(cisco, or any) acl *reducers* out there?

Brian Spade bitkraft at gmail.com
Tue Aug 24 07:51:50 UTC 2010

Maybe FLINT?


Never tried it so feedback is welcome... :-)


On Wed, Aug 18, 2010 at 5:38 PM, George Michaelson <ggm at apnic.net> wrote:

> I have been looking at acl management s/w in the freecode space and I can
> find lots of tools which manage/distribute and test ACLs in routers.
> I'm wondering if anyone has written a parser which can construct rule-trees
> and get rid of the cruft, unusable, order-misorder and other issues in a
> large ACL pool?
> Its possible this is NP in the wider sense, but even a partial improvement
> would be useful
> something which can take a couple of hundred basic and extended ACLs and
> tell you
>        these <ten> don't work
>        these <twenty> conflict
>        the remaining <x> have a sequence and can reduce to this basic <x-y>
> set
> (we've got the usual "acquisition of rule by accretion" problem across 4
> edge/core routers with a mix of public facing, internal, WiFi, guest rules,
> and I hate to think this is either start from scratch, or intractable. The
> evidence is that its FRAGILE)
> -G

More information about the NANOG mailing list