Jae Hak Kim
Cisco Employee

Access-list Checking Tool

https://cway.cisco.com/tools/accesslist/

Tool Description

  • The tool takes a source/destination IP address and port pair and checks whether any entry in a Cisco IOS/NXOS access list matches it.

access-list tool

Sample Test Input Data:

Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    25 permit ip host 192.168.5.5 10.0.0.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
    41 permit tcp 10.1.1.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
    42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
    40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
   100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80


Source IP - 10.66.86.1
Source Port - 23001
Destination IP - 192.168.1.2
Destination Port - 80

Use Cases

  • Quickly and accurately finding which entry in an ACL matches a given flow. Doing this by hand during troubleshooting is slow and error-prone.


Technology

  • IOS, IOS-XE, NXOS

Guidelines

  • The tool ignores protocol types (e.g., IP, TCP, UDP)
  • ACL entries MUST begin with a sequence number (see the test input data above)
  • The tool does not support ACLs containing the following entries (remove them from the ACL before using it):
    • object-groups, addrgroup, portgroup
    • TCP options/flags (syn, ack, rst, established, fin, psh, etc.)
    • ICMP flags (echo-reply, unreachable, ttl-exceeded, etc.)
    • capture, dscp, fragments, log, packet-length, precedence, time-range, urg
  • IPv6 is not supported

Feedback/Bug reports are always welcome!

ciscocom-apps-access-list-checker@cisco.com

Comments
GSA
Level 1

ACLcheck utility (beta version)

https://www.youtube.com/watch?v=e31Uz46AKn0

daroot
Level 1

My new app, "Network Mom ACL Analyzer", is now in the MacOS 10.14 App Store. It analyzes IOS, IOS-XR, NX-OS, and ASA IPv4 security ACLs:

  1. It finds many types of syntax errors
  2. It finds wildcards that are not on a proper subnet boundary
  3. It warns about CIDRs that are not properly aligned
  4. It finds lines which match a specific TCP/UDP socket in an ACL
  5. It finds "duplicate" ACL lines.

A "duplicate" ACL line is where the earlier line is a strict superset of the later line. This could indicate that the later line is not needed. Or it could indicate that the earlier line is "too broad" (every line is a duplicate of "permit ip any any"). While the tool reports the duplicates, you need to use your judgement to verify it and decide the correct course of action.

- Darrell

CCIE Emeritus #8302
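The first-match lookup the tool in the original post performs and the superset ("duplicate") check described in the comment above reduce to the same two questions (does this address set contain that one, does this port set contain that one), so the following Python script answers both against the page's own sample ACL and flow. It is an added example, not code from the Cisco tool or from Network Mom ACL Analyzer. It assumes IOS evaluation order (by sequence number, listed order for ties), ignores the protocol keyword exactly as the tool's guidelines state, understands only any/host/CIDR/wildcard addresses and the eq/neq/lt/gt/range port operators, and rejects every other keyword (object-groups, established, log, ...) rather than silently misreading it, which mirrors the guidelines' request to strip those entries first.

```python
"""First-match lookup and superset ("duplicate") check for IOS-style extended ACLs.
Added example, not the Cisco tool's or Network Mom's code. Assumed: entries are evaluated in
sequence-number order (listed order for ties), the protocol keyword is ignored as the page's
guidelines state, and only any/host/CIDR/wildcard addresses plus eq/neq/lt/gt/range port
operators are understood; any other keyword is rejected with ValueError."""
import ipaddress
from collections import namedtuple

Entry = namedtuple("Entry", "seq action proto src sport dst dport text")
ALL_PORTS = [(0, 65535)]  # a port set is a list of inclusive (lo, hi) intervals

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, i):
    """Consume any | host A | A/N | A W at tokens[i]; return ((net, wildcard), next index)."""
    tok = tokens[i] if i < len(tokens) else ""  # "" makes _ip() raise a ValueError below
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return (int(net.network_address), int(net.hostmask)), i + 1
    return (_ip(tok), _ip(tokens[i + 1])), i + 2  # IOS wildcard: a set bit means "don't care"

def _parse_ports(tokens, i):
    """Consume an optional port operator at tokens[i]; no operator means every port."""
    op = tokens[i] if i < len(tokens) else None
    if op in ("eq", "neq", "lt", "gt"):
        n = int(tokens[i + 1])
        return {"eq": [(n, n)], "lt": [(0, n - 1)], "gt": [(n + 1, 65535)],
                "neq": [(0, n - 1), (n + 1, 65535)]}[op], i + 2
    if op == "range":
        return [(int(tokens[i + 1]), int(tokens[i + 2]))], i + 3
    return ALL_PORTS, i

def parse_entry(line):
    tokens = line.split()
    if not tokens or not tokens[0].isdigit():
        raise ValueError(f"entry must begin with a sequence number: {line!r}")
    src, i = _parse_addr(tokens, 3)
    sport, i = _parse_ports(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_ports(tokens, i)
    if i != len(tokens):  # established, log, object-group ...: unsupported, as on the page
        raise ValueError(f"unsupported keyword {tokens[i]!r} in: {line!r}")
    return Entry(int(tokens[0]), tokens[1], tokens[2], src, sport, dst, dport, " ".join(tokens))

def parse_acl(text):
    """Parse 'show access-list' style output, skipping the non-numbered header line."""
    entries = [parse_entry(l) for l in text.splitlines() if l.split() and l.split()[0].isdigit()]
    return sorted(entries, key=lambda e: e.seq)  # stable sort keeps listed order for equal seq

def _addr_match(addr, ip):
    return (ip & ~addr[1]) == (addr[0] & ~addr[1])

def _port_match(ports, port):
    return any(lo <= port <= hi for lo, hi in ports)

def first_match(acl, src_ip, src_port, dst_ip, dst_port):
    """Return the first entry the flow hits, or None for the implicit deny at the end."""
    s, d = _ip(src_ip), _ip(dst_ip)
    hits = (e for e in acl if _addr_match(e.src, s) and _port_match(e.sport, src_port)
            and _addr_match(e.dst, d) and _port_match(e.dport, dst_port))
    return next(hits, None)

def _addr_covers(a, b):
    """a's address set contains b's: a ignores every bit b ignores and agrees on the rest."""
    (na, wa), (nb, wb) = a, b
    return (wb & ~wa) == 0 and (na & ~wa) == (nb & ~wa)

def _ports_cover(a, b):
    return all(any(alo <= blo and bhi <= ahi for alo, ahi in a) for blo, bhi in b)

def covers(a, b):
    """True when every flow that entry b matches is also matched by entry a."""
    return (_addr_covers(a.src, b.src) and _ports_cover(a.sport, b.sport)
            and _addr_covers(a.dst, b.dst) and _ports_cover(a.dport, b.dport))

def shadowed_pairs(acl):
    """(earlier, later) pairs where the earlier entry already covers the later one."""
    return [(a, b) for i, a in enumerate(acl) for b in acl[i + 1:] if covers(a, b)]

SAMPLE_ACL = """Extended IP access list test-acl
    10 permit ip any range 1024 2048 host 192.168.1.2 eq 80
    20 permit ip 192.168.0.0/0 10.66.85.0 0.0.0.255
    25 permit ip host 192.168.5.5 10.0.0.0 0.0.0.255
    40 permit tcp host 10.66.86.1 lt 65530 any eq 22
    40 permit tcp any host 192.168.1.2 eq 80
    30 permit ip 10.66.86.0 0.0.0.255 gt 1024 192.168.1.0 0.0.0.255
    50 permit ip any any
    41 permit tcp 10.1.1.0 0.0.0.255 eq 80 192.168.0.0 0.0.0.255
    42 permit tcp host 10.66.86.1 gt 1024 192.168.1.2 0.0.255.0 range 0 100
    40 permit ip 10.66.85.0 0.0.255.1 192.168.0.0 0.0.255.3 eq 80
   100 permit ip 10.66.86.0 0.0.255.1 range 100 23000 192.168.0.0/16 eq 80
"""  # ACL copied from the page's "Sample Test Input Data"; the flow below is the page's too

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(first_match(acl, "10.66.86.1", 23001, "192.168.1.2", 80).text)
    print([(a.seq, b.seq) for a, b in shadowed_pairs(acl)])
```

On the sample input the flow 10.66.86.1:23001 to 192.168.1.2:80 hits entry 30 when the list is evaluated in sequence-number order; had the entries been walked in the order shown instead, the second entry 40 (`permit tcp any host 192.168.1.2 eq 80`) would have won, which is why the evaluation-order assumption is stated up front. The superset check reports entry 50 (`permit ip any any`) as covering entry 100, the kind of relationship Darrell's analyzer flags for a human to judge; `covers` treats an exact repeat as covered too, since a repeated line is as redundant as a shadowed one. Non-contiguous wildcards such as `0.0.255.1` need no special handling because both checks work on bit masks rather than prefix lengths.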

psafarik
Level 1

Unfortunately it doesn't work for IOS-XR. Do you plan to update this tool for IOS-XR as well?

daroot
Level 1

@psafarik: My "Network Mom ACL Analyzer" in the macOS App Store (for $10 "lunch money") supports IOS-XR. If your problem is with my analyzer I'd love to see an ACL sample to troubleshoot (email: feedback AT networkmom.net). If your problem is with the original poster's tool, my tool is an alternative. I have a demo video up at https://youtube.com/watch?v=KITTaPnSx_c&feature=share&utm_source=EKLEiJECCKjOmKnC5IiRIQ - Darrell

GSA
Level 1

Could you show your IOS-XR ACL sample for diagnostic purposes?
I recommend trying this tool: https://aclcheck.ru/en/
