(cisco, or any) acl *reducers* out there?
Brian Spade
bitkraft at gmail.com
Tue Aug 24 07:51:50 UTC 2010
Maybe FLINT?
http://www.matasano.com/playbook/flint
Never tried it so feedback is welcome... :-)
/bs
On Wed, Aug 18, 2010 at 5:38 PM, George Michaelson <ggm at apnic.net> wrote:
> I have been looking at acl management s/w in the freecode space and I can
> find lots of tools which manage/distribute and test ACLs in routers.
>
> I'm wondering if anyone has written a parser which can construct rule-trees
> and get rid of the cruft, unusable, order-misorder and other issues in a
> large ACL pool?
>
> It's possible this is NP in the wider sense, but even a partial improvement
> would be useful
>
> something which can take a couple of hundred basic and extended ACLs and
> tell you
>
> these <ten> don't work
> these <twenty> conflict
> the remaining <x> have a sequence and can reduce to this basic <x-y>
> set
>
> (we've got the usual "acquisition of rule by accretion" problem across 4
> edge/core routers with a mix of public facing, internal, WiFi, guest rules,
> and I hate to think this is either start from scratch, or intractable. The
> evidence is that it's FRAGILE)
>
> -G
>
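A minimal version of the "these don't work / these conflict" check the question asks for, as an added example that is not part of the thread and not FLINT's code. It assumes Cisco standard (source-only) ACL syntax with contiguous wildcard masks, applies first-match semantics, and uses a constructed sample ACL; the limitation noted in the docstring is exactly where a real reducer has to do more work.

```python
import ipaddress

# Constructed sample standard ACL (illustrative, not taken from the thread).
SAMPLE_ACL = """
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny host 192.0.2.7
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny 192.0.0.0 0.0.255.255
access-list 10 permit 198.51.100.0 0.0.0.127
access-list 10 deny 198.51.100.0 0.0.0.255
access-list 10 permit any
"""

def parse_entry(line: str, seq: int) -> tuple[int, str, ipaddress.IPv4Network]:
    """Parse 'access-list N permit|deny <src> [wildcard]'; only contiguous wildcards."""
    tok = line.split()
    action, src = tok[2], tok[3:]
    if src[0] == "any":
        return seq, action, ipaddress.ip_network("0.0.0.0/0")
    if src[0] == "host":
        return seq, action, ipaddress.ip_network(src[1] + "/32")
    wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    if wild & (wild + 1):  # not of the form 2**k - 1: non-contiguous wildcard
        raise ValueError(f"entry {seq}: non-contiguous wildcard {src[1]} unsupported")
    net = ipaddress.ip_network((src[0], 32 - wild.bit_length()), strict=False)
    return seq, action, net

def analyse(acl_text: str) -> list[tuple[str, int, int]]:
    """Return (kind, later_seq, earlier_seq) findings under first-match semantics.
    shadowed / redundant: later entry can never match (opposite / same action).
    order_dependent: later entry is wider than an earlier opposite-action entry,
    so swapping them changes behaviour. Limitation: an entry covered only by the
    union of several earlier entries is not detected (needs set arithmetic)."""
    lines = [l for l in acl_text.splitlines() if l.strip()]
    entries = [parse_entry(l, i) for i, l in enumerate(lines, 1)]
    findings = []
    for i, (seq, act, net) in enumerate(entries):
        for pseq, pact, pnet in entries[:i]:
            if net.subnet_of(pnet):
                findings.append(("redundant" if act == pact else "shadowed", seq, pseq))
                break  # dead either way; no need to look at later predecessors
            if pnet.subnet_of(net) and act != pact:
                findings.append(("order_dependent", seq, pseq))
    return findings

if __name__ == "__main__":
    for kind, later, earlier in analyse(SAMPLE_ACL):
        print(f"entry {later} is {kind} with respect to entry {earlier}")
```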