Thread: ACL Clean-up

ACL Clean-up
user name
2005-12-28 02:53:04
What we do is contact the groups responsible for the devices the ACLs allow access to, and explain to them in plain English what the ACL does. Give them a certain deadline (2 weeks) and if you don't hear anything, remove the ACL, making sure to CC the correct people with an update on your changes.

You can use the 'inactive' command in PIX 7.0 to turn off a command, instead of erasing it.
You can clear the counters on the ACLs, wait two weeks and see which have a hitcount of zero.

The biggest thing is people: making sure enough people are notified, so that if something important does get turned off, someone can remember that you disabled the ACL!

- Nic.

brianahardy wrote:
We have several pix's scattered around our network, most of which have
several hundred to thousands of ACL entries.

I started to track hit counts and found that there were hundreds of
entries with hitcnt=0. What would be the simplest/best methodology for:

1: Determining which ACL entries can be deleted
2: Process for deleting/disabling the entries for a period of time
(week? month?) so they can readily be put back into place if someone
complains.

Has anyone gone through this process?  If so, what methods did you use
and what problems should I be looking out for?

Thanks
Brian

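The "clear counters, wait, find the zero-hitcount entries, disable with `inactive` rather than delete" workflow from the reply above, as an added example that is not from the thread or from Cisco: a small Python script that parses `show access-list` output, picks out the idle ACEs, and emits the re-entered `access-list ... inactive` form (PIX 7.0+ / ASA syntax) together with a notification list for the owners. The sample output is constructed in the PIX 7.x line format, not captured from a real device; the ACL name, hosts and hash values are placeholders.

```python
import re

# Constructed sample of `show access-list` output in PIX 7.x / ASA format.
# Addresses are RFC 5737 documentation space; trailing hashes are placeholders.
SAMPLE_OUTPUT = """\
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1532) 0x11111111
access-list outside_in line 2 extended permit tcp any host 192.0.2.11 eq smtp (hitcnt=0) 0x22222222
access-list outside_in line 3 extended permit udp any host 192.0.2.12 eq domain (hitcnt=0) 0x33333333
access-list outside_in line 4 extended deny ip any any (hitcnt=87) 0x44444444
"""

# One ACE per line: name, position, the rule body, and the hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(text):
    """Return a list of dicts, one per parsed access-list entry."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # remarks and headers do not match and are skipped
            aces.append({"name": m.group("name"), "line": int(m.group("line")),
                         "body": m.group("body"), "hits": int(m.group("hits"))})
    return aces


def zero_hit_aces(aces):
    """Entries that saw no traffic since the counters were cleared."""
    return [a for a in aces if a["hits"] == 0]


def disable_commands(aces):
    """Re-enter each idle ACE with the `inactive` keyword so it stays in the
    config (and can be re-enabled by re-entering it without the keyword)
    instead of being removed with `no access-list ...`."""
    return [f"access-list {a['name']} {a['body']} inactive" for a in aces]


def notification_text(aces, deadline_days=14):
    """Plain-English notice to send to the device owners before disabling."""
    lines = [f"The following rules have had zero hits and will be disabled in "
             f"{deadline_days} days unless you object:"]
    lines += [f"  {a['name']} line {a['line']}: {a['body']}" for a in aces]
    return "\n".join(lines)


if __name__ == "__main__":
    idle = zero_hit_aces(parse_aces(SAMPLE_OUTPUT))
    print(notification_text(idle))
    print("\n".join(disable_commands(idle)))
```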