How to remove bulk lines from Cisco devices?

Cooky

Golden Member
Apr 2, 2002
We're trying to remove all the ACLs that have hitcnt=0.
There are hundreds of lines and it's a waste of time to go through each one of them.

If I weren't so rusty at programming, I could've written a program to do this, but it's been many years since the last time I compiled any code in any language...

Does anyone know of a good & efficient way of doing this?

Cooky

Golden Member
Apr 2, 2002
Seriously, I spent pretty much all day yesterday just replacing multiple entries with object-groups. This was for only one PIX; imagine how long it'll take if I have to do it for all three of them.

How do I use find/replace in my case?
The search phrase is obviously (hitcnt=0), but how do I make it remove the whole line, or put a "no" in front?

Edit:
Actually, when you do "show access-list", it expands all the object-groups into individual lines. So if I edit directly on the output of "show access-list", I think it's gonna mess up the groups.
If I don't, I'll have to go back and forth between "show run" and "show access-list", which will take even longer.

Any suggestions?

spidey07

No Lifer
Aug 4, 2000
sorry, not much help then.

working with large rule bases on a pix is like going to the dentist, getting sent to FPMITA prison, going through a divorce and getting hit by a car...all at the same time.

Cooky

Golden Member
Apr 2, 2002
I was able to use UltraEdit to make the job a little easier.

Now my question is, if I remove the ACLs from the "show access-list" output, will it screw up anything if those ACLs are part of object-groups?

For example, if I do:
no access-list in-from-outside permit tcp any host 192.168.1.2 eq www
while the host is part of a network object-group, will that host simply be removed from the group?

Ctrackstar126

Senior member
Jul 14, 2005
Originally posted by: spidey07
sorry, not much help then.

working with large rule bases on a pix is like going to the dentist, getting sent to FPMITA prison, going through a divorce and getting hit by a car...all at the same time.

Man o Man

bruceb

Diamond Member
Aug 20, 2004
You can't just remove them from the Show Access List command... all that does is display what is there.
You must be in Privileged Exec Mode (enable) and then in Config-Interface for whatever interface or port
the access lists are on... you can then delete them from there... you will need to manually shut down
the interfaces before you can modify them.

Cooky

Golden Member
Apr 2, 2002
bruceb:
I was aware that the "show" command only displays a list of the ACLs (hence the name "show").

I believe you'd remove the ACLs in the global config mode instead of the interface mode.
Thanks for the reply anyway.

bruceb

Diamond Member
Aug 20, 2004
Access lists are set on each interface, aren't they?
I think you would need to remove them from the interface
first, before you can delete them.

Cooky

Golden Member
Apr 2, 2002
Now I see what you were saying...sorry for the misunderstanding.

I'm not removing the entire ACL, but rather just some entries within one.
We've got about 900 lines within access-list in-from-outside. I'm removing some lines off it instead of deleting the entire in-from-outside ACL.

Like I said earlier, UltraEdit has pretty cool regular expression functionality that allows me to do what I want easily, so I'm all set.
Thanks for everyone's feedback!

spidey07

No Lifer
Aug 4, 2000
As an aside, when you're changing access lists it is always, always, always good practice to take it off an interface, change it and then reapply the ACL once it's modified.

It's real easy to lock yourself out of a device because of the way the top-down processing occurs with ACLs, for example when changing an ACL that is already in place on an interface.
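Cooky's original question (turn every hitcnt=0 line of "show access-list" into a "no access-list" command), the object-group worry from his edit and follow-up post, and spidey07's advice just above (take the ACL off the interface, edit, reapply) fit together in one short script. The script below is an added example for this thread, not code from any of the posters. The "show access-list" output it parses is constructed, and the layout it assumes (one top-level line per configured ACE, indented lines for the entries an object-group expands into, a "line N" number and a trailing hash on each line, as in the PIX 7.x/ASA style rather than the older PIX 6.x style that Cooky's own "no access-list in-from-outside permit tcp ..." command suggests) is an assumption to check against your own device before trusting the generated commands; the "access-group" syntax and the ACL and interface names are assumed as well. Two points the script bakes in: it never emits "no" for a zero-hit line that is merely an expansion of an object-group whose parent ACE still has hits, because (as Cooky noted) the running config references the group, not the host, so that host has to come out of the object-group instead and is listed for manual review; and it matches entries by their text rather than by "line N", since line numbers shift as entries are removed. While the access-group is off the interface the interface has no ACL at all, so run the change set in a planned window and from a management path that does not depend on that ACL.

```python
"""Turn zero-hit ACEs from PIX/ASA 'show access-list' output into 'no access-list'
commands, wrapped in remove/reapply of the access-group.

Added example for this thread (not any poster's code).  Assumptions: the
PIX 7.x/ASA 'show access-list' layout sketched in SAMPLE_SHOW_ACCESS_LIST
(top-level ACEs, indented object-group expansions, 'line N', trailing hash),
and the 'access-group NAME in interface IF' command form.
"""
import re

# Constructed sample of 'show access-list' output; not captured from a real device.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list in-from-outside; 5 elements
access-list in-from-outside line 1 extended permit tcp any object-group WEB-SERVERS eq www (hitcnt=15) 0x1a2b3c4d
  access-list in-from-outside line 1 extended permit tcp any host 192.168.1.2 eq www (hitcnt=15) 0x5e6f7a8b
  access-list in-from-outside line 1 extended permit tcp any host 192.168.1.3 eq www (hitcnt=0) 0x9c0d1e2f
access-list in-from-outside line 2 extended permit tcp any host 192.168.1.4 eq ssh (hitcnt=0) 0x3a4b5c6d
access-list in-from-outside line 3 extended permit udp any host 192.168.1.5 eq domain (hitcnt=42) 0x7e8f9a0b
access-list in-from-outside line 4 extended permit tcp any object-group OLD-SERVERS eq smtp (hitcnt=0) 0xabcdef01
  access-list in-from-outside line 4 extended permit tcp any host 192.168.1.6 eq smtp (hitcnt=0) 0x12345678
"""

ACE_PREFIX = "access-list "
HITCNT_RE = re.compile(r"\s*\(hitcnt=(\d+)\)")
# 'line N' and the trailing 0x... hash are display-only; line numbers also
# renumber after every removal, so the generated commands must not use them.
LINE_NUM_RE = re.compile(r"\bline \d+ ")
HASH_RE = re.compile(r"\s+0x[0-9a-fA-F]+\s*$")


def parse_show_access_list(text):
    """Return [(depth, ace_text, hitcnt)] for every ACE line in the output.

    depth 0 is a configured ACE; depth 1 is an object-group expansion of the
    preceding depth-0 ACE (assumed to be recognisable by leading indentation).
    Summary lines such as 'access-list X; 5 elements' carry no hitcnt and are skipped.
    Lines in the older PIX 6.x style (no 'line N', no hash) pass through unchanged.
    """
    entries = []
    for raw in text.splitlines():
        m = HITCNT_RE.search(raw)
        if not m or not raw.lstrip().startswith(ACE_PREFIX):
            continue
        depth = 1 if raw[0].isspace() else 0
        ace = raw.strip()
        ace = HITCNT_RE.sub("", ace)
        ace = HASH_RE.sub("", ace)
        ace = LINE_NUM_RE.sub("", ace)
        entries.append((depth, ace.strip(), int(m.group(1))))
    return entries


def plan_removals(entries):
    """Split zero-hit entries into ACEs removable with 'no' and group members
    that need an object-group edit instead (returned as (member, parent_ace))."""
    removable, review = [], []
    parent = None
    for depth, ace, hits in entries:
        if depth == 0:
            parent = (ace, hits)
            if hits == 0:
                removable.append(ace)
        elif hits == 0 and parent is not None and parent[1] != 0:
            # The configured ACE references the object-group, not this host, so
            # a 'no access-list ... host X' line cannot take the host out of it.
            review.append((ace, parent[0]))
    return removable, review


def build_change_set(show_output, acl_name, ifname, direction="in"):
    """Commands in the order spidey07 recommends: detach the ACL from the
    interface, remove the dead entries, reattach.  Returns (commands, review)."""
    removable, review = plan_removals(parse_show_access_list(show_output))
    removable = [a for a in removable if a.startswith(ACE_PREFIX + acl_name + " ")]
    cmds = [f"no access-group {acl_name} {direction} interface {ifname}"]
    cmds += [f"no {ace}" for ace in removable]
    cmds.append(f"access-group {acl_name} {direction} interface {ifname}")
    return cmds, review


if __name__ == "__main__":
    cmds, review = build_change_set(SAMPLE_SHOW_ACCESS_LIST, "in-from-outside", "outside")
    print("\n".join(cmds))
    for member, parent_ace in review:
        print(f"! review: zero hits inside an object-group: {member}  (parent: {parent_ace})")
```

Run it against a saved "show access-list" capture in place of the constructed sample; paste the printed commands in config mode only after checking the review list, since each reviewed host needs a "no network-object" edit of its object-group rather than an ACL change.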