Firewall Wizards mailing list archives
Re: Cisco acls
From: Kevin <kkadow () gmail com>
Date: Wed, 16 Mar 2005 00:41:47 -0600
On Tue, 08 Mar 2005 07:06:23 -0500, Mark Teicher wrote:
> Has anyone seen or heard of a Cisco ACL lint checker to validate whether a certain ACL is being utilized at all?
By 'lint' are you suggesting a tool to check whether a line in an ACL is redundant or can never be matched because it is "overshadowed" by a rule higher up in a "first-match" policy? That *would* be neat. IIRC, OpenBSD has something close in the latest 'pf' rule optimization efforts; however, pf rules are "last match", unlike Cisco's "first match" model.
> What about old ACLs that have been around for a while, and no one understands why they were inserted in the first place?
Cisco has counters for how many times an ACL line has matched a packet since the last time the counters were cleared, the ACL changed, or the device rebooted. Extended ACLs support comments. I include a date, a name, and a couple of words as to why the following rule exists. Audit loves this, CCIEs hate it.

Kevin Kadow

firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
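As an added example (not part of the thread, and not any vendor's tool), here are the two checks discussed above in Python: flag lines that are "overshadowed" by an earlier line under first-match semantics, and flag lines whose match counter is zero. It assumes `show access-lists` output in the constructed form shown, contiguous wildcard masks, and simple `eq` port matches only.

```python
import ipaddress
import re
# Constructed "show access-lists" output: first-match extended ACL with hit counters.
SAMPLE_ACL = """\
Extended IP access list 101
    10 permit tcp 10.1.0.0 0.0.255.255 any eq 80 (1532 matches)
    20 permit udp any host 192.0.2.53 eq 53 (8 matches)
    30 permit tcp 10.1.2.0 0.0.0.255 any eq 80
    40 permit tcp 10.2.0.0 0.0.255.255 any eq 443
    50 deny ip any any (12 matches)
"""

LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\d+))?(?:\s+\((?P<hits>\d+) matches\))?\s*$")

def to_network(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' -> ip_network (contiguous wildcards only)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()  # a Cisco wildcard is an inverted netmask
    prefixlen = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network((addr, prefixlen), strict=False)

def parse_acl(text):
    rules = []  # header lines and anything else that is not an ACL entry are skipped
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rules.append({"seq": int(m["seq"]), "proto": m["proto"], "port": m["port"],
                      "src": to_network(m["src"]), "dst": to_network(m["dst"]),
                      "hits": int(m["hits"] or 0)})
    return rules

def covers(a, b):
    """True when every packet later rule b could match is already taken by earlier rule a."""
    return (a["proto"] in ("ip", b["proto"]) and (a["port"] is None or a["port"] == b["port"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))

def audit(rules):
    """Return {seq: reason} for lines that can never match or have never matched."""
    findings = {}
    for i, rule in enumerate(rules):
        shadow = next((a for a in rules[:i] if covers(a, rule)), None)
        if shadow is not None:
            findings[rule["seq"]] = "shadowed by line %d" % shadow["seq"]
        elif rule["hits"] == 0:
            findings[rule["seq"]] = "zero matches since counters were cleared"
    return findings
```

Run against the constructed sample, line 30 is reported as shadowed by line 10 (it is a subnet of the same permit) and line 40 as having never matched; a zero counter alone is only suggestive, since counters also reset when the ACL is edited or the box reboots.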
Current thread:
- Cisco acls Eric Appelboom (Mar 01)
- Re: Cisco acls Daniel Linder (Mar 04)
- RE: Cisco acls Bruce Smith (Mar 04)
- RE: Cisco acls Mark Teicher (Mar 12)
- Re: Cisco acls Kevin (Mar 24)
- RE: Cisco acls Mark Teicher (Mar 12)
- Re: Cisco acls Steve Saeedi (Mar 04)
- Re: Cisco acls Luca Berra (Mar 07)
- RE: Cisco acls Mathew Want (Mar 04)
- RE: Cisco acls Ben Nagy (Mar 04)
- Re: Cisco acls Stephane (Mar 04)
- Re: Cisco acls Miha Vitorovic (Mar 24)
- <Possible follow-ups>
- RE: Cisco acls Behm, Jeffrey L. (Mar 04)
- RE: Cisco acls Matthew.Harvey () usdoj gov (Mar 04)
- RE: Cisco acls Paul Melson (Mar 04)
- Re: Cisco acls Luca Berra (Mar 07)
(Thread continues...)