access-list checker


Access-list Checking Tool

https://cway.cisco.com/tools/accesslist/

Tool Description

  • The tool takes a source/destination IP address and port pair and checks whether a Cisco IOS/NX-OS access list contains an entry matching that flow.

access-list tool

Sample Test Input Data:

Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    25 permit ip host 192.168.5.5 10.0.0.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
    41 permit tcp 10.1.1.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
    42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
    40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
   100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80
Source IP - 10.66.86.1
Source Port - 23001
Destination IP - 192.168.1.2
Destination Port - 80

Use Cases

  • Checking quickly and accurately to see which entry in an ACL matches a flow. This can be difficult and error prone when performed manually during troubleshooting.


Technology

  • IOS, IOS-XE, NXOS

Guidelines

  • The tool ignores protocol types (e.g., IP, TCP, UDP)
  • ACL entries MUST begin with a sequence number (see the test input data above)
  • The tool does not support ACLs containing the following entries (please remove them from the ACL before using it):
    • object-groups, addrgroup, portgroup
    • TCP options/flags (syn, ack, rst, established, fin, psh, etc.)
    • ICMP flags (echo-reply, unreachable, ttl-exceeded, etc.)
    • capture, dscp, fragments, log, packet-length, precedence, time-range, urg
  • IPv6 is not supported
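As an added example (not the tool's own code), a minimal Python matcher for the ACL grammar the sample input exercises: any/host/prefix/wildcard addresses and the eq/lt/gt/range port operators, with the protocol field ignored as the guidelines state. It assumes entries are checked in the order written and stops at the first hit; real devices order by sequence number, which the sample's repeated 40s leave ambiguous. The embedded ACL is a constructed copy of the first sample entries.

```python
import ipaddress
import re
# Constructed: the first entries of the page's sample ACL, verbatim; the header line shows that unnumbered lines are skipped.
SAMPLE_ACL = """Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
"""

def _ip(text):  # dotted quad -> int
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):  # any | host A | A/len | A wildcard -> (network, mask); ip matches iff ip & mask == network
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return _ip(tokens.pop(0)), 0xFFFFFFFF
    if "/" in t:  # NX-OS prefix notation
        net = ipaddress.ip_network(t, strict=False)
        return int(net.network_address), int(net.netmask)
    mask = _ip(tokens.pop(0)) ^ 0xFFFFFFFF  # IOS wildcard: set bits are "don't care" and need not be contiguous
    return _ip(t) & mask, mask

def parse_port(tokens):  # optional eq N | lt N | gt N | range A B -> inclusive (lo, hi); absent means any port
    if not tokens or tokens[0] not in ("eq", "lt", "gt", "range"):
        return 0, 65535
    op, n = tokens.pop(0), int(tokens.pop(0))
    if op == "range":
        return n, int(tokens.pop(0))
    return {"eq": (n, n), "lt": (0, n - 1), "gt": (n + 1, 65535)}[op]

def parse_acl(text):  # entries in the order written; the protocol field is ignored, as the tool's guidelines say
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(permit|deny)\s+\S+\s+(.*)", line)  # seq, action, protocol, rest
        if m:  # lines without a leading sequence number are skipped
            tokens = m.group(3).split()
            src, sport = parse_addr(tokens), parse_port(tokens)  # tuple items are evaluated left to right
            dst, dport = parse_addr(tokens), parse_port(tokens)
            entries.append((src, sport, dst, dport, line.strip()))
    return entries

def first_match(entries, src_ip, src_port, dst_ip, dst_port):  # matching entry text, or None for the implicit deny
    s, d = _ip(src_ip), _ip(dst_ip)
    for (sn, sm), (slo, shi), (dn, dm), (dlo, dhi), text in entries:
        if (s & sm) == sn and slo <= src_port <= shi and (d & dm) == dn and dlo <= dst_port <= dhi:
            return text
    return None
```

For the page's flow (10.66.86.1:23001 to 192.168.1.2:80) this returns `40 permit tcp any host 192.168.1.2 eq 80`; sorted by sequence number instead, entry 30 would match first, so the ordering assumption matters.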

Feedback/Bug reports are always welcome!

ciscocom-apps-access-list-checker@cisco.com

Comments

ACLcheck utility (beta version)

https://www.youtube.com/watch?v=e31Uz46AKn0


My new app, "Network Mom ACL Analyzer", is now in the MacOS 10.14 App Store. It analyzes IOS, IOS-XR, NX-OS, and ASA IPv4 security ACLs:

  1. It finds many types of syntax errors
  2. It finds wildcards that are not on a proper subnet boundary
  3. It warns about CIDRs that are not properly aligned
  4. It finds lines which match a specific TCP/UDP socket in an ACL
  5. It finds "duplicate" ACL lines.

A "duplicate" ACL line is where the earlier line is a strict superset of the later line. This could indicate that the later line is not needed. Or it could indicate that the earlier line is "too broad" (every line is a duplicate of "permit ip any any"). While the tool reports the duplicates, you need to use your judgement to verify it and decide the correct course of action.

- Darrell

CCIE Emeritus #8302
