Firewall Wizards mailing list archives

Re: Cisco acls


From: Kevin <kkadow () gmail com>
Date: Wed, 16 Mar 2005 00:41:47 -0600

On Tue, 08 Mar 2005 07:06:23 -0500, Mark Teicher wrote:
> Has anyone seen or heard of a Cisco ACL lint checker to validate
> whether a certain ACL is being utilized at all.

By 'lint' are you suggesting a tool to check whether a line in an ACL
is redundant, or can never be matched because it is "overshadowed" by a
rule higher up in a "first-match" policy?  That *would* be neat.

IIRC, OpenBSD has something close in the latest 'pf' rule optimization
efforts; however, pf rules are "last match", unlike Cisco's "first
match" model.


> What about old acls that have been around for a while,
> and no one understands why they were inserted in the first place.

Cisco has counters for how many times an ACL line has matched a
packet, since the last time the counters were cleared, the ACL
changed, or the device rebooted.
Extended ACLs support comments.  I include a date, a name, and a
couple of words as to why the following rule exists.  Audit loves
this, CCIEs hate it.

Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
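The two checks Kevin describes, a first-match "shadow" test and a look at the per-line hit counters, are small enough to script. The following is an added example written for this archive page, not a tool from the thread or from Cisco: it parses a simplified, constructed sample of IOS `show access-lists` output (extended ACLs only; `any`, `host`, address/wildcard pairs, `eq`/`range` destination ports and trailing keywords such as `established` and `log`), then reports lines that an earlier line in the same ACL fully covers (so they can never fire) and lines with no "(N matches)" counter (unused since the counters were last cleared). The sample ACL, its names and addresses are all made up for the demonstration; the small port-name table is a subset of the IOS keywords, not a complete one.

```python
"""Toy ACL lint for Cisco IOS extended ACLs (added example, not a real tool).

Reports, from `show access-lists` text:
  * shadowed lines: every packet the line could match is already matched by an
    earlier line in the same ACL, so under first-match semantics it never fires;
  * zero-hit lines: no "(N matches)" counter, i.e. no hits since the counters
    were cleared, the ACL changed, or the device rebooted.
Parses only: permit/deny, ip/tcp/udp/icmp, any | host A.B.C.D | A.B.C.D W.W.W.W,
optional "eq N" / "range A B" destination ports, optional trailing keywords.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY_PORTS = (0, 65535)
PORT_NAMES = {"ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}  # subset of IOS names
MATCH_NARROWING = {"established"}  # keywords that shrink the match set; "log" does not
HEADER_RE = re.compile(r"^Extended IP access list (\S+)")
LINE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


@dataclass
class Rule:
    acl: str
    seq: int
    action: str
    proto: str
    src: tuple        # (address, wildcard) as 32-bit ints; wildcard 1-bits are "don't care"
    dst: tuple
    ports: tuple      # inclusive (lo, hi) destination port range
    flags: frozenset  # match-narrowing keywords present on the line
    matches: int


def _addr(tokens):
    """Consume one address spec from the token list, return (address, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    return (int(IPv4Address(t)), int(IPv4Address(tokens.pop(0))))


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _ports(tokens):
    """Consume an optional eq/range port spec; absent means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = _port(tokens.pop(0))
        return (p, p)
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return (_port(tokens.pop(0)), _port(tokens.pop(0)))
    return ANY_PORTS


def parse_show_access_lists(text):
    rules, acl = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m:
            acl = m.group(1)
            continue
        if not raw[0].isspace():
            acl = None          # header of a list type we do not parse (e.g. standard ACL)
            continue
        m = LINE_RE.match(raw) if acl else None
        if not m:
            continue
        seq, action, proto, rest, hits = m.groups()
        tokens = rest.split()
        src = _addr(tokens)
        if tokens and tokens[0] in ("eq", "range"):
            _ports(tokens)      # source ports are not modelled; consume so dst parses
        dst = _addr(tokens)
        ports = _ports(tokens) if proto in ("tcp", "udp") else ANY_PORTS
        flags = frozenset(t for t in tokens if t in MATCH_NARROWING)
        rules.append(Rule(acl, int(seq), action, proto, src, dst, ports, flags, int(hits or 0)))
    return rules


def _covers_addr(a, b):
    """Every address matched by wildcard spec b is also matched by spec a."""
    fixed_a, fixed_b = ~a[1] & 0xFFFFFFFF, ~b[1] & 0xFFFFFFFF
    return (fixed_a & ~fixed_b) == 0 and ((a[0] ^ b[0]) & fixed_a) == 0


def covers(a, b):
    """True if rule a matches every packet rule b could match (b is dead if a precedes it)."""
    return (a.proto in ("ip", b.proto)
            and _covers_addr(a.src, b.src) and _covers_addr(a.dst, b.dst)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
            and a.flags <= b.flags)


def shadowed(rules):
    """(dead rule, first earlier rule in the same ACL that covers it), first-match semantics."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.acl == r.acl and covers(earlier, r):
                out.append((r, earlier))
                break
    return out


def zero_hit(rules):
    return [r for r in rules if r.matches == 0]


# Constructed sample output; names and addresses are invented for the example.
SAMPLE = """\
Extended IP access list OUTSIDE_IN
    10 permit tcp 10.0.0.0 0.255.255.255 host 192.168.1.10 eq 22 (42 matches)
    20 permit tcp host 10.1.1.5 host 192.168.1.10 eq 22
    30 permit tcp any host 192.168.1.20 range 8000 8010 (7 matches)
    40 permit tcp host 172.16.0.9 host 192.168.1.20 eq 8005 established
    50 permit udp any any eq domain (3811 matches)
    60 deny ip any any log (1203 matches)
Standard IP access list 10
    10 permit 192.168.0.0, wildcard bits 0.0.255.255 (5 matches)
"""

if __name__ == "__main__":
    rules = parse_show_access_lists(SAMPLE)
    for dead, by in shadowed(rules):
        print(f"{dead.acl} seq {dead.seq} can never match: covered by seq {by.seq}")
    for r in zero_hit(rules):
        print(f"{r.acl} seq {r.seq} has no hits since counters were cleared")
```

The shadow test is pairwise only: a line that is covered by the union of several earlier lines, but by none of them alone, is not reported, and a zero counter proves nothing if the counters were cleared or the box rebooted recently, which is exactly the caveat in the post.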

