[c-nsp] ACL creation and editing tool suggestions?

Yann Gauteron ygauteron at gmail.com
Sun Jun 7 11:45:53 EDT 2009


2009/6/7 Ziv Leyes <zivl at gilat.net>:
> I can't imagine any kind of environment that would need 300 or more lines of ACL, I'm sure most of it is historical trash that can be disposed of.
> I'd suggest you try to determine what you REALLY need and create a new ACL based on actual and updated needs, and then just delete the unused old ones.

I can imagine a design where subnets are badly aggregated and where an
ACL entry has to be repeated many times because it has to be applied
to non-adjacent subnets that should have the same access control
applied. I have seen this once... This was the result of historical
evolution of the network without ever thinking more steps forward
than just the present augmentation (for instance reserving some
adjacent IP subnets for future extensions). ACL management is a
nightmare, but redesigning the network was just something that was not
considered by the company (because of the time and costs, and "why
would I redesign it, as it operates as expected?")
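As an added illustration of the repeated-entry problem described in this message (example code written for this page, not a tool from the thread or from any list member), the script below parses a small Cisco-style extended ACL, groups entries that differ only in their source prefix, and for each group reports how many entries exact summarisation can remove versus the single prefix that would have sufficed had the source subnets been allocated adjacently. The ACL text is a constructed sample; only the Python standard library is used.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not from the thread): one rule repeated for several
# source subnets, some adjacent and summarisable, one (10.9/16) not.
SAMPLE_ACL = """\
ip access-list extended SERVER-IN
 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443
 permit tcp 10.2.0.0 0.0.255.255 host 192.0.2.10 eq 443
 permit tcp 10.3.0.0 0.0.255.255 host 192.0.2.10 eq 443
 permit tcp 10.9.0.0 0.0.255.255 host 192.0.2.10 eq 443
 permit tcp host 10.1.4.7 host 192.0.2.11 eq 22
 deny ip any any
"""

def _take_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "ADDRESS WILDCARD": ipaddress accepts a host (wildcard) mask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_acl(text):
    """Yield (action, proto, src_net, dst_net, ports) for each ACE."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark or blank
        src, i = _take_addr(tokens, 2)
        dst, i = _take_addr(tokens, i)
        yield tokens[0], tokens[1], src, dst, " ".join(tokens[i:])

def covering_supernet(nets):
    """Smallest single prefix containing every network in nets."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

def summarise(text):
    """Group ACEs that differ only in source; report (entries, entries after
    exact summarisation, prefix that would cover all sources if adjacent)."""
    groups = defaultdict(list)
    for action, proto, src, dst, ports in parse_acl(text):
        groups[(action, proto, str(dst), ports)].append(src)
    return {k: (len(v), len(list(ipaddress.collapse_addresses(v))),
                str(covering_supernet(v))) for k, v in groups.items()}
```

For the sample, the four HTTPS entries collapse only to three (10.2/16 and 10.3/16 merge, 10.1/16 and 10.9/16 cannot), while a single 10.0.0.0/12 would have covered them all had the subnets been reserved adjacently.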

