I have been looking at acl management s/w in the freecode space and I can find 
lots of tools which manage/distribute and test ACLs in routers.

I'm wondering if anyone has written a parser which can construct rule-trees and 
get rid of the cruft, unusable, order-misorder and other issues in a large ACL 
pool?

It's possible this is NP in the wider sense, but even a partial improvement 
would be useful.

something which can take a couple of hundred basic and extended ACLs and tell 
you

        these <ten> don't work
        these <twenty> conflict
        the remaining <x> have a sequence and can reduce to this basic <x-y> set

(We've got the usual "acquisition of rule by accretion" problem across 4 
edge/core routers with a mix of public facing, internal, WiFi, guest rules, and 
I hate to think this is either start from scratch, or intractable. The evidence 
is that it's FRAGILE.)

-G
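The kind of partial analysis the post asks for can be started with a small static checker. The example below is added here and is not code from the poster or from any of the tools mentioned; it assumes a simplified subset of Cisco-style extended ACL syntax (`permit|deny <proto> <src> <dst> [eq N | range A B]`, with `any`, `host A` or `A WILDCARD` address specs) and works on a constructed rule pool, not a real configuration. It reports rules that can never match because one earlier rule already covers them ("these don't work"), rules that overlap an earlier rule with the opposite action so that swapping them changes behaviour ("these conflict"), and the remaining order-preserving set with the dead rules dropped. Coverage is tested one earlier rule at a time; a rule hidden only by the union of several earlier rules is not detected, which is where the hard part of the problem lives.

```python
"""Static analyzer for a pool of Cisco-style extended ACL entries (added example).

Flags rules that can never match (shadowed by one earlier rule) and rules whose
outcome depends on ordering (overlap with an earlier rule of opposite action).
Coverage is checked one earlier rule at a time, so a rule hidden only by the
*union* of several earlier rules is not detected: this is a partial cleanup,
not a proof of minimality.
"""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    text: str
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (matches every protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                  # inclusive destination port range

    def covers(self, other):
        """True if every packet matched by `other` is also matched by self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport[0] <= other.dport[0]
                and other.dport[1] <= self.dport[1])

    def overlaps(self, other):
        """True if some packet could match both rules."""
        return (("ip" in (self.proto, other.proto) or self.proto == other.proto)
                and self.src.overlaps(other.src)
                and self.dst.overlaps(other.dst)
                and self.dport[0] <= other.dport[1]
                and other.dport[0] <= self.dport[1])


def _parse_addr(tokens, i):
    """Consume an address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # Cisco wildcard -> netmask by inverting the bits; a non-contiguous
    # wildcard (e.g. 0.0.1.0) raises ValueError, which is deliberate.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_rule(line):
    tokens = line.split()
    if tokens[:1] == ["access-list"]:          # "access-list 101 permit ..." form
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = ANY_PORT
    if i < len(tokens) and tokens[i] == "eq":
        dport = (int(tokens[i + 1]), int(tokens[i + 1]))
    elif i < len(tokens) and tokens[i] == "range":
        dport = (int(tokens[i + 1]), int(tokens[i + 2]))
    return Rule(line.strip(), action, proto, src, dst, dport)


def parse_acl(text):
    """Parse a block of ACL lines, skipping blanks, '!' comments and remarks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!") or "remark" in line.split()[:3]:
            continue
        rules.append(parse_rule(line))
    return rules


def analyze(rules):
    """Return {'shadowed': [(j, i, kind)], 'conflicts': [(i, j)], 'reduced': [Rule]}.

    shadowed:  rule j can never match because earlier rule i covers it; kind is
               'redundant' (same action) or 'dead' (opposite action).
    conflicts: rules i < j overlap with opposite actions, so their order decides
               the outcome; these need a human decision, not automatic deletion.
    reduced:   the original order with the shadowed rules removed.
    """
    shadowed, conflicts, reduced = [], [], []
    for j, rj in enumerate(rules):
        hidden_by = next((i for i in range(j) if rules[i].covers(rj)), None)
        if hidden_by is not None:
            kind = "redundant" if rules[hidden_by].action == rj.action else "dead"
            shadowed.append((j, hidden_by, kind))
            continue
        reduced.append(rj)
        for i in range(j):
            if rules[i].action != rj.action and rules[i].overlaps(rj):
                conflicts.append((i, j))
    return {"shadowed": shadowed, "conflicts": conflicts, "reduced": reduced}


# Constructed rule pool for demonstration; not taken from any real device.
SAMPLE_ACL = """\
! constructed example pool
permit tcp any host 192.0.2.10 eq 443
deny ip 10.0.0.0 0.0.0.255 any
permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
deny tcp 10.0.1.0 0.0.0.255 any eq 22
permit ip 10.0.0.0 0.0.1.255 any
deny udp 10.0.1.0 0.0.0.255 host 192.0.2.53 eq 53
"""

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    report = analyze(rules)
    for j, i, kind in report["shadowed"]:
        print(f"{kind:9} #{j} '{rules[j].text}' is covered by #{i} '{rules[i].text}'")
    for i, j in report["conflicts"]:
        print(f"conflict  #{i} and #{j} overlap with opposite actions; order matters")
    print(f"reduced set: {len(report['reduced'])} of {len(rules)} rules")
```

On the constructed pool, rule 2 is redundant (rule 0 already permits it), rule 5 is dead (rule 4 permits everything it would deny), and rules 0/1, 1/4 and 3/4 are order-dependent pairs that a tool can only flag, not resolve. Running the same pass per interface on each of the four routers gives the "these don't work / these conflict / the rest reduce to" split the post describes, with the caveat that multi-rule shadowing still needs a range-splitting or decision-diagram approach.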
