nanog mailing list archives

Re: (cisco, or any) acl *reducers* out there?


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 18 Aug 2010 21:51:59 -0400

On Wed, Aug 18, 2010 at 8:47 PM, Dobbins, Roland <rdobbins () arbor net> wrote:

> On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:
>
> > (we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of
> > public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or
> > intractable. The evidence is that it's FRAGILE)
>
> Attempts by various commercial solutions aside, there isn't really a workable, usable, scalable and reliable
> automated way to do this, AFAIK; apart from the complexity of the task itself, platform-specific ACL handling
> complicates matters further.
>
> To begin getting a handle on your ACLs, implement some form of revision control (RCS, CVS, subversion,
> whatever), and then work to modularize the ACLs by function:
>
> <https://files.me.com/roland.dobbins/prguob>
>
> Then take a look at whether the ACLs in question all actually belong on the edge, or whether it makes sense
> to break them out and instantiate the relevant policies at various points within the topology.

a plug for some google-peeps:

<http://code.google.com/p/capirca/>

potentially once you make the definitions/policy-files you can use the
proto-language to sort through your mess in a saner fashion. a nice
aside is you can also create (from the same policy file)
cisco/juniper/iptables configurations.
(tony/pete really did a nice job on this)

-chris

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
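The subject line asks for an ACL reducer, and Roland's advice is to get the rule base under control before trying to shrink it. As an added example (not code from any poster in this thread, and not part of Capirca), the script below does the first pass such a reducer would make over a Cisco extended ACL: it parses a constructed, deliberately untidy sample (the ACL name EDGE-IN is made up; addresses are RFC 1918 and RFC 5737 space) and flags every entry that can never match because a single earlier entry already covers all of its traffic. Entries with the same action as the one shadowing them are merely redundant and can be dropped; entries with a different action are policy bugs, since the rule the author meant to apply is silently never hit. It handles only the syntax subset used in the sample (permit/deny, ip/tcp/udp, any/host/wildcard, optional `eq port`) with contiguous wildcard masks, and it does not look for shadowing by the union of several earlier entries.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (hypothetical ACL name, RFC 1918 / RFC 5737 addresses);
# deliberately untidy so the checker has something to report.
SAMPLE_ACL = """
ip access-list extended EDGE-IN
 remark constructed sample, not a real policy
 permit tcp 10.0.0.0 0.0.0.255 any eq 80
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 80
 deny   udp 172.16.0.0 0.0.255.255 any
 permit udp 172.16.5.0 0.0.0.255 host 192.0.2.53 eq 53
 permit ip any any
 deny   ip 198.51.100.0 0.0.0.255 any
"""


@dataclass(frozen=True)
class Ace:
    """One access control entry, normalised so entries can be compared."""
    index: int
    text: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tokens[i]; return (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # "addr wildcard": invert the Cisco wildcard into a netmask (assumes a contiguous mask)
    netmask = ".".join(str(255 - int(octet)) for octet in tokens[i + 1].split("."))
    return ipaddress.IPv4Network((tok, netmask), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny lines; the header, remarks and blank lines are skipped."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        aces.append(Ace(len(aces), " ".join(tokens), action, proto, src, dst, dport))
    return aces


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet that matches `inner` would also match `outer`."""
    if outer.proto not in ("ip", inner.proto):
        return False
    if not (inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)):
        return False
    return outer.dport is None or outer.dport == inner.dport


def find_shadowed(aces: List[Ace]) -> List[Tuple[int, int, str]]:
    """Return (shadowed_index, covering_index, kind) for every ACE that can never match.

    First-match semantics: an ACE fully covered by an earlier ACE is dead. The same
    action makes it merely redundant; a different action means the intended policy
    is silently not applied. Coverage by a union of earlier ACEs is not detected.
    """
    findings = []
    for inner in aces:
        for outer in aces[:inner.index]:
            if covers(outer, inner):
                kind = "redundant" if outer.action == inner.action else "conflict"
                findings.append((inner.index, outer.index, kind))
                break   # the first covering ACE is the one that takes the traffic
    return findings


def report(text: str) -> List[str]:
    """Human-readable findings, one line per dead ACE."""
    aces = parse_acl(text)
    return [
        f"ACE {inner} {kind}: '{aces[inner].text}' is shadowed by ACE {outer}: '{aces[outer].text}'"
        for inner, outer, kind in find_shadowed(aces)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_ACL):
        print(line)
```

On the sample this reports the second `permit tcp` line as redundant with the first, the `permit udp ... eq 53` line as a conflict with the broader `deny udp` above it, and the final `deny ip` as a conflict with `permit ip any any`. Run against an ACL exported from revision control, that list is the starting point for the modularisation Roland describes: dead entries come out first, and conflicts get a human decision about which of the two rules reflects the actual intent.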
