Thursday, March 10, 2016

dt_aclcheck - Find a match in extended access list.

Some ACLs are short, some ACLs are really long!

Here is a question: would TCP traffic from any source to 8.7.109.176 on port 443 match any of the ACEs?

With dt_aclcheck.tcl, it is easy:

IOU1#tclsh unix:dt_aclcheck.tcl 100 tcp any 8.7.109.176 1234 443
01
    950 permit tcp any host 8.7.109.176 eq 443
    4040 permit tcp any any established



How about icmp?

IOU1#tclsh unix:dt_aclcheck.tcl 100 icmp any any
01
    4010 deny icmp any any echo
    4020 deny icmp any any traceroute log
    4030 permit icmp any any
    4160 deny ip any any


Here is the syntax for the command:

IOU1#tclsh unix:dt_aclcheck.tcl                
Usage - dt_aclMatch.tcl <acl_name> <protocol> <source IP> <destination IP> [source port] [destination port]
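The matching the script performs, as an added Python example that is not the author's Tcl script: it parses the ACEs shown above (plus two constructed entries, sequence 10 and 960, so a wildcard source and a UDP port range get exercised) and lists every ACE that could apply to a query, taking its arguments in the same order as the script. Query fields that are left unspecified (`any` for an address, no port, no ICMP type, no knowledge of the TCP flags) act as wildcards, which is why a plain TCP query lists both the `eq 443` entry and the `established` one, and a plain ICMP query lists the `echo` and `traceroute` denies; it also always lists the closing `deny ip any any`, since that matches everything. The router applies only the first entry in the list, so that is the one to read, and a bare SYN (`established=False`) never matches an `established` ACE. The supported syntax is the subset visible on this page (`any`, `host`, address plus contiguous wildcard, `eq`, `range`, `established`, an ICMP type keyword, `log`); the parser and the constructed ACL entries are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Port = Optional[Tuple[int, int]]   # port range; None = any port

@dataclass
class Ace:
    seq: int
    action: str                    # permit | deny
    proto: str                     # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    sport: Port
    dst: ipaddress.IPv4Network
    dport: Port
    established: bool              # TCP "established" keyword (ACK or RST set)
    icmp_type: Optional[str]       # e.g. "echo"; None = any ICMP type
    text: str                      # original line, for printing

@dataclass
class Query:
    proto: str
    src: Optional[ipaddress.IPv4Address] = None   # None = "any" / unknown
    dst: Optional[ipaddress.IPv4Address] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: Optional[bool] = None            # False = new session (SYN); None = unknown
    icmp_type: Optional[str] = None

def _addr(tok, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # A Cisco wildcard is the inverse of a netmask; contiguous wildcards only (assumption).
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
    return ipaddress.IPv4Network((tok[i], str(mask)), strict=False), i + 2

def _ports(tok, i):
    """Consume an optional 'eq N' or 'range A B' qualifier at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]), int(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'SEQ ACTION PROTO SRC [PORTS] DST [PORTS] [qualifiers...]' as printed by 'show access-list'."""
    tok = line.split()
    src, i = _addr(tok, 3)
    sport, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _ports(tok, i)
    rest = tok[i:]                 # e.g. ["established"], ["echo"], ["traceroute", "log"]
    icmp = next((t for t in rest if t not in ("log", "log-input")), None) if tok[2] == "icmp" else None
    return Ace(int(tok[0]), tok[1], tok[2], src, sport, dst, dport, "established" in rest, icmp, line.strip())

def _port_ok(r: Port, port: Optional[int]) -> bool:
    return r is None or port is None or r[0] <= port <= r[1]

def ace_matches(ace: Ace, q: Query) -> bool:
    """True if the ACE could apply to the query; fields the query leaves unset act as wildcards."""
    if ace.proto != "ip" and ace.proto != q.proto:
        return False
    if (q.src is not None and q.src not in ace.src) or (q.dst is not None and q.dst not in ace.dst):
        return False
    if not (_port_ok(ace.sport, q.sport) and _port_ok(ace.dport, q.dport)):
        return False
    if ace.established and q.established is False:   # a bare SYN never matches "established"
        return False
    return not (ace.icmp_type and q.icmp_type and ace.icmp_type != q.icmp_type)

def find_matches(acl: List[Ace], q: Query) -> List[Ace]:
    """Every ACE that could match, in ACL order (the list the script prints)."""
    return [a for a in acl if ace_matches(a, q)]

def first_match(acl: List[Ace], q: Query) -> str:
    """First match wins: the action the router applies, or the implicit deny at the end."""
    hits = find_matches(acl, q)
    return f"{hits[0].seq} {hits[0].action}" if hits else "implicit deny"

def check(acl, proto, src, dst, sport=None, dport=None, **kw) -> List[int]:
    """Same argument order as the script; 'any' for an address means unspecified. Returns matching seqs."""
    ip = lambda s: None if s == "any" else ipaddress.IPv4Address(s)
    return [a.seq for a in find_matches(acl, Query(proto, ip(src), ip(dst), sport, dport, **kw))]

# Constructed sample ACL: the ACEs visible in the post plus two invented entries (10 and 960)
# so that a wildcard source and a UDP port range get exercised.
ACL_100 = [parse_ace(l) for l in """
10 permit tcp 10.0.0.0 0.0.0.255 host 8.7.109.176 eq 22
950 permit tcp any host 8.7.109.176 eq 443
960 permit udp any host 8.7.109.176 range 5000 5010
4010 deny icmp any any echo
4020 deny icmp any any traceroute log
4030 permit icmp any any
4040 permit tcp any any established
4160 deny ip any any
""".splitlines() if l.strip()]

if __name__ == "__main__":
    q = Query("tcp", dst=ipaddress.IPv4Address("8.7.109.176"), sport=1234, dport=443)
    for a in find_matches(ACL_100, q):
        print("   ", a.text)
    print("applied:", first_match(ACL_100, q))
```

`check(ACL_100, "tcp", "any", "8.7.109.176", 1234, 443)` reproduces the post's first query and returns the sequence numbers 950, 4040 and 4160; giving the query a real source and `established=False` narrows the list to what a new connection actually hits, which is the question a firewall review usually needs answered.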


Grab the file HERE, and upload it to the router. Enjoy!

And let me know if you need any help with this.