Thursday, October 25, 2018

Any smart software to analyze 2 ACLs and tell the difference? Not a diff checker type!

I work for a big telecom company. Myself and another guy maintain 2 million lines of ACLs for 300 million subscribers + internal traffic. Everything was cool until we migrated to Pronghorn to make life easier. But it turned into hell... There is no way to compare an ACL after a change. We used to use kdiff, which showed all the differences nicely. Pronghorn is a Cisco company and works on NSO. When it generates an ACL, it does summarization and randomizes all the IPs if you set up a pool of IPs that belong to the same ACL rule. It could probably work OK if we did a line-by-line translation and created an IP for every single pool, but that would have taken forever to migrate the size of ACLs we have. We have ACLs as big as 25000 lines or even more. So we had to create a pool of IPs if there was a common rule from or to the same source, destination IP or port. This won't be fixed until the next phase of the software development, which will take at least 1.5-2 years. With the speed they have completed things thus far, I am not even hopeful for 3 years.

So is there anything out there to analyze 2 ACLs and display the difference? I am not looking for a diff checker type of program. Something that does line-by-line analysis and sees if the current line is covered by any of the lines in the other ACL. It needs to detect summarization, changes in the line order, etc... Maybe something even paid; if it's worth it, I can convince my boss to pay for it. I thought about developing one myself, but it would take years since I have to re-teach myself Python, since I didn't touch programming for years, and do it slowly when I have free time at home or work.
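As an added illustration (not from this post, and not the Pronghorn/NSO tooling it describes), here is a small Python script that compares two Cisco-style extended ACLs the way the post asks for: by what each list decides for a packet rather than by the text of the lines. The traffic of every entry is split along the boundaries of the entries it overlaps in either list until both lists give a single first-match verdict per slice; summarised prefixes and reordered lines that match the same packets therefore produce no report, and only a real change does. The sample ACLs are constructed, and the assumptions are: IPv4 `permit`/`deny` lines only, with `any`, `host` or wildcard addresses, numeric `eq`/`range` destination ports, `ip` taken to mean tcp+udp+icmp, and contiguous wildcard masks.

```python
# Added example (not from the post or any vendor tool): compare two Cisco-style
# extended ACLs by what they decide, not by their text.  Simplifications: IPv4 only,
# "ip" = tcp+udp+icmp, numeric destination ports only, contiguous wildcard masks.
import ipaddress
from dataclasses import dataclass, replace

IP = frozenset({"tcp", "udp", "icmp"})
ALL_PORTS = (0, 65535)

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: frozenset             # subset of IP
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                 # inclusive (lo, hi) destination port range

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    plen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask")   # would otherwise mis-parse silently
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(tok)) & mask, plen))

def parse_acl(text):
    """Parse permit/deny lines; headers, remarks and leading sequence numbers are skipped."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0].isdigit():
            t = t[1:]
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto, rest = t[0], t[1], t[2:]
        src, dst = _addr(rest), _addr(rest)
        dport = ALL_PORTS
        if rest and rest[0] in ("eq", "range"):
            dport = (int(rest[1]), int(rest[2] if rest[0] == "range" else rest[1]))
        aces.append(Ace(action, IP if proto == "ip" else frozenset({proto}), src, dst, dport))
    return aces

def covers(o, i):
    """True when entry o matches every packet in region i."""
    return (i.proto <= o.proto and i.src.subnet_of(o.src) and i.dst.subnet_of(o.dst)
            and o.dport[0] <= i.dport[0] and i.dport[1] <= o.dport[1])

def overlaps(a, b):
    return (bool(a.proto & b.proto) and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def _split(r, e):
    """Cut region r (which overlaps entry e but is not covered by it) along one boundary
    of e, so that every piece is either fully inside e or disjoint from it."""
    if not r.src.subnet_of(e.src):   # overlapping prefixes nest, so e.src lies inside r.src
        return [replace(r, src=s) for s in r.src.subnets(prefixlen_diff=1)]
    if not r.dst.subnet_of(e.dst):
        return [replace(r, dst=d) for d in r.dst.subnets(prefixlen_diff=1)]
    (lo, hi), (elo, ehi) = r.dport, e.dport
    if lo < elo or hi > ehi:
        parts = [(lo, elo - 1), (max(lo, elo), min(hi, ehi)), (ehi + 1, hi)]
        return [replace(r, dport=p) for p in parts if p[0] <= p[1]]
    return [replace(r, proto=r.proto & e.proto), replace(r, proto=r.proto - e.proto)]

def _decide(r, acl):
    """First match: (action, None) if one entry or the implicit deny settles all of r,
    otherwise (None, entry) naming the entry r has to be split against."""
    for e in acl:
        if overlaps(e, r):
            return (e.action, None) if covers(e, r) else (None, e)
    return ("deny", None)

def _diff(r, acl_a, acl_b, out):
    a_act, sa = _decide(r, acl_a)
    b_act, sb = _decide(r, acl_b)
    if sa or sb:
        for piece in _split(r, sa or sb):
            _diff(piece, acl_a, acl_b, out)
    elif a_act != b_act:
        out.append((r, a_act, b_act))

def compare(acl_a, acl_b):
    """For each entry of acl_a, the slices of its traffic that acl_b decides differently.
    Returns [(entry, slice, action_in_a, action_in_b)]; each slice is reported once, and a
    summarised or reordered entry that matches the same packets produces nothing."""
    diffs, seen = [], set()
    for entry in acl_a:
        out = []
        _diff(entry, acl_a, acl_b, out)
        for piece, a_act, b_act in out:
            key = (piece.proto, piece.src, piece.dst, piece.dport)
            if key not in seen:
                seen.add(key)
                diffs.append((entry, piece, a_act, b_act))
    return diffs

# Constructed sample: NEW summarises OLD's two /24 lines into one /23, moves the UDP
# line to the top and adds one SSH permit that OLD does not have.
OLD_ACL = """ip access-list extended OLD
 10 permit tcp 10.1.0.0 0.0.0.255 host 192.0.2.10 eq 443
 20 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443
 30 permit udp any host 192.0.2.53 eq 53
 40 deny ip any any"""
NEW_ACL = """ip access-list extended NEW
 10 permit udp any host 192.0.2.53 eq 53
 20 permit tcp 10.1.0.0 0.0.1.255 host 192.0.2.10 eq 443
 30 permit tcp host 10.9.9.9 host 192.0.2.10 eq 22
 40 deny ip any any"""

if __name__ == "__main__":
    old, new = parse_acl(OLD_ACL), parse_acl(NEW_ACL)
    for entry, piece, a_act, b_act in compare(old, new) + compare(new, old):
        print(f"{entry}\n    slice {piece.src}->{piece.dst} {sorted(piece.proto)} ports "
              f"{piece.dport}: {a_act} here, {b_act} in the other list")
```

Run as is, it reports one slice in each direction: the traffic 10.9.9.9 -> 192.0.2.10 tcp/22, denied by OLD and permitted by NEW; the /23 summary and the moved UDP line are silent because they match exactly the same packets. The slices it prints are the minimal regions on which the two lists disagree, which is what a reviewer has to sign off on after a generator has rewritten the list. The catch-all `deny ip any any` is the expensive seed, since it gets carved against every other entry; on lists of the size described in the post that is where the run time goes, and seeding only from the entries that changed is the obvious first optimisation.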


