Script to find Unused IOS ACLs

I have a rather large IOS config and want to automatically find which ACLs are unused for anything. Can this be automated? I found a utility in perl from 2004 that doesn't like more modern IOS syntax.

Any ideas?

Thanks..
HT

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

chrisone

Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldnt even be applied unless under a downtime window with certain amount of time. Also i would have a backup config downloaded from the device using tftp as well.

Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way if you company doesnt do change request forms, i would still do it anyways to cover your own ass.

I hope this helps.

networker050184

Have you looked at these shell scripts?

John Kristoff - Software

Might be the same older script you are talking about? You could probably update it with the proper syntax on your own if so.

networker050184

chrisone wrote: »

Not really sure man. In all honesty anything automated to your ACLs sounds highly risky! Such tasks shouldnt even be applied unless under a downtime window with certain amount of time. Also i would have a backup config downloaded from the device using tftp as well.

Your best bet would be to check on the hit counts on the ACLs. Do them in chunks of 30 or 50 ACLs at a time. Copy and paste them into notepad along with their hit count and monitor the hits for a week. On the ones you get no hits on, notify management of the deletion with a change control form, that is if your company has those policies in place. Either way if you company doesnt do change request forms, i would still do it anyways to cover your own ass.

I hope this helps.

I don't see how running a script against a stored config file would have much impact on the network.

ConstantlyLearning

In ASA, I manually monitor and remove ACL's with a hitcount of zero.

'show access-list ACCESS_LIST | include hitcnt=0'

chrisone

networker050184 wrote: »

I don't see how running a script against a stored config file would have much impact on the network.

Whether the changes happen off the router or not, in the end it will impact the way the router functions right? that config will end up being stored on a production environment router. I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.

networker050184

chrisone wrote: »

I suggest looking at the hit counts and verifying if the ACLs you want to remove are not being used.

What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. Thats why its better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.

chrisone

networker050184 wrote: »

What happens if one of the ACLs is there in a "just in case" scenario and doesn't have hits during normal production? If you are using a 6500/7600 or other distributed platforms your hits in show access-list aren't going to be accurate anyway. Thats why its better to check if they are actually applied in the config. A script can also be run with little effort if you have a lot of configs to check over.

Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface? If so i don't know how else you would verify if an ACL were in use or "applied" by the hit count or either by old documentation regarding a scenario with the "just in case" situation.

At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, i would suggest everyone to do the same. You wont come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.

Anyways this is my experience with this sort of situation, like i always say, its not 100% nor is it the right or wrong way. Just another method to a situation.

GL hypnotoad, between networker and I , we both provided enough information to help you out....i hope hahaha

networker050184

chrisone wrote: »

Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface? If so i don't know how else you would verify if an ACL were in use or "applied" by the hit count or either by old documentation regarding a scenario with the "just in case" situation.

Easy, you grab the running configs and run a script like posted above against it.

chrisone wrote: »

At that point "just in case" scenarios are a huge mistake unless you have a remark/description for the "just in case" ACL. We place remarks/descriptions on ALL our ACLs in production, we eliminate "just in case" scenarios, i would suggest everyone to do the same. You wont come into this problem when you are doing ACL clean ups. At least with a description you can see why the ACL was in place and then you can verify if it is still needed. I see a just in case ACL without a remark/description as a big NO NO.

Well of course everyone sets out to keep all remarks and documentation accurate, but face it, something is going to get out of date eventually if you have enough devices. There is no perfect system when humans are involved.

chrisone wrote: »

GL hypnotoad, between networker and I , we both provided enough information to help you out....i hope hahaha

Yep, hopefully you can work something out with the script or at least some show commands to get you sorted.

Ahriakin

chrisone wrote: »

Not sure what you mean by hits not being accurate, never came across that problem. Could be a bug of some sorts on the IOS you were running. I am also assuming you meant to check if the ACL were applied, meaning if they were applied to an interface?

I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though

). I think it's essentially modifying the show command to look at the TCAMs. Do a quick google or poke around Cisco Docs and you should find it.

hypnotoad

Thanks guys. I don't plan on playing with the ACLs on the live system...I just inherited this project from some guy who loved ACLs a little too much, but I plan to keep it safe

networker050184

Ahriakin wrote: »

I think he means that on some hardware combinations the ACLs are processed by the line cards, there is a separate command to view hits on these (can't for the life of me remember it though ). I think it's essentially modifying the show command to look at the TCAMs. Do a quick google or poke around Cisco Docs and you should find it.

Something along the lines of show tcam count interface interface acl. Close to that anyway.