Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
41507
Views
5
Helpful
5
Comments

access-list checker

Jae Hak Kim
Cisco Employee
Cisco Employee

‎07-06-2016 03:32 AM - edited ‎03-01-2019 05:07 PM

Access-list Checking Tool

 https://cway.cisco.com/tools/accesslist/

Tool Description

  • The tool compares a SRC/DST IP+Port and checks to see if there is a matching entry in a Cisco IOS/NXOS access list.

access-list tool

Sample Test Input Data:

Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    25 permit ip host 192.168.5.5 10.0.0.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
    41 permit tcp 10.1.1.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
    42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
    40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
   100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80


Source IP - 10.66.86.1
Source Port - 23001
Destination IP - 192.168.1.2
Destination Port - 80

Use Cases

  • Checking quickly and accurately to see which entry in an ACL matches a flow. This can be difficult and error prone when performed manually during troubleshooting.

 

Technology

  • IOS, IOS-XE, NXOS

Guidelines

  • Tool ignores protocol types (e.g, IP, TCP, UDP)
  • ACL entries MUST begin with a number (see test input data above)
  • Tool does not support ACLs with following entries (please remove them from the ACL before using):
    • object-groups, addrgroup, portgroup
    • TCP options/flags (syn, ack, rst, established, fin, psh, etc)
    • ICMP flags (echo-reply, unreachable, ttl-exceeded, etc)
    • capture, dscp, fragments, log, packet-length, precedence, time-range, urg
  • Do not support IPv6

Feedback/Bug reports are always welcome!

ciscocom-apps-access-list-checker@cisco.com

Labels:
Preview file
35 KB
Comments
GSA
Level 1
Level 1
‎06-07-2018 10:39 PM

ACLcheck utility (beta version)

https://www.youtube.com/watch?v=e31Uz46AKn0

daroot
Level 1
Level 1
‎07-27-2019 06:52 PM

My new app, "Network Mom ACL Analyzer", is now in the MacOS 10.14 App Store. It analyzes IOS, IOS-XR, NX-OS, and ASA IPv4 security ACLs:

  1. It finds many types of syntax errors
  2. It finds wildcards that are not on a proper subnet boundary
  3. It warns about CIDRs that are not properly aligned
  4. It finds lines which match a specific TCP/UDP socket in an ACL
  5. It finds "duplicate" ACL lines.

A "duplicate" ACL line is where the earlier line is a strict superset of the later line.  This could indicate that the later line is not needed.  Or it could indicate that the earlier line is "too broad"(every line is a duplicate of "permit ip any any").  While the tool reports the duplicates, you need to use your judgement to verify it and decide the correct course of action.

- Darrell

CCIE Emeritus #8302

psafarik
Level 1
Level 1
‎09-29-2022 05:52 AM

Unfortunatelly it doesn't work for IOS-XR.  Do you plan to update this tool for IOS-XR as well ?

daroot
Level 1
Level 1
‎09-29-2022 08:51 AM

@psafarik : My "Network Mom ACL Analyzer" in the macOS App Store (for $10 "lunch money") supports IOS-XR.  If your problem is with my analyzer I'd love to see an ACL sample to troubleshoot (email: feedback AT networkmom.net).  If your problem is with the original poster's tool my tool is an alternative. I have a demo video up at https://youtube.com/watch?v=KITTaPnSx_c&feature=share&utm_source=EKLEiJECCKjOmKnC5IiRIQ - Darrell

GSA
Level 1
Level 1
‎09-29-2022 08:40 PM

Could you show your IOS-XR ACL sample for diagnostic purposes?
I recommend trying this tool: https://aclcheck.ru/en/

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card