[nsp] Script to check for unused ACLs
Steffen Voigt
steffen at electrolyte.de
Fri Jan 2 11:53:36 EST 2004
Hi,
you forgot about the BGP stuff (AS-path ACLs), I modified one line
below ;-)
John Kristoff wrote:
>I thought someone might find this helpful. Below is a simple script to
>find unused ACLs in your IOS configs. Pass a directory with stored
>configs on the command line (or adjust it to suit your needs). Please
>send me any script bugs or additional matches I may have forgotten back
>to me so I can update my copy with your improved version. In testing,
>250 unused ACLs were the minimum found for an organization that I've seen
>so far. :-)
>
>I hereby place this script in the public domain. Warning, script lines
>may wrap in your email client:
>
> #!/bin/sh
> #
> # acl-usage.sh - output cisco ACLs from stored configs that are not in use
> #
> # requires: perl5 or later in the path
> # egrep, find, grep, sort and uniq in the path
> # cisco IOS stored configs
>
> if [ $# -eq 0 -o $# -gt 1 ] ; then
> echo " Usage: $0 path-to-router-config-file(s)"
> echo "Example: $0 /var/configs"
> exit 1
> fi
>
> # one pass per stored config; "$1" is quoted so the config directory is passed intact
> for confg in `find "$1"/.* "$1"/* -prune ! -type d -exec ls {} \;` ; do
> # every distinct ACL name or number defined in this config
> for acl in `grep access-list "$confg" | perl -ne '/.*access-list (?:extended |standard )?(\S+)(?:\s+.*)?/ ; print "$1\n"' | sort | uniq` ; do
> # an ACL counts as in use when something references it; "( |$)" keeps ACL 1 from matching a reference to ACL 10 or 101
> if [ `egrep -c "(access-(class|group)|ip (multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl( |$)" "$confg"` -eq 0 ] ; then
>
>
if [ `egrep -c "(access-(class|group)|ip (as-path access-list|multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl( |$)" "$confg"` -eq 0 ] ; then
> echo $confg:$acl:unused
> fi
> done
> done
>
> # end script
>
>John
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>