I have been looking at acl management s/w in the freecode space and I can find lots of tools which manage/distribute and test ACLs in routers. I'm wondering if anyone has written a parser which can construct rule-trees and get rid of the cruft, unusable, order-misorder and other issues in a large ACL pool? Its possible this is NP in the wider sense, but even a partial improvement would be useful something which can take a couple of hundred basic and extended ACLs and tell you these <ten> don't work these <twenty> conflict the remaining <x> have a sequence and can reduce to this basic <x-y> set (we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that its FRAGILE) -G