Re: automation of ios ip access-list

houlee · ‎12-19-2019

Hi experts,

I have a question of adding/updating ip access-list on IOS XE 6.12.02.

When adding an entry into an ip access-list from NSO, such as

set devices device <ios_devices> config ios:ip access-list standard std-named-acl SSM_Range stad-access-list-rule permit 3.3.3.3

IOS adds a sequence number in front of the rule and the running config shows like this on the IOS side

ip access-list standard SSM_Range
  10 deny 232.255.255.0 0.0.0.255
  20 permit 232.0.0.0 0.255.255.255
  30 permit 3.3.3.3

This makes NSO complain about the '30 permit 3.3.3.3' line when doing compare-config since the sequence number, 30 is missing in the CDB.

My question is how to handle this kind of auto-generated sequence number from the automation perspective. One way is to hard-coded the sequence number in the templates of NSO but this is not flexible. The entries in the access-list might be added/deleted in the future and it's hard to maintain the state of the sequence number. If we leave the IOS to decide the sequence number, we will have the above compare-config discrepancy.

Is there any way or best practice that NSO or NED can handle this kind of dilemma?

Thanks.

vleijon · ‎12-19-2019

Using access lists without sequence numbers is apparently legacy behavior. I would recommend keeping track of the sequence number. There are some ned-setttings one is new-ip-access-list the other is access-list-resequence. I haven’t tried either but they might help you if you do not want to keep track of the sequence numbers.

ngrgur · ‎12-06-2021

Hello,

I know this is an old discussion, but can you share which path you took? I have run into same dillema.. This compare-config discrepancy aslo appears for the numbered ACLs on IOS.