Script to find Unused IOS ACLs

hypnotoadhypnotoad Banned Posts: 915
I have a rather large IOS config and want to automatically find which ACLs are unused for anything. Can this be automated? I found a utility in perl from 2004 that doesn't like more modern IOS syntax.

Any ideas?

Thanks..
HT

Comments

  • chrisonechrisone Senior Member Member Posts: 2,198 ■■■■■■■■■□
    Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldnt even be applied unless under a downtime window with certain amount of time. Also i would have a backup config downloaded from the device using tftp as well.

    Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way if you company doesnt do change request forms, i would still do it anyways to cover your own ass.

    I hope this helps.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, CRTE, AZ-500, SC-200 (March 5th)
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Have you looked at these shell scripts?

    John Kristoff - Software

    Might be the same older script you are talking about? You could probably update it with the proper syntax on your own if so.
    An expert is a man who has made all the mistakes which can be made.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    chrisone wrote: »
    Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldnt even be applied unless under a downtime window with certain amount of time. Also i would have a backup config downloaded from the device using tftp as well.

    Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way if you company doesnt do change request forms, i would still do it anyways to cover your own ass.

    I hope this helps.

    I don't see how running a script against a stored config file would have much impact on the network.
    An expert is a man who has made all the mistakes which can be made.
  • ConstantlyLearningConstantlyLearning Member Posts: 445
    In ASA, I manually monitor and remove ACL's with a hitcount of zero.

    'show access-list ACCESS_LIST | include hitcnt=0'
    "There are 3 types of people in this world, those who can count and those who can't"
  • chrisonechrisone Senior Member Member Posts: 2,198 ■■■■■■■■■□
    I don't see how running a script against a stored config file would have much impact on the network.

    Whether the changes happen off the router or not, in the end it will impact the way the router functions right? that config will end up being stored on a production environment router. I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, CRTE, AZ-500, SC-200 (March 5th)
  • networker050184networker050184 Mod Posts: 11,962 Mod
    chrisone wrote: »
    I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.

    What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. Thats why its better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.
    An expert is a man who has made all the mistakes which can be made.
  • chrisonechrisone Senior Member Member Posts: 2,198 ■■■■■■■■■□
    What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. Thats why its better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.

    Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface? If so i don't know how else you would verify if an ACL were in use or "applied" by the hit count or either by old documentation regarding a scenario with the "just in case" situation.

    At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, i would suggest everyone to do the same. You wont come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.

    Anyways this is my experience with this sort of situation, like i always say, its not 100% nor is it the right or wrong way. Just another method to a situation.

    GL hypnotoad, between networker and I , we both provided enough information to help you out....i hope hahaha
    Certs: CISSP, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, AZ-900, VHL:Advanced+, Retired Cisco CCNP/SP/DP
    2021 Goals
    Courses: eLearnSecurity - PTXv2 (complete), SANS 699: Purple Team Tactics (completed), PentesterLabs Pro (ongoing)
    Certs: eCPTXv2, CRTE, AZ-500, SC-200 (March 5th)
  • networker050184networker050184 Mod Posts: 11,962 Mod
    chrisone wrote: »
    Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface? If so i don't know how else you would verify if an ACL were in use or "applied" by the hit count or either by old documentation regarding a scenario with the "just in case" situation.

    Easy, you grab the running configs and run a script like posted above against it.
    chrisone wrote: »
    At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, i would suggest everyone to do the same. You wont come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.

    Well of course everyone sets out to keep all remarks and documentation accurate, but face it, something is going to get out of date eventually if you have enough devices. There is no perfect system when humans are involved.
    chrisone wrote: »
    GL hypnotoad, between networker and I , we both provided enough information to help you out....i hope hahaha

    Yep, hopefully you can work something out with the script or at least some show commands to get you sorted.
    An expert is a man who has made all the mistakes which can be made.
  • AhriakinAhriakin SupremeNetworkOverlord Member Posts: 1,799 ■■■■■■■■□□
    chrisone wrote: »
    Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface?

    I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though icon_redface.gif ). I think it's essentially modifying the show command to look at the TCAMs. Do a quick google or poke around Cisco Docs and you should find it.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • hypnotoadhypnotoad Banned Posts: 915
    Thanks guys. I don't plan on playing with the ACLs on the live system...I just inherited this project from some guy who loved ACLs a little too much, but I plan to keep it safe :)
  • networker050184networker050184 Mod Posts: 11,962 Mod
    Ahriakin wrote: »
    I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though icon_redface.gif ). I think it's essentially modifying the show command to look at the TCAMs. Do a quick google or poke around Cisco Docs and you should find it.

    Something along the lines of show tcam count interface interface acl. Close to that anyway.
    An expert is a man who has made all the mistakes which can be made.
Sign In or Register to comment.