[nsp] Announcing aclmaker-1.04rc1, with check for unused ACLs

Ed Ravin eravin at panix.com
Mon Jan 5 01:26:19 EST 2004


On Fri, Jan 02, 2004 at 10:25:02AM -0600, John Kristoff wrote:
> I thought someone might find this helpful.  Below is a simple script to
> find unused ACLs in your IOS configs. 

Which subsequently grew to be not so simple :-).  I've added this test
to aclmaker, along with a few other fixes and features.  There are
two ways to access this new feature:

  aclmaker list unused

Will test all the ACLs stored on the router and report which ones appear
to be unused.

  aclmaker put ACLNAME

Will now issue a warning when you store an ACL that does not appear to
be used.

There are a few other changes:

#######  list of non-existent access-list now returns an error
#######  when applying ACL to interface, warn if no "deny" statements
         (ACL may be ignored by router)
#######  detect buffer overflow when fetching config

This is a release candidate - hopefully after some feedback I'll put
this version up on Sourceforge.  Please email problems with aclmaker
directly to me, not the list, though you might want to CC John if the
problem is an ACL-using IOS feature that we haven't coded for.

Aclmaker 1.04rc1 can be downloaded from:

   http://www.panix.com/~eravin/aclmaker-1.04rc1

------------
PS: For those of you with eagle eyes for IOS syntax, here's my Perl
version of John's script (@config is an array with the lines of
the running config in it):

use strict;
use warnings;

our @config;	# lines of the running config, filled in by the caller

sub test_acl_unused # aclname  # (returns true if ACL not in use)
{
	my ($aclname) = @_;

	# Match every IOS command that can reference an ACL, then require the
	# exact ACL name: \Q...\E makes "." and "+" in the name literal, and the
	# trailing (?:\s|$) stops ACL "10" from matching a line that uses "100".
	return (!grep
		/(access-(class|group)|distribute-list|ip (as-path access-list|directed-broadcast|msdp redistribute list|msdp sa-filter (in|out) .*list|pim rp-address [0-9\.]+|tcp intercept list)|ipx (input-network-filter|input-sap-filter|output-ggs-filter|output-gns-filter|output-network-filter|output-sap-filter|router-filter|router-sap-filter)|match (address|ip address)|multicast boundary|ntp access-group (peer|query-only|serve|serve-only)|snmp-server community .* (RO|RW)|ip receive access-list|ip msdp sa-filter (in|out) list|ip msdp sa-filter (in|out) .* rp-list|tag-switching (advertise|request)-tags for|ip nat (inside|outside) source list) \Q$aclname\E(?:\s|$)/,
		@config);
}
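As an added illustration (not aclmaker code or part of John's or Ed's scripts), here is the "list unused" idea run end to end over a constructed IOS config: collect every ACL the config defines, then test each against a shortened version of the referencing-command list above. The sample config and the helper names are invented for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample config. ACL 10 is defined but only ACL 100 is
# applied, so a plain substring match would wrongly report 10 as in use.
# VTY-ONLY is applied but never defined (the "non-existent access-list" case).
my @config = (
    'access-list 10 permit 192.0.2.0 0.0.0.255',
    'access-list 100 permit ip any any',
    'ip access-list extended EDGE-IN',
    ' permit tcp any host 192.0.2.1 eq 22',
    'ip access-list standard SNMP-MGMT',
    ' permit 192.0.2.10',
    'interface FastEthernet0/0',
    ' ip access-group 100 in',
    ' ip access-group EDGE-IN in',
    'snmp-server community s3cr3t RO SNMP-MGMT',
    'line vty 0 4',
    ' access-class VTY-ONLY in',
);

# Names/numbers of every ACL the config defines (numbered or named).
sub defined_acls {
    my %seen;
    for (@_) {
        $seen{$1} = 1 if /^access-list (\S+)/
                      || /^ip access-list (?:standard|extended) (\S+)/;
    }
    return sort keys %seen;
}

# True if no command references $aclname. The name is quoted so regex
# metacharacters are literal, and must be followed by whitespace or end
# of line so that "10" is not taken as a prefix of "100".
sub acl_unused {
    my ($aclname, @lines) = @_;
    return !grep {
        /(?:access-(?:class|group)|distribute-list|match (?:ip )?address|snmp-server community \S+ (?:RO|RW)) \Q$aclname\E(?:\s|$)/
    } @lines;
}

my @unused = grep { acl_unused($_, @config) } defined_acls(@config);
print "unused: @unused\n";
```

Only ACL 10 is reported as unused; extending the alternation in acl_unused to the full list from test_acl_unused gives the same result for the other IOS features.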
