ian.scheidler1

Design of ACL service

Hi everyone,

I have a few questions regarding the design of a service for creating/manipulating/applying ACLs:

The requirement is to be able to enter:

  • source IP/network
  • source netmask
  • destination IP/network
  • destination netmask
  • protocol (e.g. TCP)
  • port

From this information the service should either manipulate or create an ACL on the affected routers.

1. Would it make sense to have a separate service for creation of ACLs (with appropriate input fields like e.g. Standard/Extended, rule, interface to apply the ACL to, IN/OUT etc.) and another for making the appropriate ACEs (according to the input as above)? My idea is that more modular services will be more easily reusable and also be less "bloated" (hence easier to implement).

2. How can I get NSO/NCS to identify all the routers/devices whose ACLs need to be modified? Or will this have to happen manually?

3. Will I need a template-based AND Java-capable service (e.g. "ncs-make-package --service-skeleton java-and-template editACL")? How else would I be able to retrieve the current ACL on a device and make insertions to/edit the ACL, if not by using a programming language? I believe this is not possible with mere templating, correct? Could I also use Python for this?

4. The service should also work for JunOS devices (filter lists). Although this is a more advanced and currently not a pressing issue/requirement, any remarks on specifics/experiences for this requirement are very welcome.

All help is greatly appreciated. Thank you.
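As an added example, not part of the original post and not NSO's own code: the translation the described service has to perform from the listed inputs (source/destination network and netmask, protocol, port) into an IOS extended ACE and the equivalent Junos firewall-filter term, together with the input validation a service callback should do before touching any device. All helper names (AclRule, ios_ace, ios_acl, junos_term) and the sample rules are invented for this illustration. The IOS side derives the wildcard (inverse) mask from the netmask instead of accepting it as input, because an inverted mask is the classic way a "permit" ends up matching far more than intended. In NSO the string rendering below would normally be replaced by setting the same values in the NED's model from a Python or template service; that NSO-specific part is left out here so the block runs stand-alone.

```python
"""Added example (not from the original post): render the post's ACL inputs
into an IOS extended ACE / ACL and a Junos firewall-filter term, validating
the inputs first. All names here are hypothetical helper names."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = {"ip", "tcp", "udp"}                   # "ip" = any IPv4 protocol
ACTIONS = {"permit": "accept", "deny": "discard"}  # IOS keyword -> Junos "then" action


@dataclass(frozen=True)
class AclRule:
    """The fields the post lists: source/destination network + netmask, protocol, port."""
    src_ip: str
    src_mask: str
    dst_ip: str
    dst_mask: str
    protocol: str
    port: Optional[int] = None   # destination port; None means any port
    action: str = "permit"

    def __post_init__(self):
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.protocol!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unsupported action {self.action!r}")
        if self.port is not None:
            if self.protocol == "ip":
                raise ValueError("a port match requires protocol tcp or udp")
            if not 1 <= self.port <= 65535:
                raise ValueError(f"port {self.port} out of range")
        # Parse eagerly so a malformed or non-contiguous mask is rejected
        # before any configuration is generated.
        self.src_net()
        self.dst_net()

    def src_net(self) -> ipaddress.IPv4Network:
        # strict=False normalises a host address with a shorter mask to its network
        return ipaddress.IPv4Network(f"{self.src_ip}/{self.src_mask}", strict=False)

    def dst_net(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.dst_ip}/{self.dst_mask}", strict=False)


def _ios_endpoint(net: ipaddress.IPv4Network) -> str:
    """IOS ACEs take the inverse mask (wildcard): 255.255.255.0 -> 0.0.0.255.
    The wildcard is derived from the parsed network, never typed by the operator."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"


def ios_ace(rule: AclRule) -> str:
    """One access-control entry in IOS extended-ACL syntax."""
    ace = (f"{rule.action} {rule.protocol} "
           f"{_ios_endpoint(rule.src_net())} {_ios_endpoint(rule.dst_net())}")
    if rule.port is not None:
        ace += f" eq {rule.port}"
    return ace


def ios_acl(name: str, rules, interface: Optional[str] = None, direction: str = "in") -> str:
    """The named extended ACL, optionally applied to an interface: the
    'create ACL' part the post separates from the 'add ACEs' part."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    lines = [f"ip access-list extended {name}"] + [f" {ios_ace(r)}" for r in rules]
    if interface:
        lines += [f"interface {interface}", f" ip access-group {name} {direction}"]
    return "\n".join(lines)


def junos_term(name: str, rule: AclRule) -> str:
    """The same rule as a Junos firewall-filter term (prefix notation, no wildcard)."""
    lines = [f"term {name} {{", "    from {",
             f"        source-address {{ {rule.src_net().with_prefixlen}; }}",
             f"        destination-address {{ {rule.dst_net().with_prefixlen}; }}"]
    if rule.protocol != "ip":
        lines.append(f"        protocol {rule.protocol};")
    if rule.port is not None:
        lines.append(f"        destination-port {rule.port};")
    lines += ["    }", f"    then {ACTIONS[rule.action]};", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample rules (RFC 1918 / documentation addresses), not real config.
    rules = [
        AclRule("10.1.1.0", "255.255.255.0", "192.0.2.10", "255.255.255.255", "tcp", 443),
        AclRule("10.1.1.0", "255.255.255.0", "0.0.0.0", "0.0.0.0", "udp", 53, "deny"),
    ]
    print(ios_acl("WEB-IN", rules, interface="GigabitEthernet0/1"))
    for i, r in enumerate(rules, 1):
        print(junos_term(f"t{i}", r))
```

The two renderers share one validated AclRule, which is the point of splitting the service the way question 1 suggests: the rule model is platform-neutral, and only the last step differs per NED. Note that both IOS and Junos end a list with an implicit deny/discard, so the order in which rules are rendered is part of the security semantics and should be fixed by the service model rather than by the order devices happen to return them.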
