Script to find Unused IOS ACLs
I have a rather large IOS config and want to automatically find which ACLs are unused for anything. Can this be automated? I found a utility in perl from 2004 that doesn't like more modern IOS syntax.
Any ideas?
Thanks..
HT
Comments
chrisone (Member, Posts: 2,278):
Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldn't even be applied unless under a downtime window with a certain amount of time. Also I would have a backup config downloaded from the device using TFTP as well.
Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into Notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way, if your company doesn't do change request forms, I would still do it anyway to cover your own ass.
I hope this helps.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
networker050184 (Mod, Posts: 11,962):
Have you looked at these shell scripts?
John Kristoff - Software
Might be the same older script you are talking about? You could probably update it with the proper syntax on your own if so.
An expert is a man who has made all the mistakes which can be made.
networker050184 (Mod, Posts: 11,962):
chrisone wrote: »Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldn't even be applied unless under a downtime window with a certain amount of time. Also I would have a backup config downloaded from the device using TFTP as well.
Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into Notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way, if your company doesn't do change request forms, I would still do it anyway to cover your own ass.
I hope this helps.
I don't see how running a script against a stored config file would have much impact on the network.
An expert is a man who has made all the mistakes which can be made.
ConstantlyLearning (Member, Posts: 445):
In ASA, I manually monitor and remove ACLs with a hit count of zero.
'show access-list ACCESS_LIST | include hitcnt=0'
"There are 3 types of people in this world, those who can count and those who can't"
chrisone (Member, Posts: 2,278):
networker050184 wrote: »I don't see how running a script against a stored config file would have much impact on the network.
Whether the changes happen off the router or not, in the end it will impact the way the router functions, right? That config will end up being stored on a production environment router. I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
networker050184 (Mod, Posts: 11,962):
chrisone wrote: »I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.
What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. That's why it's better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.
An expert is a man who has made all the mistakes which can be made.
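As an added illustration of the "check whether it is applied in the config" approach networker050184 describes (this is example code written for this page, not code from the thread or from the Kristoff script): a small Python script that reads a saved IOS config, collects every ACL definition, collects every place an ACL is applied by name, and reports the difference. The sample config and the set of reference patterns are constructed for the example and the pattern list is intentionally not exhaustive.

```python
import re

# Constructed sample IOS config (not from the thread): numbered and named
# ACLs, some applied to an interface, a vty line or SNMP, one never used.
SAMPLE_CONFIG = """\
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 10.1.1.1 eq 22
ip access-list extended WEB-IN
 permit tcp any host 10.1.1.2 eq 80
 deny ip any any
ip access-list standard MGMT
 permit 10.9.9.0 0.0.0.255
ip access-list extended OLD-RULES
 permit ip any any
interface GigabitEthernet0/0
 ip access-group 101 in
 ip access-group WEB-IN out
line vty 0 4
 access-class MGMT in
snmp-server community public RO 20
"""

# Where an ACL is defined (numbered or named); group 1 or 2 holds the name.
DEF_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")

# Places an ACL is referenced by name; each pattern captures that name. The
# list is deliberately incomplete (no crypto maps, NAT, distribute-lists...),
# so a hit here is a candidate for review, not a deletion list.
REF_RES = [
    re.compile(r"^\s*ip access-group (\S+) (?:in|out)"),
    re.compile(r"^\s*access-class (\S+) (?:in|out)"),
    re.compile(r"^\s*snmp-server community \S+ (?:RO|RW) (\S+)"),
    re.compile(r"^\s*match ip address (?!prefix-list)(\S+)"),
    re.compile(r"^\s*match access-group (?:name )?(\S+)"),
]

def unused_acls(config):
    """Return sorted names of ACLs that are defined but never referenced."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        m = DEF_RE.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        for rx in REF_RES:
            m = rx.match(line)
            if m:
                referenced.add(m.group(1))
    return sorted(defined - referenced)
```

Run against the sample it reports ACL 10 and OLD-RULES as candidates; on a real config, extend REF_RES for every feature your platform uses before trusting the output.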
chrisone (Member, Posts: 2,278):
networker050184 wrote: »What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. That's why it's better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.
Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACLs were applied, meaning if they were applied to an interface? If so I don't know how else you would verify if an ACL were in use or "applied" other than by the hit count or by old documentation regarding a scenario with the "just in case" situation.
At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, I would suggest everyone do the same. You won't come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.
Anyways this is my experience with this sort of situation, like I always say, it's not 100% nor is it the right or wrong way. Just another method to a situation.
GL hypnotoad, between networker and me, we both provided enough information to help you out....I hope hahaha
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
networker050184 (Mod, Posts: 11,962):
chrisone wrote: »Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACLs were applied, meaning if they were applied to an interface? If so I don't know how else you would verify if an ACL were in use or "applied" other than by the hit count or by old documentation regarding a scenario with the "just in case" situation.
Easy, you grab the running configs and run a script like posted above against it.
chrisone wrote: »At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, I would suggest everyone do the same. You won't come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.
Well of course everyone sets out to keep all remarks and documentation accurate, but face it, something is going to get out of date eventually if you have enough devices. There is no perfect system when humans are involved.
chrisone wrote: »GL hypnotoad, between networker and me, we both provided enough information to help you out....I hope hahaha
Yep, hopefully you can work something out with the script or at least some show commands to get you sorted.
An expert is a man who has made all the mistakes which can be made.
Ahriakin (Member, Posts: 1,799):
chrisone wrote: »Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACLs were applied, meaning if they were applied to an interface?
I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though). I think it's essentially modifying the show command to look at the TCAMs. Do a quick Google or poke around Cisco Docs and you should find it.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
hypnotoad (Banned, Posts: 915):
Thanks guys. I don't plan on playing with the ACLs on the live system...I just inherited this project from some guy who loved ACLs a little too much, but I plan to keep it safe.
networker050184 (Mod, Posts: 11,962):
Ahriakin wrote: »I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though). I think it's essentially modifying the show command to look at the TCAMs. Do a quick Google or poke around Cisco Docs and you should find it.
Something along the lines of show tcam count interface interface acl. Close to that anyway.
An expert is a man who has made all the mistakes which can be made.