(cisco, or any) acl *reducers* out there?

Brian Spade bitkraft at gmail.com
Tue Aug 24 07:51:50 UTC 2010


Maybe FLINT?

http://www.matasano.com/playbook/flint

Never tried it so feedback is welcome... :-)

/bs

On Wed, Aug 18, 2010 at 5:38 PM, George Michaelson <ggm at apnic.net> wrote:

> I have been looking at acl management s/w in the freecode space and I can
> find lots of tools which manage/distribute and test ACLs in routers.
>
> I'm wondering if anyone has written a parser which can construct rule-trees
> and get rid of the cruft, unusable, order-misorder and other issues in a
> large ACL pool?
>
> Its possible this is NP in the wider sense, but even a partial improvement
> would be useful
>
> something which can take a couple of hundred basic and extended ACLs and
> tell you
>
>        these <ten> don't work
>        these <twenty> conflict
>        the remaining <x> have a sequence and can reduce to this basic <x-y>
> set
>
> (we've got the usual "acquisition of rule by accretion" problem across 4
> edge/core routers with a mix of public facing, internal, WiFi, guest rules,
> and I hate to think this is either start from scratch, or intractable. The
> evidence is that its FRAGILE)
>
> -G
>



More information about the NANOG mailing list