access-list checker

Access-list Checking Tool

 https://cway.cisco.com/tools/accesslist/

Tool Description

  • The tool takes a source/destination IP address and port (SRC/DST IP+Port) and checks whether there is a matching entry in a Cisco IOS/NXOS access list.

Sample Test Input Data:

Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    25 permit ip host 192.168.5.5 10.0.0.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
    41 permit tcp 10.1.1.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
    42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
    40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
   100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80


Source IP - 10.66.86.1
Source Port - 23001
Destination IP - 192.168.1.2
Destination Port - 80

Use Cases

  • Quickly and accurately checking which entry in an ACL matches a flow. Doing this manually during troubleshooting can be difficult and error-prone.

 

Technology

  • IOS, IOS-XE, NXOS

Guidelines

  • Tool ignores protocol types (e.g., IP, TCP, UDP)
  • ACL entries MUST begin with a number (see test input data above)
  • Tool does not support ACLs with the following entries (please remove them from the ACL before using):
    • object-groups, addrgroup, portgroup
    • TCP options/flags (syn, ack, rst, established, fin, psh, etc)
    • ICMP flags (echo-reply, unreachable, ttl-exceeded, etc)
    • capture, dscp, fragments, log, packet-length, precedence, time-range, urg
  • Tool does not support IPv6
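
The kind of check described above (wildcard-mask and port matching against numbered entries) can be sketched as follows. This is an added example, not the Cisco tool's code: the function names are hypothetical, and it assumes numeric ports only, skips the protocol keyword as the guidelines state, and reports every matching entry in listed order rather than assuming how the tool treats sequence numbers.

```python
import ipaddress

# Four entries copied unchanged from the sample test input on this page.
ACL = """\
40 permit tcp any host 192.168.1.2 eq 80
42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80
"""

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok):
    """Consume one address spec from tok; return (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return ip(tok.pop(0)), 0
    if "/" in t:                      # prefix form, e.g. 192.168.0.0/16
        a, n = t.split("/")
        return ip(a), 0xFFFFFFFF >> int(n)
    return ip(t), ip(tok.pop(0))      # address followed by wildcard mask

def port(tok):
    """Consume an optional port spec (numeric ports only: an assumption)."""
    if tok and tok[0] in ("eq", "gt", "lt", "range"):
        op, n = tok.pop(0), int(tok.pop(0))
        if op == "range":
            return n, int(tok.pop(0))
        return {"eq": (n, n), "gt": (n + 1, 65535), "lt": (0, n - 1)}[op]
    return 0, 65535                   # no port spec: any port

def hit(value, spec):                 # wildcard bit 1 = "don't care"
    return ((value ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def matching_entries(acl, src_ip, src_port, dst_ip, dst_port):
    """Sequence numbers of every entry the flow matches, in listed order."""
    out = []
    for tok in map(str.split, acl.splitlines()):
        if not tok or not tok[0].isdigit():
            continue                  # header or blank line
        seq, tok = int(tok[0]), tok[3:]   # drop seq, action, protocol keyword
        s, sp, d, dp = addr(tok), port(tok), addr(tok), port(tok)
        if (hit(ip(src_ip), s) and sp[0] <= src_port <= sp[1]
                and hit(ip(dst_ip), d) and dp[0] <= dst_port <= dp[1]):
            out.append(seq)
    return out
```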

Feedback/Bug reports are always welcome!

ciscocom-apps-access-list-checker@cisco.com

Comments
GSA Beginner
Beginner

ACLcheck utility (beta version)

https://www.youtube.com/watch?v=e31Uz46AKn0
