Cisco::ACL - generate access control lists for Cisco IOS


  use Cisco::ACL;
  my $acl = Cisco::ACL->new(
    permit   => 1,
    src_addr => '',
    dst_addr => '',
  );
  print "$_\n" for( $acl->acls );


Cisco::ACL is a module to create Cisco-style access lists. IOS access lists do not take netmasks; they take wildcard masks, which are the bitwise inverse of a netmask: a set bit means "ignore this bit", so 0.0.0.255 (not 255.255.255.0) selects a /24 and 0.0.0.0 selects a single host. That is almost but not entirely unlike a netmask, and backwards (at least that's how it has always seemed to me), which makes hand-written masks easy to get wrong in the over-permissive direction.

This module makes it easy to think in CIDR but emit IOS-compatible access lists.


To construct a Cisco::ACL object, call the new method. The following optional arguments can be passed as a hash of key/val pairs:


A Cisco::ACL object has several accessor methods which may be used to get or set the properties of the object. These accessors are generated by Class::MethodMaker; see its documentation for the details of each accessor type. The Class::MethodMaker type of each accessor is given in square brackets following the accessor name.

permit() [boolean]

A boolean accessor, it returns 1 or 0 depending on whether the object represents a 'permit' rule or a 'deny' rule. Passing a true value to the accessor sets it to 1.

There are also clear_permit() and set_permit() methods which set the property without requiring an explicit argument.

established() [boolean]

A boolean accessor, it returns 1 or 0 depending on whether the object represents a rule which should only match established sessions. Passing a true value sets it to 1. Note that the IOS "established" keyword is only meaningful for TCP, and it is a stateless check: it matches any segment with the ACK or RST flag set, not sessions the router has actually seen opened, so it should not be mistaken for stateful inspection.

src_addr() [list]

A list of source addresses, returned as an arrayref in scalar context and an array in list context. Passing an argument replaces the entire content of the list. If you want to add an address to the list, use src_addr_push().

Source and destination addresses may be specified in any combination of three syntaxes: a single IP address, a range of addresses in the format a.a.a.a-b.b.b.b or a.a.a.a-b, or a CIDR block in the format x.x.x.x/nn. Use the word "any" to specify all addresses. For example, all of the following are legal: 

Multiple entries may be passed to the accessor functions.

There are also src_addr_pop(), src_addr_shift(), src_addr_unshift(), src_addr_unsplice(), src_addr_clear(), src_addr_count(), src_addr_index() and src_addr_set() methods which perform the familiar array operations on the list of addresses.

src_port() [list]

A list of source ports or source port ranges. A range of ports is denoted as two port numbers joined by a -; the numbers may be given in either order. The same list-manipulation methods as for src_addr() are available, with the src_port_ prefix instead of src_addr_.
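As an added illustration of the address syntaxes described under src_addr() above and the port syntax described here (this is not code from Cisco::ACL or its author), the following standalone Perl turns those specs into IOS extended-ACL entries. It assumes that the a.a.a.a-b form means a range within the last octet, that a range which does not line up with a CIDR boundary must be covered exactly by several blocks rather than rounded up to one wider wildcard, and uses addresses from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges as constructed input.

```perl
#!/usr/bin/perl
# Added illustration, not Cisco::ACL code: expand address and port specs
# into IOS extended-ACL fragments, splitting unaligned ranges exactly.
use strict;
use warnings;
use Socket qw(inet_aton inet_ntoa);

sub ip2int { my $p = inet_aton($_[0]) or die "bad address: $_[0]\n"; unpack 'N', $p }
sub int2ip { inet_ntoa(pack 'N', $_[0]) }

# IOS wildcard for a prefix length: the inverse of the netmask, so a 1 bit
# means "don't care" (/24 -> 0.0.0.255, /32 -> 0.0.0.0).
sub wildcard {
    my $len  = shift;
    my $mask = $len ? (0xFFFFFFFF << (32 - $len)) & 0xFFFFFFFF : 0;
    int2ip(~$mask & 0xFFFFFFFF);
}

# Split an inclusive integer range into the fewest aligned CIDR blocks,
# returned as [network, prefix_len]. Highest-first input is accepted.
sub range_to_cidrs {
    my ($lo, $hi) = @_;
    ($lo, $hi) = ($hi, $lo) if $lo > $hi;
    my @blocks;
    while ($lo <= $hi) {
        my $len = 32;
        while ($len > 0) {                   # widen while aligned and inside
            my $size = 2 ** (33 - $len);     # size of the next wider block
            last if $lo % $size or $lo + $size - 1 > $hi;
            $len--;
        }
        push @blocks, [ $lo, $len ];
        $lo += 2 ** (32 - $len);
    }
    @blocks;
}

# One address spec -> IOS fragments: any, a.a.a.a, a.a.a.a-b.b.b.b,
# a.a.a.a-b (assumed: range within the last octet), x.x.x.x/nn.
sub addr_fragments {
    my $spec = shift;
    return 'any' if lc($spec) eq 'any';
    my ($lo, $hi);
    if ($spec =~ m{^(\d+(?:\.\d+){3})/(\d+)$}) {
        my ($net, $len) = ($1, $2);
        die "bad prefix length /$len\n" if $len > 32;
        my $size = 2 ** (32 - $len);
        $lo = ip2int($net);
        $lo -= $lo % $size;                  # clear any host bits
        $hi  = $lo + $size - 1;
    } elsif ($spec =~ m{^(\d+(?:\.\d+){3})-(\d+(?:\.\d+){3}|\d+)$}) {
        my ($from, $to) = ($1, $2);
        (my $first3 = $from) =~ s/\.\d+$//;
        $to = "$first3.$to" if $to !~ /\./;
        ($lo, $hi) = (ip2int($from), ip2int($to));
    } elsif ($spec =~ m{^\d+(?:\.\d+){3}$}) {
        $lo = $hi = ip2int($spec);
    } else {
        die "unsupported address spec: $spec\n";
    }
    map {
        my ($net, $len) = @$_;
        $len == 32 ? 'host ' . int2ip($net)
      : $len == 0  ? 'any'
      :              int2ip($net) . ' ' . wildcard($len);
    } range_to_cidrs($lo, $hi);
}

# One port spec -> "eq N" or "range LO HI" (IOS wants lowest first).
sub port_fragment {
    my $spec = shift;
    return '' unless defined $spec && length $spec;
    my ($lo, $hi) = split /-/, $spec, 2;
    return "eq $lo" if !defined $hi || $lo == $hi;
    ($lo, $hi) = ($hi, $lo) if $lo > $hi;
    "range $lo $hi";
}

sub _list { my $v = shift; defined($v) ? (ref($v) eq 'ARRAY' ? @$v : $v) : () }

# One rule -> its entries: every source fragment is paired with every
# destination fragment, so an unaligned range multiplies the output.
sub acl_lines {
    my %r = (permit => 1, protocol => 'tcp', src_addr => 'any', dst_addr => 'any', @_);
    my $action = $r{permit} ? 'permit' : 'deny';
    my @src = map { addr_fragments($_) } _list($r{src_addr});
    my @dst = map { addr_fragments($_) } _list($r{dst_addr});
    my @sp  = map { port_fragment($_) }  _list($r{src_port});
    my @dp  = map { port_fragment($_) }  _list($r{dst_port});
    @sp = ('') unless @sp;
    @dp = ('') unless @dp;
    my @lines;
    for my $s (@src) { for my $sport (@sp) { for my $d (@dst) { for my $dport (@dp) {
        my $line = join ' ', grep { length } $action, $r{protocol}, $s, $sport, $d, $dport;
        $line .= ' established' if $r{established};
        push @lines, $line;
    } } } }
    @lines;
}

# Constructed input: 192.0.2.10-20 needs four exact blocks; one /27
# wildcard (0.0.0.31) would also admit .0-.9 and .21-.31.
print "$_\n" for acl_lines(
    src_addr => '192.0.2.10-20',
    dst_addr => '198.51.100.0/24',
    dst_port => '443-80',
);
```

Running it prints four entries: the range becomes 192.0.2.10 0.0.0.1, 192.0.2.12 0.0.0.3, 192.0.2.16 0.0.0.3 and host 192.0.2.20, each against 198.51.100.0 0.0.0.255 range 80 443. The point for review is that a range which is not CIDR-aligned cannot be written as a single contiguous wildcard; a tool that rounds it to the enclosing block silently widens the rule, and IOS will accept that wider entry without complaint.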

dst_addr() [list]

As with src_addr(), but for destination addresses.

dst_port() [list]

As with src_port(), but for destination ports.

protocol() [get_set]

A get/set accessor for the IP protocol keyword emitted in each generated entry, for example 'ip' to match all traffic regardless of whether it is TCP or UDP, as in the examples below.

If you have Class::MethodMaker v1.xx installed, the object will only have the accessor methods described above. If you have Class::MethodMaker v2.xx installed then there will be more accessor methods. Only the accessor methods documented here are officially supported and tested.



acls() generates the access lists and returns them as an array in list context or an arrayref in scalar context.


Resets all of the ACL values. Useful if you want to construct an object, generate an ACL and then re-use the same object for a completely different ACL rather than one which is incrementally different.

Resetting an ACL object:


To create an access list that allows traffic from with any source port to any host on the class B network with a destination port of 21937:

  my $acl = Cisco::ACL->new(
    src_addr => '',
    dst_addr => '',
    dst_port => 21937,
  );
  print "$_\n" for( $acl->acls );

To create an access list that will deny all traffic (regardless of whether it is TCP or UDP) to or from

  my $acl = Cisco::ACL->new(
    src_addr => '',
    protocol => 'ip',
  );
  print "$_\n" for( $acl->acls );
  # reuse the object with the addresses swapped to cover the other direction
  $acl->dst_addr( '' );
  print "$_\n" for( $acl->acls );

Using multiple addresses and/or ports: permit SSH (port 22) and SMTP (port 25) traffic from and to anywhere. (SFTP runs inside SSH on port 22, so it needs no separate entry.)

  my $acl = Cisco::ACL->new(
    src_addr => [ '', '' ],
    dst_port => [ 22, 25 ],
  );
  print "$_\n" for( $acl->acls );

Using the established parameter, permit any sessions which are already established.

  my $acl = Cisco::ACL->new( established => 1 );
  print "$_\n" for( $acl->acls );


These are the known limitations inherited from the original script. I hope to address them in the near future.


The initial version of this module is pretty much an OO wrapper around Chris' original code. Future plans include (hopefully in order of implementation):


This distribution includes a simple CGI frontend to Cisco::ACL.

If you need a more generic framework for ACLs, take a look at Net::ACL by Martin Lorensen.


James FitzGibbon, <>.


The code in this module started life as a CGI script written by Chris De Young (chd AT chud DOT net). I was about to embark on writing a module to do this from scratch when I stumbled across his web version, which was procedural. He graciously accepted my offer to OOP-ize the code. Any mistakes in this module are probably mine.


Nicolas Georgel contributed changes to implement Cisco's port range syntax and to allow for port numbers to be specified in reverse order (highest first).


This module is free software. You may use and/or modify it under the same terms as perl itself.

