ACL management automation

shubhjassim
Level 1

Good afternoon all.

I have about 50 sites, all of them have extended ACLs, with the network's source IPs (different at each site) and some destination hosts (that are the same at each site), which can change every few years as we upgrade our systems.

The old, manual way is going through each ACL and modifying them manually. This is pretty tedious and error prone.

I have, just recently migrated some ACLs to using object groups, which will help since I can just modify the destination hosts in the object group instead of the entire ACL.

Am I missing something obvious to help automate this? I know there's stuff like Ansible, but I don't want to spend the time to learn it if this is not something that I can accomplish with it.

2 Replies

If these routers accept object-group network, then why not use it?

MHM

balaji.bandi
Hall of Fame

What device models are these? What IOS code is running?

Can you post the ACL from one of them and tell us what you are changing?

Manually editing all 50 sites is sometimes a bit painful if we don't have any automation tools in place.

There are many ways to do this; I prefer the methods below:

1. You can use TFTP: make the changes on a remote TFTP server, and copying from tftp to run should work.

2. I use Python for scripting automation (there are many scripts available on the internet; you do not need to learn anything, just understand how they work, make changes according to your environment, test in the lab, then deploy to the environment and test it).

3. Cisco Prime does it for you (if you have Prime Infra in place).

4. You can also use netbox - https://github.com/ryanmerolle/netbox-acls

5. https://github.com/batfish/batfish

BB
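One way to script the object-group approach the thread discusses: generate each site's IOS snippet from one shared destination list, and compute the minimal object-group change when a destination host is upgraded. This is an added example, not code from the thread or any poster; the site names, networks, group and ACL names are constructed samples.

```python
# Added example (not from the thread): per-site IOS object-group + ACL config from
# one shared destination list, plus the group change for a host upgrade. Constructed names.
from typing import Dict, List

# Constructed inventory: each site has its own source network (wildcard mask),
# while the destination hosts are the same everywhere.
SITES: Dict[str, str] = {
    "site-01": "10.1.0.0 0.0.255.255",
    "site-02": "10.2.0.0 0.0.255.255",
}
DEST_GROUP = "OG_DST_SERVERS"   # assumed group name
ACL_NAME = "SITE_TO_SERVERS"    # assumed ACL name


def object_group_lines(dest_hosts: List[str]) -> List[str]:
    """Full object-group definition listing every destination host."""
    return [f"object-group network {DEST_GROUP}"] + [
        f" host {h}" for h in sorted(dest_hosts)]


def acl_lines(source_net: str) -> List[str]:
    """Extended ACL referencing the group, so the ACL itself never changes
    when the destination hosts do."""
    return [f"ip access-list extended {ACL_NAME}",
            f" permit ip {source_net} object-group {DEST_GROUP}",
            " deny ip any any log"]


def site_config(site: str, dest_hosts: List[str]) -> str:
    """Complete per-site snippet; identical apart from the source network."""
    return "\n".join(object_group_lines(dest_hosts) + acl_lines(SITES[site]))


def object_group_delta(current: List[str], desired: List[str]) -> List[str]:
    """Minimal object-group change for an upgrade: remove hosts that went
    away, add new ones, touch nothing else. Identical on every site."""
    removed = sorted(set(current) - set(desired))
    added = sorted(set(desired) - set(current))
    if not removed and not added:
        return []
    return ([f"object-group network {DEST_GROUP}"]
            + [f" no host {h}" for h in removed]
            + [f" host {h}" for h in added])


if __name__ == "__main__":
    old, new = ["10.200.0.5", "10.200.0.6"], ["10.200.0.6", "10.200.0.7"]
    for name in SITES:
        print(site_config(name, new), "\n")
    print("\n".join(object_group_delta(old, new)))
```

Because the delta only touches the object group, the same few lines can be pushed to every site while the per-site ACL stays untouched, which is what makes the change reviewable before it goes out.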
