[128868] in North American Network Operators' Group
Re: (cisco, or any) acl *reducers* out there?
daemon@ATHENA.MIT.EDU (George Michaelson)
Wed Aug 18 23:24:01 2010
From: George Michaelson <ggm@apnic.net>
In-Reply-To: <m2tymre273.wl%randy@psg.com>
Date: Thu, 19 Aug 2010 13:23:51 +1000
To: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 19/08/2010, at 1:00 PM, Randy Bush wrote:
>> something which can take a couple of hundred basic and extended ACLs and tell you
>> these <ten> don't work
>> these <twenty> conflict
>> the remaining <x> have a sequence and can reduce to this basic <x-y> set
>
> maybe you could go the other direction. as opposed to trying to digest
> and correct cruft, generate the acls from something reasonable so that
> they are canonic by construction.
>
> randy
A reasonable call. It's probably where we'll be by default, because there isn't anything there and I think first principles upward is better than paring back.
Thanks for the responses (and Roland!)
I think it's clear a tool like I asked doesn't exist, and very probably won't, anytime soon.
cheers
-G
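The checker the quoted message asks for, in miniature, as an added Python example that is not code from this thread or from any NANOG member: it models each entry as an (action, protocol, source, destination) tuple, assumes Cisco first-match semantics with "any" and "ip" as wildcards, and flags entries an earlier line fully shadows (same action: redundant, "doesn't work"; different action: conflict). Ports and partial overlaps are deliberately out of scope.

```python
"""Detect redundant and conflicting entries in an ordered first-match ACL.

Added example, not code from the NANOG thread. Entries are modelled as
(action, protocol, source prefix, destination prefix); "any" widens a field.
A first-match ACL is evaluated top to bottom, so an entry fully covered by an
earlier one can never fire: same action means it is redundant, a different
action means it conflicts. Ports and partial overlaps are deliberately ignored."""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, str, str, str]  # (action, proto, src, dst)

def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=False)

def _covers(outer: Entry, inner: Entry) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    _, p_out, s_out, d_out = outer
    _, p_in, s_in, d_in = inner
    proto_ok = p_out == "ip" or p_out == p_in  # Cisco "ip" matches every protocol
    return proto_ok and _net(s_in).subnet_of(_net(s_out)) and _net(d_in).subnet_of(_net(d_out))

def analyse(acl: List[Entry]):
    """Return (redundant, conflicts): lists of (dead_index, shadowing_index)."""
    redundant, conflicts = [], []
    for i, entry in enumerate(acl):
        for j in range(i):
            if _covers(acl[j], entry):
                (redundant if acl[j][0] == entry[0] else conflicts).append((i, j))
                break  # the first shadowing entry already makes entry i dead
    return redundant, conflicts

def reduce_acl(acl: List[Entry]) -> List[Entry]:
    """Drop redundant entries; conflicts are kept so a human can resolve them."""
    dead = {i for i, _ in analyse(acl)[0]}
    return [e for i, e in enumerate(acl) if i not in dead]

SAMPLE_ACL: List[Entry] = [  # constructed sample, not from any real device
    ("permit", "tcp", "10.1.0.0/16", "any"),
    ("deny",   "tcp", "10.1.2.0/24", "any"),            # conflict with entry 0
    ("permit", "tcp", "10.1.3.0/24", "192.0.2.0/24"),  # redundant with entry 0
    ("deny",   "ip",  "any",         "any"),
    ("permit", "udp", "10.2.0.0/16", "any"),            # conflict with entry 3
]

if __name__ == "__main__":
    print("redundant, conflicts:", analyse(SAMPLE_ACL))
    print("reduced:", reduce_acl(SAMPLE_ACL))
```

Generating ACLs from a canonical source, as Randy suggests, avoids the problem by construction; a shadowing check like this is the cheap sanity pass for the hundreds of hand-edited lists already deployed.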