Firewall Wizards mailing list archives
Re: Cisco acls
From: Mark Teicher <mht3 () earthlink net>
Date: Wed, 16 Mar 2005 07:06:13 -0500 (GMT-05:00)
in line
-----Original Message-----
From: Kevin <kkadow () gmail com>
Sent: Mar 16, 2005 1:41 AM
To: firewall-wizards () honor icsalabs com
Cc: Mark Teicher <mht3 () earthlink net>
Subject: Re: [fw-wiz] Cisco acls

> On Tue, 08 Mar 2005 07:06:23 -0500, Mark Teicher wrote:
> > Has anyone seen or heard of a Cisco ACL lint checker to validate whether a certain ACL is being utilized at all?
>
> By 'lint' are you suggesting a tool to check whether a line in an ACL is redundant, can never be matched because it is "overshadowed" by a rule higher up in a "first-match" policy? That *would* be neat.

Yes, something more to flush out access control lists that were implemented by Stevie Wonder and that IOS didn't catch as bad access control lists.

> IIRC, OpenBSD has something close in the latest 'pf' rule optimization efforts, however pf rules are "last match" unlike Cisco's "first match" model.
>
> > What about old ACLs that have been around for a while, and no one understands why they were inserted in the first place?
>
> Cisco has counters for how many times an ACL line has matched a packet, since the last time the counters were cleared, the ACL changed, or the device rebooted. Extended ACLs support comments. I include a date, a name, and a couple of words as to why the following rule exists. Audit loves this, CCIEs hate it.

It would be great to link the stats to the access control list, and then output a result stating:

access control list 1 (10/10000)
access control list 2 (0/10000)
access control list 3 (4/10000)

and then insert some text regarding why the access control list is not well done.

> Kevin Kadow

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
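As an added example (not from this thread, nor a Cisco tool), a small Python checker in the spirit of the 'lint' idea discussed above: it parses a constructed snippet of `show access-lists` output, flags entries that can never match because an earlier entry in the first-match list already covers them, and flags entries whose match counter is still zero. The sample text and the `Ace`, `parse`, `covers` and `audit` names are assumptions; only `any`, `host` and wildcard addresses with an optional `eq` destination port are handled.

```python
import re
import ipaddress
from collections import namedtuple
# Constructed sample of `show access-lists` output; not taken from the thread.
SAMPLE = """\
Extended IP access list 101
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 (412 matches)
    20 deny ip 10.0.0.0 0.0.0.255 any (37 matches)
    30 permit tcp host 10.0.0.10 any eq 22
    50 permit tcp 192.168.1.0 0.0.0.255 any eq 443
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches\))?$")
Ace = namedtuple("Ace", "seq action proto src dst port hits")
def _addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcards are hostmasks, but ipaddress reads 0.0.0.0 and 255.255.255.255 as netmasks.
    mask = {"0.0.0.0": "32", "255.255.255.255": "0"}.get(tokens[1], tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse(text):
    """Turn the ACE lines of `show access-lists` output into Ace tuples."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # list header, or syntax this toy parser does not handle
        seq, action, proto, rest, hits = m.groups()
        src, tokens = _addr(rest.split())
        dst, tokens = _addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        aces.append(Ace(int(seq), action, proto, src, dst, port, int(hits or 0)))
    return aces

def covers(a, b):
    """True if every packet matching b is already matched by a (a listed earlier)."""
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and (a.port is None or a.port == b.port))

def audit(aces):
    """Map seq -> finding for ACEs that are unreachable or have never matched."""
    findings = {}
    for i, ace in enumerate(aces):
        shadow = next((p for p in aces[:i] if covers(p, ace)), None)
        if shadow:
            findings[ace.seq] = f"unreachable: shadowed by seq {shadow.seq}"
        elif ace.hits == 0:
            findings[ace.seq] = "no matches since counters were cleared: confirm it is still needed"
    return findings
```

Entry 30 is reported as unreachable because entry 10 already permits SSH from the whole /24, and entry 50 is reported because its counter has never moved; the zero-counter finding is only as old as the last counter clear, reload or ACL edit, as the thread notes.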