All scripts
fault
Expert
~4 min
ACL Shadow & Conflict Analyzer
Deep ACL analysis using interval tree data structures to find shadowed ACEs (rules that can never match), redundant entries, permit-before-deny violations, stale hit-count rules, and policy inconsistencies across devices.
cisco-ios
cisco-nxos
juniper
arista
You're viewing a preview
The full script, parameters, and execution console are available with a free account.
Already have access? Sign in โ
Capabilities
- ACL
- Security
- Interval tree
- Shadowed rules
- Policy
- Interval tree prefix check
Required inputs
Parameters the script accepts. Defaults shown; some are vendor- or context-gated.
| Parameter | Type | Default | Notes |
|---|---|---|---|
Min Hit Count min_hits | number | 0 | โ |
Check Shadowed ACEs check_shadowed | bool | true | โ |
Sample inventory schema
Authoritative shape of the device/policy data this script consumes.
No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.
Expected output
Reference terminal output the script should produce โ used as a stylistic and structural target.
terminal
[INFO] Parsed 247 ACEs across 12 ACLs [CRIT] ACL INTERNET-IN line 40: shadowed by line 20 (0 hits in 30d) [WARN] ACL DMZ-OUT: 3 redundant deny rules [CRIT] ACL MGMT line 80: permit-after-deny anomaly [OK] Hit-count baseline saved โ /var/log/acl_baseline.json