[128865] in North American Network Operators' Group
Re: (cisco, or any) acl *reducers* out there?
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Aug 18 21:52:15 2010
In-Reply-To: <3913D43B-E205-43DA-85DE-3ED6854FC874@arbor.net>
Date: Wed, 18 Aug 2010 21:51:59 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Wed, Aug 18, 2010 at 8:47 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
> On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:
>
>> (we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that it's FRAGILE)
>
> Attempts by various commercial solutions aside, there isn't really a workable, usable, scalable and reliable automated way to do this, AFAIK; apart from the complexity of the task itself, platform-specific ACL handling complicates matters further.
>
> To begin getting a handle on your ACLs, implement some form of revision control (RCS, CVS, subversion, whatever), and then work to modularize the ACLs by function:
>
> <https://files.me.com/roland.dobbins/prguob>
>
> Then take a look at whether the ACLs in question all actually belong on the edge, or whether it makes sense to break them out and instantiate the relevant policies at various points within the topology.
a plug for some google-peeps:
<http://code.google.com/p/capirca/>
potentially once you make the definitions/policy-files you can use the
proto-language to sort through your mess in a saner fashion. a nice
aside is you can also create (from the same policy file)
cisco/juniper/iptables configurations.
(tony/pete really did a nice job on this)
-chris
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
>     Injustice is relatively easy to bear; what stings is justice.
>
>                         -- H.L. Mencken
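As an added illustration of what an ACL "reducer" has to do at minimum (this is example code written for this archive page; it is not capirca and not code posted by anyone in the thread), here is a pairwise shadow/redundancy finder for a small subset of Cisco extended ACL syntax. It parses `permit`/`deny` entries with `any`, `host`, wildcard-mask addresses and `eq`/`range` ports, and reports any entry that is fully covered by an earlier one: same action means the later line is dead weight, different action means it is shadowed and never hit. The `EDGE-IN` sample ACL is constructed for the example. Only pairwise subsumption is checked, so an entry covered by the union of several earlier entries is not reported, which is one reason the "accretion" problem stays hard.

```python
"""Pairwise shadow/redundancy finder for a subset of Cisco extended ACL syntax.

Supported entry shape (example code; not capirca, not from the thread):
  [access-list N] permit|deny ip|tcp|udp|icmp SRC [eq P|range A B] DST [eq P|range A B] [log ...]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
Non-contiguous wildcard masks raise ValueError from ipaddress.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)
# Small subset of IOS port keywords; anything else must be numeric.
PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ssh": 22, "telnet": 23, "ntp": 123}


@dataclass(frozen=True)
class Rule:
    line: int                   # 1-based line in the input text, for reporting
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: PortRange
    dst: ipaddress.IPv4Network
    dport: PortRange
    text: str


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec. IOS wildcards are inverted netmasks; invert
    explicitly, because ipaddress would read the wildcard 0.0.0.0 as a /0
    netmask when the ACL author meant a single host (/32)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _ports(tokens: List[str]) -> Tuple[PortRange, List[str]]:
    """Consume an optional 'eq P' or 'range A B' qualifier."""
    if tokens and tokens[0] == "eq":
        p = _port(tokens[1])
        return (p, p), tokens[2:]
    if tokens and tokens[0] == "range":
        return (_port(tokens[1]), _port(tokens[2])), tokens[3:]
    return ANY_PORT, tokens


def parse_rule(line: int, text: str) -> Optional[Rule]:
    """Return a Rule, or None for the named-ACL header, remarks and blank lines."""
    tokens = text.split()
    if not tokens or tokens[0] in ("!", "remark", "ip"):   # "ip access-list ..." header
        return None
    if tokens[0] == "access-list":                       # numbered form: drop "access-list N"
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"line {line}: unsupported entry: {text.strip()}")
    src, rest = _addr(rest)
    sport, rest = _ports(rest)
    dst, rest = _addr(rest)
    dport, rest = _ports(rest)   # trailing 'log', 'established', ... are ignored
    return Rule(line, action, proto, src, sport, dst, dport, text.strip())


def parse_acl(text: str) -> List[Rule]:
    rules = [parse_rule(n, ln) for n, ln in enumerate(text.splitlines(), 1)]
    return [r for r in rules if r is not None]


def _covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport[0] <= b.sport[0] and b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_issues(rules: List[Rule]) -> List[Tuple[str, int, int]]:
    """(kind, later_line, earlier_line) for each rule fully covered by an earlier one.
    Same action -> 'redundant' (safe to delete); different action -> 'shadowed'."""
    issues = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if _covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                issues.append((kind, later.line, earlier.line))
                break
    return issues


# Constructed sample ACL, not one from the thread.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 remark accreted over several years
 permit tcp any host 192.0.2.10 eq www
 deny   ip 10.0.0.0 0.255.255.255 any
 permit tcp 10.1.2.0 0.0.0.255 host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 80
 permit udp any host 192.0.2.53 eq domain
 deny   ip any any log
"""

if __name__ == "__main__":
    for kind, later, earlier in find_issues(parse_acl(SAMPLE_ACL)):
        print(f"line {later} is {kind}: fully covered by line {earlier}")
```

On the sample, line 5 (the 10.1.2.0/24 permit) is shadowed by the broad `deny ip 10.0.0.0 0.255.255.255 any` on line 4, and line 6 is redundant with line 3 because `eq www` and `eq 80` are the same thing. Running this under revision control per ACL is a cheap first pass before reorganising by function, as suggested above; the platform-specific parts (port keywords, wildcard semantics, implicit deny) are exactly where a generic tool needs per-vendor handling.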