[128864] in North American Network Operators' Group


Re: (cisco, or any) acl *reducers* out there?

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Wed Aug 18 20:47:45 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Thu, 19 Aug 2010 00:47:37 +0000
In-Reply-To: <5F0D0E5F-2BB3-43EB-B56A-F622763D78C3@apnic.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:

> (we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that its FRAGILE)

Attempts by various commercial solutions aside, there isn't really a workable, usable, scalable and reliable automated way to do this, AFAIK; apart from the complexity of the task itself, platform-specific ACL handling complicates matters further.

To begin getting a handle on your ACLs, implement some form of revision control (RCS, CVS, subversion, whatever), and then work to modularize the ACLs by function:

<https://files.me.com/roland.dobbins/prguob>

Then take a look at whether the ACLs in question all actually belong on the edge, or whether it makes sense to break them out and instantiate the relevant policies at various points within the topology.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

    Injustice is relatively easy to bear; what stings is justice.

                        -- H.L. Mencken
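The thread asks about ACL "reducers". As an added illustration that is not from the post or its author, the following Python script does one narrow piece of that job: it flags entries in a Cisco-style extended ACL that can never match because an earlier entry already covers them, which is the kind of accretion the original question describes. It assumes a simplified syntax (permit/deny lines only, contiguous wildcard masks, an optional `eq` port on the destination) and a constructed sample ACL.

```python
"""Find unreachable (shadowed) entries in a Cisco-style extended ACL body.
Assumed syntax: <permit|deny> <proto> <src> <dst> [eq <port>] [log], where
src/dst are 'any', 'host A', or 'A WILDCARD' with a contiguous wildcard."""
import ipaddress

def _parse_addr(tokens):
    """Consume one address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress treats a mask whose first octet is 0 as a hostmask, i.e. a
    # Cisco wildcard; an all-zero wildcard means a single host.
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ace(line):
    """Return (action, proto, src_net, dst_net, dst_port) for one entry."""
    action, proto, *rest = line.split()
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
    return action, proto, src, dst, port

def covers(earlier, later):
    """True if every packet matching 'later' already matches 'earlier'."""
    _, pe, se, de, porte = earlier
    _, pl, sl, dl, portl = later
    return (pe in ("ip", pl) and sl.subnet_of(se) and dl.subnet_of(de)
            and porte in (None, portl))

def shadowed(acl_lines):
    """Return [(shadowed_index, shadowing_index)], first shadower wins."""
    aces = [parse_ace(l) for l in acl_lines]
    found = []
    for j, later in enumerate(aces):
        i = next((i for i in range(j) if covers(aces[i], later)), None)
        if i is not None:
            found.append((j, i))
    return found

SAMPLE_ACL = [                                     # constructed sample
    "permit tcp 10.0.0.0 0.0.0.255 any eq 22",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit tcp 192.168.10.0 0.0.0.255 any eq 443",  # never reached: entry 1
    "permit tcp host 10.0.0.5 any eq 22",            # never reached: entry 0
    "permit udp any any eq 53",
    "deny ip any any",
]

if __name__ == "__main__":
    for j, i in shadowed(SAMPLE_ACL):
        print(f"entry {j} is shadowed by entry {i}: {SAMPLE_ACL[j]!r}")
```

A shadowed entry is dead weight whichever action it carries; reviewing why it was added, rather than deleting it blindly, is the part the post rightly says no tool does for you.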
