Darrell Root on Networking and Swift

Network Mom ACL Analyzer

Download on the Mac App Store

Every network engineer needs a simple tool to determine whether an access-list already permits a socket. It is also helpful to have a tool which finds "duplicate/superset" lines in existing ACLs (often these "duplicate" lines indicate that a line is matching more than the engineer expected).  

Network Mom ACL Analyzer analyzes large Cisco access-lists.  

  • It identifies lines which match a specific TCP or UDP socket.
  • It identifies later ACL lines which are strict subsets or duplicates of earlier lines.
  • It identifies common errors, including the dangerous "netmask instead of wildcard bit" error.


The ACL Analyzer supports the following platforms:  

  • IPv4 IOS or IOS-XE
  • IPv4 IOS-XR
  • IPv4 NX-OS
  • IPv4 Arista
  • IPv6 IOS or IOS-XE
  • IPv6 IOS-XR
  • IPv6 NX-OS
  • IPv6 Arista

Example 1: IPv6 IOS ACL Analysis

  • Finds two ACLs with syntax errors
  • Finds three lines which match a specific tcp socket


IPv6 ACL analysis sample

Example 2: IPv4 IOS ACL Analysis

  • Warns of a (syntactically correct) line where the destination IP address is not on a netmask boundary (probably not what the network engineer intended)
  • Alerts on a (syntactically correct) line where the network engineer used a netmask rather than a wildcard (very dangerous to security!)
  • Finds 1 line which matches the configured TCP socket.


IPv4 ACL analysis sample

Example 3: IPv6 IOS ACL Duplicate Detection

  • Found that the first line is a duplicate/superset of 4 following lines
  • Found that the second line is a duplicate/superset of 3 following lines
  • Found that the third line is a duplicate/superset of the 5th line


IPv4 ACL analysis sample
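The three kinds of checks described on this page (finding lines that match a socket, warning about a netmask used as a wildcard and about addresses that are not on a boundary, and finding later lines that are duplicates or strict subsets of earlier lines) can be illustrated with a small script. The following Python is an added example written for this page, not the ACL Analyzer's own code. It handles only a subset of IOS extended-ACL syntax (permit/deny, ip/tcp/udp, any / host A / address plus wildcard, and an optional "eq" destination port), and the ACL lines it checks are constructed for the illustration.

```python
# Constructed example: a small checker for Cisco IOS extended-ACL lines.
# Supported syntax: permit|deny ip|tcp|udp SRC DST [eq PORT]
# where SRC/DST is "any", "host A", or "A WILDCARD".
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def ip_int(text: str) -> int:
    return int(IPv4Address(text))


def ip_str(value: int) -> str:
    return str(IPv4Address(value))


@dataclass(frozen=True)
class Block:
    """An address plus a Cisco wildcard mask (1 bits are 'don't care')."""
    addr: int
    wild: int

    def contains(self, ip: int) -> bool:
        care = ~self.wild & ALL_ONES
        return (ip & care) == (self.addr & care)

    def covers(self, other: "Block") -> bool:
        # Every don't-care bit of other must be don't-care here, and the bits
        # this block fixes must agree with other's address.
        if (self.wild | other.wild) != self.wild:
            return False
        care = ~self.wild & ALL_ONES
        return (self.addr & care) == (other.addr & care)


@dataclass(frozen=True)
class Rule:
    text: str
    action: str
    proto: str
    src: Block
    dst: Block
    dport: Optional[int]  # None: any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if not (self.src.contains(ip_int(src_ip)) and self.dst.contains(ip_int(dst_ip))):
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Rule") -> bool:
        """True when every packet 'other' would match is already matched by self."""
        return (self.proto in ("ip", other.proto)
                and (self.dport is None or self.dport == other.dport)
                and self.src.covers(other.src) and self.dst.covers(other.dst))


def _parse_block(toks: List[str], i: int) -> Tuple[Block, int]:
    if toks[i] == "any":
        return Block(0, ALL_ONES), i + 1
    if toks[i] == "host":
        return Block(ip_int(toks[i + 1]), 0), i + 2
    return Block(ip_int(toks[i]), ip_int(toks[i + 1])), i + 2


def parse_rule(line: str) -> Rule:
    toks = line.split()
    src, i = _parse_block(toks, 2)
    dst, i = _parse_block(toks, i)
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "eq" else None
    return Rule(line, toks[0], toks[1], src, dst, dport)


def lint(rule: Rule) -> List[str]:
    """Flag wildcards that look like netmasks and addresses off the boundary."""
    out = []
    for name, blk in (("source", rule.src), ("destination", rule.dst)):
        w, inv = blk.wild, ~blk.wild & ALL_ONES
        # Contiguous 1s from the top bit is a netmask, not a wildcard. Since
        # 1 bits are don't-care, 255.255.255.0 ignores the first three octets.
        if w not in (0, ALL_ONES) and w & 0x80000000 and (inv + 1) & inv == 0:
            out.append(f"{name} wildcard {ip_str(w)} looks like a netmask; "
                       f"did you mean {ip_str(inv)}?")
        if blk.addr & w:
            out.append(f"{name} address {ip_str(blk.addr)} has host bits set "
                       f"inside wildcard {ip_str(w)} (not on a boundary)")
    return out


def matching_lines(rules, proto, src_ip, dst_ip, dport) -> List[int]:
    return [i for i, r in enumerate(rules) if r.matches(proto, src_ip, dst_ip, dport)]


def shadowed_lines(rules) -> List[Tuple[int, int]]:
    """(earlier, later) pairs where the later line is a duplicate or subset."""
    return [(i, j) for j in range(len(rules)) for i in range(j) if rules[i].covers(rules[j])]


# Constructed sample ACL (not taken from the page).
SAMPLE_ACL = [
    "permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10 eq 443",
    "permit tcp host 10.1.2.3 host 192.0.2.10 eq 443",          # duplicate of line 0
    "deny ip 10.1.0.0 0.0.255.255 any",
    "permit tcp 10.1.5.0 0.0.0.255 any eq 80",                  # never reached: line 2 covers it
    "permit udp 10.1.2.0 255.255.255.0 host 192.0.2.53 eq 53",  # netmask used as wildcard
    "permit tcp 10.2.3.5 0.0.0.255 host 192.0.2.10 eq 22",      # address not on a /24 boundary
    "permit ip any any",
]
RULES = [parse_rule(line) for line in SAMPLE_ACL]

if __name__ == "__main__":
    for i, j in shadowed_lines(RULES):
        print(f"line {i} covers line {j}: {RULES[j].text}")
    for i, r in enumerate(RULES):
        for w in lint(r):
            print(f"line {i}: {w}")
    print("tcp 10.1.2.3 -> 192.0.2.10:443 matches lines",
          matching_lines(RULES, "tcp", "10.1.2.3", "192.0.2.10", 443))
    # The netmask-as-wildcard line admits a source far outside 10.1.2.0/24:
    print("udp 198.51.100.0 -> 192.0.2.53:53 matches lines",
          matching_lines(RULES, "udp", "198.51.100.0", "192.0.2.53", 53))
```

The last lookup shows why the netmask error is dangerous: with wildcard 255.255.255.0 the first three octets are don't-care bits, so line 4 permits UDP/53 from any address whose last octet is 0, not just from 10.1.2.0/24. The superset check ignores permit versus deny on purpose, since a later line covered by an earlier one never matches regardless of its action; the printed text lets the engineer decide whether the shadowed line is merely redundant or a permit that silently never fires.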


The ACL Analyzer respects your confidentiality

Network Mom ACL Analyzer uses Apple's notarization, app sandbox, and hardened runtime features to protect your security information. The app is not allowed to make network connections or save files outside of the application sandbox. The analyzer does not save the ACL files you analyze.

Because the analyzer does not make network connections, it cannot perform "DNS lookups" of any hostnames in your configurations.
