nanog mailing list archives

Re: (cisco, or any) acl *reducers* out there?


From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Thu, 19 Aug 2010 00:47:37 +0000


On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:

> (we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public
> facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The
> evidence is that it's FRAGILE)

Attempts by various commercial solutions aside, there isn't really a workable, usable, scalable and reliable automated 
way to do this, AFAIK; apart from the complexity of the task itself, platform-specific ACL handling complicates matters 
further.

To begin getting a handle on your ACLs, implement some form of revision control (RCS, CVS, subversion, whatever), and 
then work to modularize the ACLs by function:

<https://files.me.com/roland.dobbins/prguob>

Then take a look at whether the ACLs in question all actually belong on the edge, or whether it makes sense to break 
them out and instantiate the relevant policies at various points within the topology.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
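Added example, not code from Roland's post or from anything linked in it. The one automated check on an IOS extended ACL that is actually trustworthy is the narrow one: an entry whose whole match space is covered by a single earlier entry can never fire, so it is either redundant (same action) or unreachable (opposite action, which is exactly how an ACL gets FRAGILE). The script below does only that; it does not attempt the general rule reduction the thread is asking about. It treats each "remark" line as the start of a functional group, which is the modularization Roland suggests, so the report tells you which group a dead entry sits in. Assumptions: IOS extended syntax in the simple form shown in the docstring, contiguous wildcard masks, and a constructed sample ACL using RFC 5737 and RFC 1918 addresses; anything the parser does not understand is listed as unparsed rather than guessed at.

```python
"""Conservative shadow check for Cisco IOS extended ACL entries.

Added example for the thread above, not code from the original post.
It only understands the common simple form
    [seq] {permit|deny} {ip|tcp|udp|icmp} SRC [eq PORT] DST [eq PORT]
with SRC/DST as 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous
wildcard). Anything else is reported as unparsed rather than guessed at.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ADDR = rf"(?:any|host {IP}|{IP} {IP})"
ENTRY_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)"
    rf"\s+(?P<src>{ADDR})(?:\s+eq\s+(?P<sport>\S+))?"
    rf"\s+(?P<dst>{ADDR})(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)
REMARK_RE = re.compile(r"^(?:\d+\s+)?remark\s+(.*)$")


@dataclass
class Entry:
    line: str
    remark: str                  # nearest preceding remark: the functional group
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]         # None means any port
    dst: ipaddress.IPv4Network
    dport: Optional[str]


def to_net(spec: str) -> ipaddress.IPv4Network:
    """Turn an IOS address spec into a network; ValueError on a non-contiguous wildcard."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # ipaddress accepts a hostmask (an IOS wildcard) after the slash
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def parse_acl(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse one named extended ACL; returns (entries, lines we refused to interpret)."""
    entries, unparsed, remark = [], [], "(no remark)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        m = REMARK_RE.match(line)
        if m:
            remark = m.group(1).strip()
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        try:
            entries.append(Entry(line, remark, m["action"], m["proto"],
                                 to_net(m["src"]), m["sport"],
                                 to_net(m["dst"]), m["dport"]))
        except ValueError:          # e.g. non-contiguous wildcard mask
            unparsed.append(line)
    return entries, unparsed


def covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a (so b can never fire after a)."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if not (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)):
        return False
    # A port of None is a wildcard. Named vs numeric ports ('www' vs '80') are
    # treated as different on purpose; that only makes the check miss cases.
    return a.sport in (None, b.sport) and a.dport in (None, b.dport)


def find_shadowed(entries: List[Entry]) -> List[Tuple[str, Entry, Entry]]:
    """Each entry fully covered by a single earlier entry, with the first such entry."""
    findings = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "unreachable"
                findings.append((kind, later, earlier))
                break
    return findings


# Constructed sample ACL (RFC 5737 / RFC 1918 addresses), not from any real router.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 remark --- public web servers ---
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 range 8000 8080
 remark --- management ---
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.1 eq 22
 permit ip 10.0.0.0 0.0.0.255 any
 deny tcp 10.0.0.0 0.0.0.255 any eq 23
 permit tcp host 10.0.0.5 host 192.0.2.1 eq 22
 deny ip 10.0.0.0 0.0.255.255 any
 remark --- guest wifi ---
 deny tcp 172.16.0.0 0.0.255.255 any eq 25
 permit ip 172.16.0.0 0.0.255.255 any
 deny ip any any
"""

if __name__ == "__main__":
    entries, unparsed = parse_acl(SAMPLE_ACL)
    for kind, later, earlier in find_shadowed(entries):
        print(f"{kind:11} [{later.remark}] {later.line}")
        print(f"{'':11} covered by [{earlier.remark}] {earlier.line}")
    for line in unparsed:
        print(f"unparsed    {line}  (check by hand)")
```

Run it against the ACL text as exported from the config you keep under revision control, not against a hand-copied snippet, so the finding refers to a specific committed revision. The deliberate limitation is that an entry covered only by the union of several earlier entries (the "deny ip 10.0.0.0 0.0.255.255 any" in the sample partly overlaps an earlier permit but is not flagged) is left alone; that partial-overlap case is where the automated reducers get unreliable, and a human with the per-function split in front of them is still the right tool there.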
