I have a few questions regarding the design of a service for creating/manipulating/applying ACLs:
The requirement is to be able to enter:
protocol (e.g. TCP)
From this information the service should either manipulate or create an ACL on the affected routers.
1. Would it make sense to have a separate Service for creation of ACLs (with appropriate input fields like e.g. Standard/Extended, rule, interface to apply ACL to, IN/OUT etc.) and another for making the appropriate ACEs (according to input as above)? My idea is that more modular services will be more easily reusable and also be less "bloated" (hence easier to implement).
2. How can I get NSO/NCS to identify all the Routers/devices whose ACLs need to be modified? Or will this have to happen manually?
3. Will I need a template-based AND Java capable service (e.g. "ncs-make-package --service-skeleton java-and-template editACL")? How else would I be able to retrieve the current ACL on a device and make insertions to/edit the ACL, if not by using a programming language? I believe this is not possible with mere templating, correct? Could I also use Python for this?
4. The service should also work for JunOS devices (filter lists)... although this is a more advanced and currently not a pressing issue/requirement, any remarks on specifics/experiences for this requirement are very welcome.
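One way to see the split asked about in question 1 in working code, as an added example that is not from the original post and not NSO's own API: a platform-neutral ACE model, one function that merges a new ACE into the ACL already read from a device (a no-op if the ACE is already there, an error on a clashing sequence number), and separate renderers for IOS and Junos so the same entry serves both question 3 and question 4. The names Ace, insert_ace, render_ios and render_junos are assumptions; reading the current ACL out of the NSO device config tree is left out and the "current" list below is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:  # one access-control entry in platform-neutral form (hypothetical model)
    seq: int                    # sequence number, decides ordering on the device
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp", "udp", ...
    src: str                    # "any" or a CIDR prefix such as "10.0.0.0/8"
    dst: str
    dst_port: Optional[int] = None

def insert_ace(acl, ace):
    """Merge `ace` into the ACEs already read from the device, ordered by sequence.
    Re-applying an identical ACE is a no-op; a clashing sequence number is an error."""
    if ace in acl:
        return list(acl)
    if any(e.seq == ace.seq for e in acl):
        raise ValueError(f"sequence {ace.seq} already used in this ACL")
    return sorted(acl + [ace], key=lambda e: e.seq)

def _ios_addr(cidr):  # CIDR -> IOS "host X" / "network wildcard" form
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses == 1:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # hostmask is the IOS wildcard mask

def render_ios(name, acl):  # IOS named extended ACL, one line per ACE
    lines = [f"ip access-list extended {name}"]
    for e in acl:
        port = f" eq {e.dst_port}" if e.dst_port is not None else ""
        lines.append(f" {e.seq} {e.action} {e.protocol} {_ios_addr(e.src)} {_ios_addr(e.dst)}{port}")
    return lines

def render_junos(name, acl):
    """Render the same ACEs as Junos 'set' commands for an inet firewall filter."""
    base, lines = f"set firewall family inet filter {name}", []
    for e in acl:
        term = f"{base} term t{e.seq}"
        matches = [("protocol", None if e.protocol == "ip" else e.protocol),
                   ("source-address", None if e.src == "any" else e.src),
                   ("destination-address", None if e.dst == "any" else e.dst),
                   ("destination-port", e.dst_port)]
        lines += [f"{term} from {k} {v}" for k, v in matches if v is not None]
        lines.append(f"{term} then {'accept' if e.action == 'permit' else 'discard'}")
    return lines
```

Because insert_ace is idempotent, re-running the service with the same input produces the same rendered ACL, which is what an NSO service needs for check-sync and re-deploy.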