Thursday, March 10, 2016

dt_aclcheck - Find a match in extended access list.

Some ACLs are short, some ACLs are really long!

Here is a question: would anything sent to port 443 match any of the ACEs?

With dt_aclcheck.tcl, it is easy:

IOU1#tclsh unix:dt_aclcheck.tcl 100 tcp any 1234 443
    950 permit tcp any host eq 443
    4040 permit tcp any any established

How about icmp?

IOU1#tclsh unix:dt_aclcheck.tcl 100 icmp any any
    4010 deny icmp any any echo
    4020 deny icmp any any traceroute log
    4030 permit icmp any any
    4160 deny ip any any

Here is the syntax for the command:

IOU1#tclsh unix:dt_aclcheck.tcl
Usage - dt_aclMatch.tcl <acl_name> <protocol> <source IP> <destination IP> [source port] [destination port]
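To show what the script is doing under the hood, here is the same "which ACEs could this flow hit" check written in Python as an added example (it is not dt_aclcheck.tcl itself). The ACL text is constructed for the example, modelled on the ACEs shown above, with one hypothetical UDP entry added to exercise wildcard-mask matching; ports are assumed to be numeric and only the `eq` operator is handled.

```python
import ipaddress
# Constructed sample ACL modelled on the post's ACEs; the UDP line with a wildcard mask is hypothetical.
SAMPLE_ACL = """\
950 permit tcp any host 192.0.2.10 eq 443
4010 deny icmp any any echo
4020 deny icmp any any traceroute log
4030 permit icmp any any
4040 permit tcp any any established
4100 permit udp 10.0.0.0 0.0.0.255 any eq 53
4160 deny ip any any
"""

def _parse_addr(tokens, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at tokens[i]; None stands for any address."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash, e.g. 10.0.0.0/0.0.0.255
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens, i):
    """Consume an optional numeric 'eq N'; None stands for any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i  # trailing keywords (established, echo, traceroute, log) are not port specs

def parse_ace(line):  # '<seq> <action> <proto> <src> [eq N] <dst> [eq N] [keywords]'
    t = line.split()
    src, i = _parse_addr(t, 3)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"seq": int(t[0]), "proto": t[2], "src": src, "sport": sport, "dst": dst, "dport": dport}

def _addr_ok(net, q):  # 'any' on either side matches everything
    return net is None or q == "any" or ipaddress.ip_address(q) in net

def _port_ok(p, q):  # a query port of None leaves that field unconstrained
    return p is None or q is None or p == q

def acl_check(acl_text, proto, src, dst, sport=None, dport=None):
    """Return the ACE lines that could match the flow, in order, as dt_aclcheck prints them."""
    hits = []
    for line in acl_text.strip().splitlines():
        a = parse_ace(line)
        if (a["proto"] in ("ip", proto) and _addr_ok(a["src"], src) and _addr_ok(a["dst"], dst)
                and _port_ok(a["sport"], sport) and _port_ok(a["dport"], dport)):
            hits.append(line)
    return hits
```

Calling `acl_check(SAMPLE_ACL, "tcp", "any", "any", dport=443)` returns the 950, 4040 and 4160 lines, and `acl_check(SAMPLE_ACL, "icmp", "any", "any")` returns the four ICMP-relevant lines, mirroring the router output above.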

Grab the file HERE, and upload it to the router. Enjoy!

And let me know if you need any help with this.