
TCL scripting to locate the log keyword on named ACL entries and remove the line

juan-ruiz
Level 1

I'm trying to figure out the best way to search named ACLs for the keyword log at the end of an entry and remove it, by removing that entry and adding it again in the same position.

Can someone please assist and share any documentation so I can build upon it?

Thanks,
Juan


4 Replies

Joe Clarke
Cisco Employee

That is tricky.  Do your ACLs have sequence numbers?  If not, what would be best is to create a new ACL with a temp name (e.g., let's say your ACL is called EXTERNAL; then create an EXTERNAL-TEMP).  In that new ACL, copy the contents of the existing ACL unmodified.  Then, apply the new ACL where the old one was applied.  Then, destroy the old one and iterate through the ACEs of the new one to do what you need.  Recreate the original named ACL with the correct lines.  Finally, re-apply the modified ACL with the original name and destroy the temporary ACL.


I don't know of any existing Tcl scripts to do this, but it should be fairly straightforward.  It's even easier if you use sequence numbers, since you can just replace in line.

juan-ruiz
Level 1

What if we called each named ACL with show ip access-list acl1 | include log and captured the stdout in a variable, then entered a function to enter acl1 and remove the entries from the ACL, called another function to clean the end of the ACL string and strip out the word log, and added the entries again to acl1?

Is this something the Cisco TCL can perform?

I know I can put something together in Linux BASH to do this, but I'm not 100% sure the TCL environment can perform this.

Thanks for the reply.

Joe Clarke
Cisco Employee
Accepted Solution

You can do that, yes.  However, the time it takes to re-enter the ACL in its entirety would mean a window where it isn't complete and could open you up to an attack or a DoS to your users (depending on the rules).  This is why the temp ACL helps as it reduces that window.

But Tcl is a programming language, and you can certainly do exactly the same thing you can do in bash in terms of in-memory variable storage.
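The two approaches in this thread (in-line replacement when the ACEs have sequence numbers, and the EXTERNAL / EXTERNAL-TEMP swap when they do not) as one IOS Tcl script. This is an added example, not code from the thread or from Cisco; it assumes the ACL is extended, that the caller knows the interface and direction it is applied on, and that the "(N matches)" hit counters and the NAME-TEMP naming look as shown. `exec` and `ios_config` are the IOS tclsh commands for running show commands and pushing configuration lines; the sample show output at the end is constructed so the parsing can be dry-run off the box.

```tcl
# Added example (not from the thread). Strips a trailing "log"/"log-input"
# from every ACE of a named extended IOS ACL. ACEs with sequence numbers are
# replaced in line, so the ACL is never incomplete; without them the ACL is
# rebuilt behind a NAME-TEMP copy so the interface stays filtered meanwhile.
# Targets the IOS tclsh (Tcl 8.3: no lassign/dict/"eq").

# Parse "show ip access-lists NAME" into a list of {seq ace} pairs (seq is
# "" when absent); the ACL kind (standard/extended) goes into kindVar.
proc parse_acl {text kindVar} {
    upvar $kindVar kind
    set kind ""
    set aces {}
    foreach line [split $text "\n"] {
        set line [string trim $line]
        if {[string length $line] == 0} continue
        if {[regexp {^(Standard|Extended) IP access list } $line -> k]} {
            set kind [string tolower $k]
            continue
        }
        # drop the hit counter IOS appends: "(12 matches)" / "(1 match)"
        regsub { \(\d+ match(?:es)?\)$} $line "" line
        if {[regexp {^(\d+) (.*)$} $line -> seq ace]} {
            lappend aces [list $seq $ace]
        } else {
            lappend aces [list "" $line]
        }
    }
    return $aces
}

# ACE with a trailing "log" or "log-input" removed; unchanged otherwise.
proc strip_log {ace} {
    regsub {\s+log(?:-input)?$} $ace "" ace
    return $ace
}

# In-line rewrite: "no SEQ" then "SEQ <ace>" keeps the position and leaves
# every other entry untouched, so there is no window without the ACL.
proc inline_cmds {name aces} {
    set cmds [list "ip access-list extended $name"]
    foreach pair $aces {
        set seq [lindex $pair 0]
        set ace [lindex $pair 1]
        set clean [strip_log $ace]
        if {[string equal $clean $ace]} continue
        lappend cmds "no $seq" "$seq $clean"
    }
    return $cmds
}

# Config lines that (re)create ACL NAME with the given ACEs in order,
# each passed through xform when one is given.
proc acl_cmds {name aces {xform ""}} {
    set cmds [list "ip access-list extended $name"]
    foreach pair $aces {
        set seq [lindex $pair 0]
        set ace [lindex $pair 1]
        if {[string length $xform]} { set ace [$xform $ace] }
        if {[string length $seq]} { set ace "$seq $ace" }
        lappend cmds $ace
    }
    return $cmds
}

# Whole procedure for one ACL; iface/dir say where NAME is applied
# (assumed: the script does not discover that itself).
proc strip_acl_logging {name iface dir} {
    set aces [parse_acl [exec "show ip access-lists $name"] kind]
    if {![string equal $kind extended]} {
        error "$name: only extended ACLs are handled"
    }
    set sequenced 1
    foreach pair $aces {
        if {[string length [lindex $pair 0]] == 0} { set sequenced 0 }
    }
    if {$sequenced} {
        eval ios_config [inline_cmds $name $aces]
        return
    }
    set tmp "$name-TEMP"
    eval ios_config [acl_cmds $tmp $aces]
    ios_config "interface $iface" "ip access-group $tmp $dir"
    eval ios_config [linsert [acl_cmds $name $aces strip_log] 0 \
        "no ip access-list extended $name"]
    ios_config "interface $iface" "ip access-group $name $dir"
    ios_config "no ip access-list extended $tmp"
}

# Constructed sample output for a dry run off the box: prints the in-line
# config lines instead of pushing them.
set sample "Extended IP access list EXTERNAL
    10 permit tcp any host 192.0.2.10 eq www log (12 matches)
    20 deny ip any any log-input (1 match)
    30 permit udp any any eq domain"
if {[string length [info commands ios_config]] == 0} {
    set aces [parse_acl $sample kind]
    foreach c [inline_cmds EXTERNAL $aces] { puts $c }
}
```

On a router, `strip_acl_logging EXTERNAL GigabitEthernet0/0 in` does the work; in a desktop tclsh the script only prints the in-line lines for the sample (`no 10`, `10 permit tcp any host 192.0.2.10 eq www`, `no 20`, `20 deny ip any any`). Two caveats worth knowing before running it against a live box: `show` output for standard ACLs prints addresses as `10.0.0.0, wildcard bits 0.255.255.255`, which is not re-enterable as-is, hence the extended-only check; and an ACE logged with a user cookie (`log <word>`) is not matched by `strip_log`, so it is left alone rather than mangled. Even the in-line path should be tried on a copy of the ACL first, since any ACE the parser does not reproduce exactly is what ends up in the running config.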

juan-ruiz
Level 1

Thank you.
