

Access-list Checking Tool

Tool Description

  • The tool compares a SRC/DST IP+Port and checks to see if there is a matching entry in a Cisco IOS/NXOS access list.

access-list tool

Sample Test Input Data:

Extended IP access list test-acl
    10 permit ip any range 1024 2048 host eq 80
    20 permit ip
    25 permit ip host
    40 permit tcp host lt 65530 any eq 22
    40 permit tcp any host eq 80
    30 permit ip gt 1024
    50 permit ip any any
    41 permit tcp eq 80
    42 permit tcp host gt 1024 range 0 100
    40 permit ip eq 80
   100 permit ip range 100 23000 eq 80

Source IP -
Source Port - 23001
Destination IP -
Destination Port - 80

Use Cases

  • Checking quickly and accurately to see which entry in an ACL matches a flow. This can be difficult and error prone when performed manually during troubleshooting.
  • Tool ignores protocol types (e.g., IP, TCP, UDP)
  • ACL entries MUST begin with a number (see test input data above)
  • Tool does not support ACLs with following entries (please remove them from the ACL before using):
    • object-groups, addrgroup, portgroup
    • TCP options/flags (syn, ack, rst, established, fin, psh, etc)
    • ICMP flags (echo-reply, unreachable, ttl-exceeded, etc)
    • capture, dscp, fragments, log, packet-length, precedence, time-range, urg
  • Does not support IPv6

Feedback/Bug reports are always welcome!


ACLcheck utility (beta version)


My new app, "Network Mom ACL Analyzer", is now in the MacOS 10.14 App Store. It analyzes IOS, IOS-XR, NX-OS, and ASA IPv4 security ACLs:

  1. It finds many types of syntax errors
  2. It finds wildcards that are not on a proper subnet boundary
  3. It warns about CIDRs that are not properly aligned
  4. It finds lines which match a specific TCP/UDP socket in an ACL
  5. It finds "duplicate" ACL lines.

A "duplicate" ACL line is where the earlier line is a strict superset of the later line. This could indicate that the later line is not needed. Or it could indicate that the earlier line is "too broad" (every line is a duplicate of "permit ip any any"). While the tool reports the duplicates, you need to use your judgement to verify it and decide the correct course of action.

- Darrell

CCIE Emeritus #8302
