[c-nsp] ACL creation and editing tool suggestions?
Ziv Leyes
zivl at gilat.net
Sun Jun 7 08:48:43 EDT 2009
I can't imagine any kind of environment that would need 300 or more lines of ACL; I'm sure most of it is historical trash that can be disposed of.
I'd suggest you try to determine what you REALLY need and create a new ACL based on actual and updated needs, and then just delete the unused old ones.
I have some long ACLs which I'm used to creating divided into sections, according to protocol, then most to least specific, starting with the permits and ending with the denies; even when implied I like to put them in so it's clear to others, e.g.
ip access-list extended TEST
permit icmp any any
permit udp any eq 53 any
permit tcp any any established
permit tcp any host 2.2.2.2 eq 80
permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
deny tcp any host 2.2.2.2 eq 3339
permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
deny ip any 4.4.4.0 0.0.0.255
permit ip any any
In case I need to add/remove/edit a working ACL I always use the line numbers.
If you do "show ip access-list TEST" for instance you'll get this output:
Extended IP access list TEST
10 permit icmp any any
20 permit udp any eq domain any
30 permit tcp any any established
40 permit tcp any host 2.2.2.2 eq www
50 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
60 deny tcp any host 2.2.2.2 eq 3339
70 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
80 deny ip any 4.4.4.0 0.0.0.255
90 permit ip any any
This allows you to remove a line by doing
conf t
ip access-list extended TEST
no 60
!
Or add a line in between
55 permit tcp host 5.5.5.5 host 2.2.2.2 eq 3339
Which will change your ACL to:
Extended IP access list TEST
10 permit icmp any any
20 permit udp any eq domain any
30 permit tcp any any established
40 permit tcp any host 2.2.2.2 eq www
50 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
55 permit tcp host 5.5.5.5 host 2.2.2.2 eq 3339
60 deny tcp any host 2.2.2.2 eq 3339
70 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
80 deny ip any 4.4.4.0 0.0.0.255
90 permit ip any any
Anyway, I wouldn't suggest using any kind of automatic stuff; you'll have to actually go line by line, as tedious as it may sound, to determine exactly what you need or not, or just opt to create them from scratch, setting only the stuff you're sure you need, and save the old ones for reference or future review.
Hope this helps,
Ziv
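The sequence-number workflow Ziv describes (parse the "show ip access-list" output, then "no 60" to remove an entry or "55 permit ..." to insert one between 50 and 60) can be modelled offline before touching the router. The script below is an added example, not code from Ziv or from the cisco-nsp list; it parses the quoted show output (a constructed copy, with an IOS-style "(12 matches)" hit counter added to one line), applies ACL sub-mode commands to an in-memory copy, renders the result in the same order IOS would list it, and flags entries whose text exactly repeats an earlier entry, which is one kind of "historical trash" a line-by-line review should catch. It assumes the IOS behaviour that an entry typed without a sequence number is appended 10 above the current highest number, and that re-using an existing sequence number is an error.

```python
import re

# Constructed sample input: the 'show ip access-list TEST' output quoted in the post,
# with an IOS-style hit counter "(12 matches)" added to the first entry.
SHOW_OUTPUT = """Extended IP access list TEST
    10 permit icmp any any (12 matches)
    20 permit udp any eq domain any
    30 permit tcp any any established
    40 permit tcp any host 2.2.2.2 eq www
    50 permit tcp host 1.1.1.1 host 2.2.2.2 eq 3339
    60 deny tcp any host 2.2.2.2 eq 3339
    70 permit ip host 3.3.3.3 4.4.4.0 0.0.0.255
    80 deny ip any 4.4.4.0 0.0.0.255
    90 permit ip any any
"""

HEADER_RE = re.compile(r"^(Extended|Standard) IP access list (\S+)")
# seq, action, rule text; optional trailing "(N match)" / "(N matches)" counter is dropped.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


def parse_show_access_list(text):
    """Parse one ACL from 'show ip access-list' output into (name, {seq: rule})."""
    name = None
    entries = {}
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            name = h.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and name is not None:
            entries[int(m.group(1))] = f"{m.group(2)} {m.group(3)}"
    return name, entries


def apply_edits(entries, commands):
    """Apply ACL sub-mode commands ('no 60', '55 permit ...', 'permit ...') to a copy."""
    acl = dict(entries)
    for cmd in commands:
        cmd = cmd.strip()
        if cmd in ("", "!"):
            continue
        m = re.match(r"^no\s+(\d+)$", cmd)
        if m:
            seq = int(m.group(1))
            if seq not in acl:
                raise KeyError(f"no entry with sequence number {seq}")
            del acl[seq]
            continue
        m = re.match(r"^(\d+)\s+((?:permit|deny)\s.+)$", cmd)
        if m:
            seq = int(m.group(1))
            if seq in acl:
                # Assumption: IOS rejects a second entry with the same sequence number.
                raise ValueError(f"duplicate sequence number {seq}")
            acl[seq] = m.group(2)
            continue
        if re.match(r"^(permit|deny)\s", cmd):
            # Assumption: without a number IOS appends 10 above the current highest entry.
            acl[(max(acl) if acl else 0) + 10] = cmd
            continue
        raise ValueError(f"unsupported command: {cmd!r}")
    return acl


def render(name, entries):
    """Render the ACL the way 'show ip access-list' lists it (sorted by sequence)."""
    lines = [f"Extended IP access list {name}"]
    lines += [f"{seq} {rule}" for seq, rule in sorted(entries.items())]
    return lines


def shadowed_duplicates(entries):
    """(seq, earlier_seq) pairs where the rule text exactly repeats an earlier entry.

    Such an entry can never match traffic, since the earlier copy is evaluated first.
    """
    seen = {}
    dups = []
    for seq, rule in sorted(entries.items()):
        if rule in seen:
            dups.append((seq, seen[rule]))
        else:
            seen[rule] = seq
    return dups


if __name__ == "__main__":
    name, acl = parse_show_access_list(SHOW_OUTPUT)
    edited = apply_edits(acl, ["no 60", "55 permit tcp host 5.5.5.5 host 2.2.2.2 eq 3339"])
    print("\n".join(render(name, edited)))
    print("shadowed duplicates:", shadowed_duplicates(edited))
```

Running the script prints the ACL as it would look after both edits from the post, with 60 gone and 55 sitting between 50 and 70. The duplicate check only looks for textually identical entries; overlapping prefixes or wider rules that shadow narrower ones still need the line-by-line read Ziv recommends.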
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Granados
Sent: Saturday, June 06, 2009 9:28 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACL creation and editing tool suggestions?
I'm working in an environment with several large (north of 300 lines) ACLs that need managing. Several different people have had their hands in editing before I arrived and the lists have grown into large jumbled messes and as such are introducing a lot of errors because of their complexity. I'm wondering how people manage large ACLs effectively. Are there any tools that help in the automation of ACL creation or any good methods, if even by hand, that folks could recommend to help ease the clean up and maintenance process? Something that could optimize the ACL in automated fashion?
Any pointers would be appreciated.
Thanks
Scott
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************