[nsp] Script to check for unused ACLs

Steffen Voigt steffen at electrolyte.de
Fri Jan 2 12:42:22 EST 2004


and one more :-) this time NAT stuff...

Steffen Voigt wrote:

> Hi,
>
> you forgot about the bgp stuff (as-path acl's), I modified one line 
> below ;-)
>
> John Kristoff wrote:
>
>> I thought someone might find this helpful.  Below is a simple script to
>> find unused ACLs in your IOS configs.  Pass a directory with stored
>> configs on the command line (or adjust it to suit your needs).  Please
>> send me any script bugs or additional matches I may have forgotten back
>> to me so I can update my copy with your improved version.  In testing,
>> 250 unused ACLs were the minimum found for an organization that I've seen
>> so far.  :-)
>>
>> I hereby place this script in the public domain.  Warning, script lines
>> may wrap in your email client:
>>
>>  #!/bin/sh
>>  #
>>  # acl-usage.sh - output cisco ACLs from stored configs that are not in use
>>  #
>>  # requires: perl5 or later in the path
>>  #           egrep, find, grep, sort and uniq in the path
>>  #           cisco IOS stored configs
>>
>>  if [ $# -eq 0 -o $# -gt 1 ] ; then
>>     echo "  Usage:   $0 path-to-router-config-file(s)"
>>     echo "Example:   $0 /var/configs"
>>     exit 1
>>  fi
>>
>>  for confg in `find $1/.* $1/* -prune ! -type d -exec ls {} \;` ; do
>>      for acl in `grep access-list $confg | perl -ne '/.*access-list (?:extended |standard )?(\S+)(?:\s+.*)?/ ; print "$1\n"' | sort | uniq` ; do
>>          if [ `egrep -c "(access-(class|group)|ip (multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl" $confg` -eq 0 ] ; then
>>  
>>
>
> if [ `egrep -c "(access-(class|group)|ip (as-path access-list|multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl" $confg` -eq 0 ] ; then

if [ `egrep -c "(access-(class|group)|ip (nat (inside|outside) source list|as-path access-list|multicast boundary|pim rp-address [0-9\.]+)|snmp-server community .* (RO|RW)|match ip address) $acl" $confg` -eq 0 ] ; then

>
>
>>              echo $confg:$acl:unused
>>          fi
>>      done
>>  done
>>
>>  # end script
>>
>> John
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>  
>>
>

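The approach the thread converges on, written out as one self-contained script. This is an added example, not John's script and not Steffen's modified egrep line: it collects every ACL definition (numbered, named, and as-path), collects every reference the thread matches on (access-class, access-group, NAT source list, multicast boundary, PIM rp-address, SNMP community, route-map match ip address), and prints the difference in the same file:acl:unused form. Two points go beyond the thread and are my additions: names are compared as whole fields rather than as an unanchored `$acl` at the end of an egrep pattern, so ACL 10 is not reported as in use merely because `ip access-group 100 in` contains the string 10 (a stale ACL that survives cleanup because of a false match is exactly what a hygiene check should catch); and an as-path list counts as used when a `neighbor ... filter-list` or `match as-path` line names it, rather than its own definition line being counted as a use. The sample config is constructed for the demonstration and is not from any real device; the function names are mine.

```shell
#!/bin/sh
# Added example (not the script from the thread): report IOS ACLs that a
# stored config defines but never applies. POSIX sh + awk/sort/comm only.
# Matching is done on whole fields, so ACL "10" is not counted as used
# just because "ip access-group 100 in" contains the substring "10".
export LC_ALL=C    # same collation for sort and comm

# Write a constructed sample config (not a real router) to the path in $1.
# ACLs 6, 10, 101 and STALE-RULES are defined but never referenced.
write_sample_config() {
    cat > "$1" <<'EOF'
hostname demo-rtr
ip as-path access-list 5 permit ^65001_
ip as-path access-list 6 permit ^65002_
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 20 permit 198.51.100.1
access-list 100 permit tcp any any eq 22
access-list 101 permit ip any any
ip access-list extended NAT-INSIDE
 permit ip 10.0.0.0 0.255.255.255 any
ip access-list standard SNMP-MGMT
 permit 192.0.2.10
ip access-list extended STALE-RULES
 permit ip any any
interface FastEthernet0/0
 ip access-group 100 in
 ip nat inside
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
snmp-server community s3cr3t RO SNMP-MGMT
router bgp 65000
 neighbor 203.0.113.1 remote-as 65001
 neighbor 203.0.113.1 filter-list 5 in
line vty 0 4
 access-class 20 in
end
EOF
}

# ACL names/numbers defined in the config, sorted and de-duplicated.
defined_acls() {
    awk '
        $1 == "access-list"                                                      { print $2 }  # numbered
        $1 == "ip" && $2 == "access-list" && ($3 == "extended" || $3 == "standard") { print $4 }  # named
        $1 == "ip" && $2 == "as-path" && $3 == "access-list"                     { print $4 }  # BGP as-path
    ' "$1" | sort -u
}

# ACL names/numbers the config applies somewhere: the references the thread
# collects, plus the BGP filter-list / match as-path uses of as-path lists.
referenced_acls() {
    awk '
        $1 == "access-class"                                                     { print $2 }
        $1 == "ip" && $2 == "access-group"                                       { print $3 }
        $1 == "ip" && $2 == "nat" && $4 == "source" && $5 == "list"              { print $6 }
        $1 == "ip" && $2 == "multicast" && $3 == "boundary"                      { print $4 }
        $1 == "ip" && $2 == "pim" && $3 == "rp-address" && NF >= 5               { print $5 }
        $1 == "snmp-server" && $2 == "community" && ($4 == "RO" || $4 == "RW") && NF >= 5 { print $5 }
        $1 == "match" && $2 == "ip" && $3 == "address" && $4 != "prefix-list"    { for (i = 4; i <= NF; i++) print $i }
        $1 == "neighbor" && $3 == "filter-list"                                  { print $4 }
        $1 == "match" && $2 == "as-path"                                         { for (i = 3; i <= NF; i++) print $i }
    ' "$1" | sort -u
}

# Print "<file>:<acl>:unused" for every defined ACL that has no reference.
unused_acls() {
    cfg="$1"
    def=$(mktemp); ref=$(mktemp)
    defined_acls "$cfg" > "$def"
    referenced_acls "$cfg" > "$ref"
    # comm -23: lines present only in the first (sorted) input
    comm -23 "$def" "$ref" | awk -v f="$cfg" '{ print f ":" $0 ":unused" }'
    rm -f "$def" "$ref"
}

# Stand-alone demo: check the constructed config, then clean up.
demo() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    unused_acls "$tmp"
    rm -f "$tmp"
}
demo
```

Run as-is to see the report for the constructed config; on a directory of stored configs, loop over the files and call `unused_acls` on each, as the thread's script does with `find`. Splitting definition and reference collection into two passes also makes it easy to add a new reference type (one awk pattern) without touching the rest.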


