[128863] in North American Network Operators' Group


(cisco, or any) acl *reducers* out there?

daemon@ATHENA.MIT.EDU (George Michaelson)
Wed Aug 18 20:38:13 2010

From: George Michaelson <ggm@apnic.net>
Date: Thu, 19 Aug 2010 10:38:01 +1000
To: NANOG <nanog@nanog.org>

I have been looking at acl management s/w in the freecode space and I can find lots of tools which manage/distribute and test ACLs in routers.

I'm wondering if anyone has written a parser which can construct rule-trees and get rid of the cruft, unusable, order-misorder and other issues in a large ACL pool?

It's possible this is NP in the wider sense, but even a partial improvement would be useful.

something which can take a couple of hundred basic and extended ACLs and tell you

	these <ten> don't work
	these <twenty> conflict
	the remaining <x> have a sequence and can reduce to this basic <x-y> set

(we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that it's FRAGILE)

-G
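The three buckets the post asks for (rules that can never match, rules whose effect depends on ordering, and the remaining set with the dead weight dropped) are the classic first-match-wins anomaly analysis, and the single-rule version of it is tractable. The following is an added example written for this archive page; it is not code from the poster, from NANOG, or from any of the tools mentioned. It parses a subset of Cisco IOS numbered ACL syntax (standard and extended lists, `any`/`host`/address+wildcard, `eq`/`range` destination ports, a trailing `log`), models each entry as a box in (protocol, source, destination, port) space, and checks each entry against the live entries before it. Names such as `Rule`, `analyse`, `analyse_config`, the `PORT_NAMES` table and the `SAMPLE` ACL are all constructed for the example; the sample is not taken from any real router. Coverage is tested against one earlier rule at a time, so an entry that is hidden only by the union of several earlier entries is conservatively kept, which is the "partial improvement" the post is prepared to settle for.

```python
"""Shadow / conflict / reduction check for Cisco IOS numbered ACLs (added example).

Model (a simplification, not the full IOS grammar): protocols ip/tcp/udp/icmp,
contiguous wildcard masks, destination-port operators eq/range, optional
trailing 'log'. Entries are evaluated in listed order, first match wins.
"""
import ipaddress
from dataclasses import dataclass

ANY_ADDR = (0, 2**32 - 1)                           # inclusive IPv4 integer range
ANY_PORT = (0, 65535)
PORT_NAMES = {'ssh': 22, 'domain': 53, 'www': 80}   # a few IOS port keywords (partial)


@dataclass(frozen=True)
class Rule:
    acl: str
    action: str      # 'permit' | 'deny'
    proto: str       # 'ip' | 'tcp' | 'udp' | 'icmp'
    src: tuple       # inclusive (lo, hi) source range
    dst: tuple       # inclusive (lo, hi) destination range
    dport: tuple     # inclusive destination-port range
    text: str        # original line, for reporting


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr_range(tokens):
    """Pop one address spec (any | host A | A WILDCARD) and return its range."""
    t = tokens.pop(0)
    if t == 'any':
        return ANY_ADDR
    if t == 'host':
        a = int(ipaddress.IPv4Address(tokens.pop(0)))
        return (a, a)
    addr = int(ipaddress.IPv4Address(t))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    if wild & (wild + 1):        # only low-bit (contiguous) wildcards form one interval
        raise ValueError(f'non-contiguous wildcard not supported: {t}')
    base = addr & ~wild
    return (base, base | wild)


def parse_acl_line(line):
    tok = line.split()
    if len(tok) < 4 or tok[0] != 'access-list' or tok[2] not in ('permit', 'deny'):
        raise ValueError(f'not a numbered ACL entry: {line!r}')
    acl, action, rest = tok[1], tok[2], tok[3:]
    if rest[-1] == 'log':
        rest.pop()
    n = int(acl)
    if 1 <= n <= 99 or 1300 <= n <= 1999:               # standard ACL: source only
        if len(rest) == 1 and rest[0] != 'any':          # bare address means host
            rest = ['host', rest[0]]
        return Rule(acl, action, 'ip', _addr_range(rest), ANY_ADDR, ANY_PORT, line)
    proto = rest.pop(0)
    if proto not in ('ip', 'tcp', 'udp', 'icmp'):
        raise ValueError(f'unsupported protocol {proto!r} in {line!r}')
    src = _addr_range(rest)
    if rest and rest[0] in ('eq', 'range', 'lt', 'gt', 'neq'):
        raise ValueError(f'source-port operators not modelled: {line!r}')
    dst = _addr_range(rest)
    dport = ANY_PORT
    if rest and rest[0] == 'eq':
        p = _port(rest[1]); dport, rest = (p, p), rest[2:]
    elif rest and rest[0] == 'range':
        dport, rest = (_port(rest[1]), _port(rest[2])), rest[3:]
    if rest:
        raise ValueError(f'unsupported trailing tokens {rest} in {line!r}')
    return Rule(acl, action, proto, src, dst, dport, line)


def _within(inner, outer):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def _meets(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return (a.proto in ('ip', b.proto) and _within(b.src, a.src)
            and _within(b.dst, a.dst) and _within(b.dport, a.dport))


def overlaps(a, b):
    """True if some packet is matched by both rules."""
    return (('ip' in (a.proto, b.proto) or a.proto == b.proto)
            and _meets(a.src, b.src) and _meets(a.dst, b.dst) and _meets(a.dport, b.dport))


def analyse(rules):
    """Return (dead, conflicts, reduced) for one ACL, in evaluation order.

    dead:      (rule, earlier live rule that fully covers it): it can never match.
               Same action -> redundant; opposite action -> probably a mistake.
    conflicts: (earlier, later) with opposite actions that partially overlap and
               neither covers the other, so the result depends on their order. A later,
               broader opposite rule (the usual final 'deny ip any any') is the normal
               exception pattern and is not reported.
    reduced:   the entries that can still match; behaviour identical to the input.
    """
    dead, conflicts, live = [], [], []
    for r in rules:
        shadow = next((k for k in live if covers(k, r)), None)
        if shadow is not None:
            dead.append((r, shadow))
            continue
        conflicts += [(k, r) for k in live
                      if k.action != r.action and overlaps(k, r) and not covers(r, k)]
        live.append(r)
    return dead, conflicts, live


def analyse_config(text):
    """Parse every access-list line and analyse each ACL number on its own."""
    by_acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('access-list'):
            r = parse_acl_line(line)
            by_acl.setdefault(r.acl, []).append(r)
    return {acl: analyse(rules) for acl, rules in by_acl.items()}


# Constructed sample for the example; not taken from any real router.
SAMPLE = """
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 101 deny   tcp 10.1.5.0 0.0.0.255 any eq 22
access-list 101 permit tcp host 10.1.5.7 any eq 22
access-list 101 deny   udp 192.168.0.0 0.0.255.255 host 10.9.9.9 eq 53
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit udp 192.168.1.0 0.0.0.255 any
access-list 101 deny   ip any any log
"""

if __name__ == '__main__':
    for acl, (dead, conflicts, live) in analyse_config(SAMPLE).items():
        print(f'ACL {acl}: {len(dead)} dead, {len(conflicts)} order-dependent, {len(live)} remain')
        for r, by in dead:
            why = 'redundant' if r.action == by.action else 'shadowed, opposite action'
            print(f'  dead ({why}): {r.text}\n      covered by: {by.text}')
        for k, r in conflicts:
            print(f'  order-dependent: {k.text}\n               vs: {r.text}')
```

On the sample, entries 2 and 3 are dead (both hidden by the /16 permit on line 1; the deny on line 2 is the one to worry about, since someone evidently meant it to bite), entry 6 is a redundant copy of entry 5, and entries 4 and 5 are flagged as order-dependent because they agree on some of their traffic but neither contains the other. The final `deny ip any any` is not reported against the permits it generalises. Extending the model to source ports, `established`, named ACLs or IPv6 means adding dimensions to `Rule`; the containment and overlap tests stay the same.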

