Firewall Wizards mailing list archives

Re: Cisco acls


From: Mark Teicher <mht3 () earthlink net>
Date: Wed, 16 Mar 2005 07:06:13 -0500 (GMT-05:00)

in line

-----Original Message-----
From: Kevin <kkadow () gmail com>
Sent: Mar 16, 2005 1:41 AM
To: firewall-wizards () honor icsalabs com
Cc: Mark Teicher <mht3 () earthlink net>
Subject: Re: [fw-wiz] Cisco acls

On Tue, 08 Mar 2005 07:06:23 -0500, Mark Teicher wrote:
Has anyone seen or heard of a Cisco ACL lint checker to validate
whether a certain ACL is being utilized at all?

By 'lint' are you suggesting a tool to check whether a line in an ACL
is redundant, can never be matched because it is "overshadowed" by a
rule higher up in a "first-match" policy?  That *would* be neat.

Yes, something like that, or more, to flush out access control lists that were implemented by Stevie Wonder and that IOS
didn't catch as bad access control lists.

IIRC, OpenBSD has something close in the latest 'pf' rule optimization
efforts, however pf rules are "last match" unlike Cisco's "first
match" model.


What about old acls that have been around for a while,
and no one understands why they were inserted in the first place.

Cisco has counters for how many times an ACL line has matched a
packet, since the last time the counters were cleared, the ACL
changed, or the device rebooted.
Extended ACLs support comments.  I include a date, a name, and a
couple of words as to why the following rule exists.  Audit loves
this, CCIEs hate it.

It would be great to link the stats to the access control list, and then output a result stating
access control list 1 (10/10000)
access control list 2 (0/10000)
access control list 3 (4/10000)

and then insert some text regarding why the access control list is not well done.


Kevin Kadow



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
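The two checks discussed in this thread, a first-match shadow check (an entry that can never be hit because an earlier entry already matches everything it could) and the per-entry hit counters reported as "matches/total", are small enough to prototype. The following is an added example, not code from the list, from Cisco or from either poster. It parses text shaped like IOS "show access-lists" output for extended IP ACLs only, understands "any", "host A.B.C.D" and "A.B.C.D wildcard" address specs and an optional "eq <port>" on the destination, and treats the wildcard mask the IOS way (a 1 bit means "don't care", so non-contiguous wildcards are handled). The sample ACL 101, its sequence numbers and hit counts are constructed for this example. The shadow check only looks for a single earlier entry that covers a later one; an entry hidden by the union of several earlier entries is not detected, and a zero hit count only means zero since the counters were last cleared, which is the caveat Kevin raises above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like IOS "show access-lists" output for an
# extended ACL. It is made up for this example, not output from a real device.
SAMPLE = """\
Extended IP access list 101
    10 permit tcp 10.0.0.0 0.0.0.255 any eq 22 (10 matches)
    20 permit tcp 10.0.0.0 0.0.0.255 any eq 22
    30 permit tcp host 10.0.0.5 any eq www (4 matches)
    40 deny ip 10.0.0.0 0.0.255.255 any
    50 deny tcp 10.0.1.0 0.0.0.255 any eq 22
    60 permit udp any host 192.0.2.53 eq domain (9986 matches)
"""

Net = Tuple[int, int]  # (address, wildcard) as 32-bit ints; wildcard bit 1 = "don't care"

# Small subset of the port keywords IOS prints instead of numbers (assumption: only these).
PORT_NAMES = {"www": 80, "ssh": 22, "domain": 53, "telnet": 23}


@dataclass
class Entry:
    seq: int
    action: str
    proto: str
    src: Net
    dst: Net
    dport: Optional[int]  # None = any port; only "eq <port>" on the destination is parsed
    matches: int


HEADER_RE = re.compile(r"^Extended IP access list (\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def ip2int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def parse_net(tok: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address spec (any | host A | A wildcard) at tok[i]; return it and the next index."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (ip2int(tok[i + 1]), 0), i + 2
    return (ip2int(tok[i]), ip2int(tok[i + 1])), i + 2


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line)
    if not m:
        return None
    seq, action, proto, rest, hits = m.groups()
    tok = rest.split()
    src, i = parse_net(tok, 0)
    dst, i = parse_net(tok, i)
    dport = None
    if i + 1 < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return Entry(int(seq), action, proto, src, dst, dport, int(hits or 0))


def parse_acls(text: str) -> Dict[str, List[Entry]]:
    acls: Dict[str, List[Entry]] = {}
    name = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            name = h.group(1)
            acls[name] = []
            continue
        e = parse_entry(line) if name else None
        if e:
            acls[name].append(e)
    return acls


def net_covers(a: Net, b: Net) -> bool:
    """True if every address matched by b is also matched by a (valid for non-contiguous wildcards)."""
    addr_a, wc_a = a
    addr_b, wc_b = b
    fixed = ~wc_a & 0xFFFFFFFF  # the bits that a actually tests
    return (wc_a | wc_b) == wc_a and (addr_a & fixed) == (addr_b & fixed)


def shadows(earlier: Entry, later: Entry) -> bool:
    """True if 'earlier' matches every packet 'later' could match, so 'later' is unreachable under first-match."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and net_covers(earlier.src, later.src)
            and net_covers(earlier.dst, later.dst)
            and (earlier.dport is None or earlier.dport == later.dport))


def lint(acls: Dict[str, List[Entry]]) -> List[Tuple[str, int, str]]:
    """Flag entries that are shadowed by a single earlier entry, else entries with zero hits."""
    findings = []
    for name, entries in acls.items():
        for idx, e in enumerate(entries):
            hider = next((p for p in entries[:idx] if shadows(p, e)), None)
            if hider:
                findings.append((name, e.seq, f"never matched: shadowed by seq {hider.seq} ({hider.action})"))
            elif e.matches == 0:
                findings.append((name, e.seq, "0 matches since counters were last cleared"))
    return findings


def stats(acls: Dict[str, List[Entry]]) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Per-entry (matches, total matches for the whole list): the '(10/10000)' view."""
    out = {}
    for name, entries in acls.items():
        total = sum(e.matches for e in entries)
        for e in entries:
            out[(name, e.seq)] = (e.matches, total)
    return out


if __name__ == "__main__":
    acls = parse_acls(SAMPLE)
    for (name, seq), (hits, total) in stats(acls).items():
        print(f"access control list {name} seq {seq} ({hits}/{total})")
    for name, seq, why in lint(acls):
        print(f"  {name} seq {seq}: {why}")
```

On the sample, seq 20 is reported as shadowed by seq 10 (an exact duplicate), seq 50 as shadowed by the broader "deny ip" at seq 40, and seq 40 itself as having zero hits; the shadow finding takes precedence over the zero-hit finding because a shadowed entry can never accumulate hits. Run against real "show access-lists" output, the remaining work is the part no tool can do: the dated comment on each entry saying why it exists.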

