Re: [fw-wiz] Cisco acls
From: Kevin (kkadow_at_gmail.com)
Date: 03/16/05
- Previous message: Joe Mazzotti: "[fw-wiz] SSL VPN vs. IPSec VPN"
- In reply to: Mark Teicher: "RE: [fw-wiz] Cisco acls"
- Next in thread: Steve Saeedi: "Re: [fw-wiz] Cisco acls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com Date: Wed, 16 Mar 2005 00:41:47 -0600
On Tue, 08 Mar 2005 07:06:23 -0500, Mark Teicher wrote:
> Has anyone seen or heard of a Cisco ACL lint checker to validate
> whether a certain acl is being utilized or at all.
By 'lint' are you suggesting a tool to check whether a line in an ACL
is redundant, can never be matched because it is "overshadowed" by a
rule higher up in a "first-match" policy? That *would* be neat.
IIRC, OpenBSD has something close in the latest 'pf' rule optimization
efforts, however pf rules are "last match" unlike Cisco's "first
match" model.
> What about old acls that have been around for a while,
> and no one understands why they were inserted in the first place.
Cisco has counters for how many times an ACL line has matched a
packet, since the last time the counters were cleared, the ACL
changed, or the device rebooted.
Extended ACLs support comments. I include a date, a name, and a
couple of words as to why the following rule exists. Audit loves
this, CCIEs hate it.
Kevin Kadow
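A minimal checker for the shadowed-rule case described above, added here as an example and not part of the original thread or any Cisco tool: it parses a simplified Cisco extended ACL grammar (any / host / wildcard-mask addresses, optional destination `eq` port; no source ports, ranges or `established`) and reports every entry that a single earlier entry already matches in full, since under first-match evaluation that entry can never fire regardless of the two actions. The sample ACL is constructed.

```python
import ipaddress

def _addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D <wildcard>'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks; ipaddress accepts that hostmask form
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Return (action, proto, src, dst, dport) for one entry, or None for a remark.
    Assumed simplified grammar: no source ports, port ranges or 'established'."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]  # drop 'access-list <number>'
    if tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    dport = tokens[i + 1] if i < len(tokens) and tokens[i] == "eq" else None
    return action, proto, src, dst, dport

def covers(earlier, later):
    """True if every packet matching 'later' already hit 'earlier' (action irrelevant)."""
    _, ep, es, ed, eport = earlier
    _, lp, ls, ld, lport = later
    proto_ok = ep == "ip" or ep == lp
    port_ok = eport is None or eport == lport
    return proto_ok and port_ok and ls.subnet_of(es) and ld.subnet_of(ed)

def find_shadowed(acl_lines):
    """Indices into acl_lines of entries fully shadowed by a single earlier entry.
    (Entries shadowed only by the union of several earlier entries are not found.)"""
    entries = [(n, parse_ace(l)) for n, l in enumerate(acl_lines)]
    entries = [(n, a) for n, a in entries if a is not None]
    return [n for j, (n, ace) in enumerate(entries)
            if any(covers(prev, ace) for _, prev in entries[:j])]

# Constructed sample ACL (addresses taken from documentation ranges)
ACL = [
    "access-list 101 remark 2005-03-16 kkadow web to DMZ host",
    "access-list 101 permit tcp any host 192.0.2.10 eq 80",
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.20 eq 22",
    "access-list 101 permit tcp host 198.51.100.5 host 192.0.2.10 eq 80",
    "access-list 101 deny ip any any",
]
```

Running `find_shadowed(ACL)` reports entries 3 and 4: the first is swallowed by the broader `deny ip 10.0.0.0/8`, the second by the earlier `permit tcp any ... eq 80`, and both would show a zero hit counter forever.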
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards