[nsp] Script to check for unused ACLs

John Kristoff jtk at northwestern.edu
Fri Jan 2 11:25:02 EST 2004


I thought someone might find this helpful.  Below is a simple script to
find unused ACLs in your IOS configs.  Pass a directory with stored
configs on the command line (or adjust it to suit your needs).  Please
send me any script bugs or additional matches I may have forgotten back
to me so I can update my copy with your improved version.  In testing,
250 unused ACLs were the minimum found for an organization that I've seen
so far.  :-)

I hereby place this script in the public domain.  Warning, script lines
may wrap in your email client:

  #!/bin/sh
  #
  # acl-usage.sh - output cisco ACLs from stored configs that are not in use
  #
  # requires: perl5 or later in the path
  #           egrep, find, grep, sort and uniq in the path
  #           cisco IOS stored configs

  if [ $# -ne 1 ] ; then
     echo "  Usage:   $0 path-to-router-config-file(s)"
     echo "Example:   $0 /var/configs"
     exit 1
  fi

  # walk the config directory (one level only), skipping subdirectories
  for confg in `find "$1"/.* "$1"/* -prune ! -type d -print` ; do
      # collect every ACL number or name that this config defines:
      # "access-list 101 ..." or "ip access-list extended|standard NAME"
      for acl in `grep access-list "$confg" | perl -ne 'print "$1\n" if /access-list (?:extended |standard )?(\S+)/' | sort | uniq` ; do
          # an ACL counts as used when it is applied by one of the constructs
          # below (interface/line filters, multicast boundary, PIM RP filter,
          # SNMP community, route-map match).  The trailing "( |$)" stops
          # ACL 10 from being counted as used by a reference to ACL 100.
          if [ `egrep -c "(access-(class|group)|ip (multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl( |$)" "$confg"` -eq 0 ] ; then
              echo "$confg:$acl:unused"
          fi
      done
  done

  # end script

John
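A Python version of the same check, added here as an example and not part of John's post: it looks for the same referencing constructs as the shell script, but matches ACL names as whole tokens (so ACL 10 is not counted as used by a reference to ACL 100) and picks up every ACL on a multi-ACL "match ip address" line. The config text below is constructed for the example.

```python
import re

# Constructed sample IOS config (not from the original post): ACL 10 is
# applied to an interface, 100 is referenced only by a route-map, and
# 101 plus the named ACL EDGE-IN are defined but never referenced.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 deny ip any any
ip access-list extended EDGE-IN
 permit tcp any any eq 22
interface FastEthernet0/0
 ip access-group 10 in
route-map EXPORT permit 10
 match ip address 100
line vty 0 4
 access-class 1000 in
"""

# A definition line: "access-list 10 ..." or "ip access-list extended NAME".
DEF_RE = re.compile(r"^(?:ip )?access-list (?:extended |standard )?(\S+)")
# Constructs that apply an ACL (the same set the shell script looks for);
# everything after the keyword is captured and split into whole tokens.
REF_RE = re.compile(
    r"(?:access-(?:class|group)|ip multicast boundary"
    r"|ip pim rp-address [0-9.]+|snmp-server community \S+ (?:RO|RW)"
    r"|match ip address)((?: \S+)+)"
)

def defined_acls(config):
    """Return the set of ACL numbers/names defined in an IOS config text."""
    return {m.group(1) for line in config.splitlines()
            if (m := DEF_RE.match(line.strip()))}

def referenced_acls(config):
    """Return every token that follows an ACL-applying construct."""
    refs = set()
    for line in config.splitlines():
        m = REF_RE.search(line.strip())
        if m:
            # "match ip address 100 101" lists several ACLs; "in"/"out"
            # after access-group are harmless extra tokens.
            refs.update(m.group(1).split())
    return refs

def unused_acls(config):
    """ACLs defined but never applied, sorted for stable output."""
    return sorted(defined_acls(config) - referenced_acls(config))

if __name__ == "__main__":
    for acl in unused_acls(SAMPLE_CONFIG):
        print(f"{acl}:unused")
```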

