On Wed, Aug 18, 2010 at 8:47 PM, Dobbins, Roland <rdobbins@arbor.net> wrote:
On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:
(we've got the usual "acquisition of rule by accretion" problem across 4 edge/core routers with a mix of public facing, internal, WiFi, guest rules, and I hate to think this is either start from scratch, or intractable. The evidence is that its FRAGILE)
Attempts by various commercial solutions aside, there isn't really a workable, usable, scalable and reliable automated way to do this, AFAIK; apart from the complexity of the task itself, platform-specific ACL handling complicates matters further.
To begin getting a handle on your ACLs, implement some form of revision control (RCS, CVS, subversion, whatever), and then work to modularize the ACLs by function:
<https://files.me.com/roland.dobbins/prguob>
Then take a look at whether the ACLs in question all actually belong on the edge, or whether it makes sense to break them out and instantiate the relevant policies at various points within the topology.
a plug for some google-peeps: <http://code.google.com/p/capirca/> potentially once you make the definitions/policy-files you can use the proto-language to sort through your mess in a saner fashion. a nice aside is you can also create (from the same policy file) cisco/juniper/iptables configurations. (tony/pete really did a nice job on this) -chris
----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken