On Wed, Aug 18, 2010 at 8:47 PM, Dobbins, Roland <rdobb...@arbor.net> wrote:
>
> On Aug 19, 2010, at 7:38 AM, George Michaelson wrote:
>
>> (we've got the usual "acquisition of rule by accretion" problem across 4
>> edge/core routers with a mix of public facing, internal, WiFi, guest rules,
>> and I hate to think this is either start from scratch, or intractable. The
>> evidence is that it's FRAGILE)
>
> Attempts by various commercial solutions aside, there isn't really a
> workable, usable, scalable and reliable automated way to do this, AFAIK;
> apart from the complexity of the task itself, platform-specific ACL handling
> complicates matters further.
>
> To begin getting a handle on your ACLs, implement some form of revision
> control (RCS, CVS, subversion, whatever), and then work to modularize the
> ACLs by function:
>
> <https://files.me.com/roland.dobbins/prguob>
>
> Then take a look at whether the ACLs in question all actually belong on the
> edge, or whether it makes sense to break them out and instantiate the
> relevant policies at various points within the topology.
A plug for some google-peeps: <http://code.google.com/p/capirca/>

Potentially, once you make the definitions/policy files, you can use the
proto-language to sort through your mess in a saner fashion. A nice aside is
you can also create (from the same policy file) cisco/juniper/iptables
configurations. (Tony/Pete really did a nice job on this.)

-chris

> -----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
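An added example of the model Chris describes, written by the editor rather than taken from the thread or the capirca project: one shared definitions set plus one policy file, from which the cisco, juniper and iptables filters are all rendered. It assumes capirca's policy syntax; the object names (INTERNAL_NET, GUEST_WIFI, PUBLIC_WEB) and the addresses are made-up placeholders.

```text
# def/NETWORK.net  (object definitions shared by every policy file; addresses are made up)
INTERNAL_NET = 10.0.0.0/8        # corporate LAN
GUEST_WIFI   = 172.16.50.0/24    # guest SSID
PUBLIC_WEB   = 192.0.2.10/32     # public-facing web servers
               192.0.2.11/32
RFC1918      = 10.0.0.0/8        # private space, should never arrive from outside
               172.16.0.0/12
               192.168.0.0/16

# def/SERVICES.svc
HTTP  = 80/tcp
HTTPS = 443/tcp
DNS   = 53/tcp 53/udp

# policies/edge-inbound.pol  (one policy file, three render targets)
header {
  comment:: "Inbound filter on the public edge; terms grouped by function."
  target:: cisco edge-inbound extended
  target:: juniper edge-inbound inet
  target:: iptables INPUT DROP
}

term deny-spoofed-private {
  comment:: "Anti-spoofing: internal and guest space cannot be a valid source here."
  source-address:: RFC1918
  action:: deny
  logging:: true
}

term allow-public-web {
  comment:: "Public-facing service, the only thing the edge should accept unsolicited."
  destination-address:: PUBLIC_WEB
  destination-port:: HTTP HTTPS
  protocol:: tcp
  action:: accept
}

term default-deny {
  action:: deny
}
```

The .net/.svc/.pol sources and the rendered per-platform ACLs are what go into the revision control Roland suggests, so a diff shows which term changed rather than which line of a vendor ACL moved.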