large ACL pool?
It's possible this is NP in the wider sense, but even a partial improvement would be useful
something which can take a couple of hundred basic and extended ACLs and tell you
these <ten> don't work
these <twenty> conflict
the remaining <x> have a sequence and can reduce to this basic <x-y> set
(we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that it's FRAGILE)
-G