- $ cat refdef.sh
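#!/bin/sh
# find IOS filters defined but not referenced and referenced but not defined
#
# refdef.sh config-file-1 ... config-file-N
#
# Environment:
#   DEBUG - optional trace level for the awk pass (default 0). Values above 2
#           print the derived file name; values above 4 also trace every
#           reference/definition that is recorded.
#
# Output (stdout): for each config with findings, a "<name> missing commands:"
# header, one " *** Warning: ..." line per finding, then a blank line.
# Files that are missing or unreadable are reported on stderr and skipped.

DEBUG=${DEBUG:-0}

#######################################
# Cross-check filter definitions against references in one IOS config.
# Globals:   DEBUG (read)
# Arguments: $1 - path to the config file
# Outputs:   report on stdout; "is not a readable file" on stderr
# Returns:   1 if the file is missing or unreadable, else awk's status
#######################################
check_config() {
  cfg=$1
  if [ ! -f "$cfg" ] || [ ! -r "$cfg" ] ; then
    printf '%s\n' "$cfg is not a readable file" >&2
    return 1
  fi
  # The config is fed on stdin rather than passed as an operand: awk treats
  # an operand of the form "name=value" as a variable assignment, not a file.
  # NB: awk -v expands backslash escapes in its value, so a path containing
  # backslashes is shown altered in the report header (nothing else uses it).
  awk -v extfilename="$cfg" -v debug="$DEBUG" '
  BEGIN {
    ## hack for "wr net" adding "-confg" to filename
    ##
    filename = extfilename
    if ( filename ~ /-confg$/ ) filename = substr(filename, 1, length(filename)-6)
    if ( debug>2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)
    ## remove directory names - eg: /tftpboot/foo-confg becomes foo-confg
    while ( (n = index(filename, "/" )) > 0 ) {
      filename = substr(filename, n+1, length(filename)-n)
      if ( debug>4 ) print "filename(" n ") = " filename
    }
    if ( debug>2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)
    # default COPP directives that are added automatically but not referenced
    # showed up in sup2t 15.1(2)SY6
    ciscoDefaultCoppUnreferenced["class-map class-copp-dhcp-snooping"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-unknown-protocol"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-receive"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-rpf-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-service-insertion"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mac-pbf"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-wccp"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ttl-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-slb"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-ipv6-control"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ucast-egress-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-arp-snooping"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ip-admission"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ucast-ingress-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mtu-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-options"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-ip-control"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-nd"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-glean"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-unsupp-rewrite"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-broadcast"] = 1
  } # end of Begin section
  /\r/ { gsub("\r", ""); } # remove any stray carriage returns
  /^!/ { next } # ignore comment lines
  ########################
  ###### referenced ######
  ## access-list
  /^ *access-class / { addAclRef("access-list", $2) } # line vty ; access-class NNN in
  /^ distribute-list [0-9]+ out /{ addAclRef("access-list", $2) } # router eigrp ; distribute-list NN out ifName
  /^ distribute-list prefix / { addAclRef("prefix-list", $3) } # router eigrp ; distribute-list prefix NNN in ifname
  /^ *ip access-group / { addAclRef("access-list", $3) } # int foo ; ip access-group NNN in
  /^ ip directed-broadcast / { addAclRef("access-list", $3) } # int foo ; ip directed-broadcast NNN
  /^ ip multicast boundary / { addAclRef("access-list", $4) } # int foo ; ip multicast boundary NNN
  /^ ip verify unicast source reachable-via rx allow-default [0-9]/ { addAclRef("access-list", $8); next }
  /^ ipv6 verify unicast source reachable-via rx / {
    # the ACL is field 7, or field 8 when "allow-default" is present
    n=7
    if ( $(n) == "allow-default" ) n++
    if ( NF >= n ) addAclRef("access-list", $(n))
    next
  }
  /^ *ipv6 access-class / { addAclRef("access-list", $3) } # line vty ; ipv6 access-class bar in
  /^ ipv6 traffic-filter / { addAclRef("access-list", $3) } # int foo ; ipv6 traffic-filter bar
  /^ *match access-group [0-9]/ { addAclRef("access-list", $3) } # class-map match-any NNN; match access-group NNN
  /^ *match access-group name / { addAclRef("access-list", $4) } # class-map match-any NNN; match access-group name XXX
  # drat: can be one or two leading spaces for match access-group
  /^ match address / { addAclRef("access-list", $3) } # crypto map ; match address NNN
  /^ *match ip address / { # route-map foo ; match ip address [prefix-list] NNN
    if ( $4 == "prefix-list" ) addAclRef("prefix-list", $5) # route-map foo ; match ip address prefix-list NNN
    else addAclRef("access-list", $4) # route-map foo ; match ip address NNN
  }
  /^ip http access-class / { addAclRef("access-list", $4) } # ip http access-class NNN
  /^ip pim rp-address / {
    if ( $5 == "group-list" ) { # ip pim rp-address 148.129.1.3 group-list 224.0.0.0/4
      #
    } else if ( NF > 4 ) { # ip pim rp-address a.d.d.r NNN
      # ip pim rp-address a.d.d.r NNN override
      # ip pim rp-address a.d.d.r override
      if ( $5 != "override" ) {
        addAclRef("access-list", $5)
      }
    }
  }
  /^ip wccp [0-9]+ redirect-list / { addAclRef("access-list", $5) } # ip wccp NN redirect-list NNN accelerated
  /^ip wccp web-cache redirect-list / { addAclRef("access-list", $5) } # ip wccp web-cache redirect-list NNN
  /^ipv6 wccp [^ ]+ redirect-list / { addAclRef("access-list", $5) } # ipv6 wccp 80 redirect-list wccp-ipv6-in
  /^snmp-server community / {
    if ( ( $4 ~ /^R(O|W)/ && NF > 4 ) ||
         ( $4 == "view" && NF > 6 ) ) {
      # snmp-server community foo RO NNN
      # snmp-server community foo view bar RO NNN
      addAclRef("access-list", $(NF))
    }
    else if ( $4 == "group" ) {
      # snmp-server community foo group network-operator
    }
    else if ( $4 == "use-acl" ) {
      # snmp-server community foo use-acl 20
      addAclRef("access-list", $5)
    }
    else {
      # $3 is the community string (a credential); mask it so an unparsed
      # line does not copy the secret into the report
      $3 = "<community>"
      warnMsg(" WTF ?? " $0)
    }
  }
  /^snmp-server tftp-server-list / { addAclRef("access-list", $3) }
  ## class-map
  /^ *class / { if ( $2 != "class-default" ) addAclRef("class-map", $2) } # policy-map foo; class bar; police ...
  # drat: can be one or two leading spaces
  ## policy-map
  /^ *service-policy / {
    # system qos; service-policy type queuing output default-out-policy
    # int foo; service-policy (input|output) bar
    # policy-map foo; service-policy bar
    if ( $2 == "type" ) { }
    else if ( $2 == "input" || $2 == "output" ) addAclRef("policy-map", $3)
    else addAclRef("policy-map", $2)
  }
  ## prefix-list
  /^ *match ipv6 address prefix-list / { addAclRef("prefix-list", $5); next } # route-map foo ; match ipv6 address prefix-list XXX
  /^ *neighbor [^ ]+ prefix-list / { addAclRef("prefix-list", $4) } # router bgp ; neighbor XXX prefix-list NNN in|out
  # router bgp NNN
  #  neighbor XXX
  #   address-family ipv(4|6) unicast
  #    prefix-list XXX (in|out)
  /^ *prefix-list / { addAclRef("prefix-list", $2); next }
  ## route-map
  /^ ip policy route-map / { addAclRef("route-map", $4); next } # int foo ; ip policy route-map NNN
  /^ *neighbor [0-9A-F.:]+ route-map / { addAclRef("route-map", $4); next } # router bgp ; neighbor XXX route-map NNN in|out
  ### could be 1 or 2 leading spaces ++ and account for ipv6 neighbor address
  /^ *redistribute static route-map / { addAclRef("route-map", $4); next } # router eigrp ; redist static route-map NNN
  /^ *redistribute .* route-map / {
    # router eigrp N
    #  redistribute static route-map NNN
    #  redistribute bgp ASN route-map NNN
    addAclRef("route-map", $(NF))
    next
  }
  # router bgp NNN
  #  neighbor XXX
  #   address-family ipv4 unicast
  #    route-map XXX (in|out)
  /^ *route-map / { addAclRef("route-map", $2); next }
  ## transform-set
  /^ set transform-set / { addAclRef("transform-set", $3) } # crypto-map foo; set transform-set bar
  #######################
  ###### ACLs configured:
  ######
  /^access-list / { addAclDef("access-list", $2); next }
  /^ip access-list extended / { addAclDef("access-list", $4); next }
  /^ip access-list standard / { addAclDef("access-list", $4); next }
  /^ip access-list / { addAclDef("access-list", $3); next }
  /^ipv6 access-list / { addAclDef("access-list", $3); next }
  /^class-map match-/ { addAclDef("class-map", $3) } # class-map match-(any|all) NNN
  /^ip prefix-list / { addAclDef("prefix-list", $3) }
  /^ipv6 prefix-list / { addAclDef("prefix-list", $3) }
  /^policy-map type control-plane / { addAclDef("policy-map", $4); next } # policy-map type control-plane copp-system-policy
  /^policy-map / { addAclDef("policy-map", $2) } # policy-map foo
  /^route-map / { addAclDef("route-map", $2) } # route-map foo
  /^crypto ipsec transform-set / { addAclDef("transform-set", $4) }
  ##
  ## end getting ACLs configured/referenced

  # record "<type> <name>" as referenced somewhere in the config
  function addAclRef(type, aclName) {
    aclRef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclRef[\"%s %s\"] = 1\n", type, aclName )
  } # end func addAclRef

  # record "<type> <name>" as defined (configured) in the config
  function addAclDef(type, aclName) {
    aclDef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclDef[\"%s %s\"] = 1\n", type, aclName )
  } # end func addAclDef

  # print the per-file report header once; hdr remembers that it was printed
  function printHeader( ) {
    hdr = 1
    printf("%s missing commands:\n",filename)
  } # end func printHeader

  # print one report line, emitting the header first if not yet done
  function warnMsg(s) {
    if ( ! hdr ) printHeader()
    printf("%s\n", s)
  } # end func warnMsg

  END {
    # "in" is used instead of comparing aclDef[i]/aclRef[i] to 1 so that the
    # lookup does not create empty entries in the table being checked
    for ( i in aclRef ) if ( ! (i in aclDef) ) {
      ### FIXME: WTF?
      if ( i ~ /access-list copp-system-acl-/ ) continue
      if ( i ~ /class-map copp-system-class-/ ) continue
      if ( i ~ /policy-map copp-system-policy/ ) continue
      ###
      warnMsg( " *** Warning: " i " referenced but not configured!" )
    }
    for ( i in aclDef ) if ( ! (i in aclRef) ) {
      #
      # no warnings for "standard" acls, policies, etc. not referenced
      if ( i == "access-list 113" ) continue
      if ( i == "policy-map vtc" ) continue
      if ( i == "policy-map IP-PHONES" ) continue
      if ( ! ( i in ciscoDefaultCoppUnreferenced ) )
        warnMsg( " *** Warning: " i " configured but not referenced!" )
    }
    if ( hdr ) printf("\n\n")
  } # end of End section
  ' < "$cfg"
}

#######################################
# Process every config file named on the command line, in order.
# Arguments: config file paths
#######################################
main() {
  for cfg_path in "$@"
  do
    check_config "$cfg_path"
  done
}

main "$@"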