
ACL not using assigned sequence numbers

eric13
Level 1

Wrote a Python script to automate updating switches and routers in our environment. The script works great and I have used it to push out many updates. I used it to push out an extended named ACL to about 40 Cisco 891 and 892 model routers. The ACL has several lines of permit statements and then 20 lines at the bottom that we always want to be at the end. As months have gone by some routers have had lines added that other routers didn't need, so over time the ACLs are now individually unique. It was a pain to constantly have to delete the last 20 lines and add new lines when the occasion arises to push out a new line. I decided to make the last 20 lines start at an insanely high number, 20000, so they would always be the same on all routers. When running the script now I delete the last 20 lines with the command "no 20000 rule statement" etc., add the new lines I want so they are at the bottom of the ACL, then add the 20 lines back starting at sequence number 20000 again. However, I have found that randomly, even though the script enters in the 20000 sequence number, the rule goes in using the next sequence number at the end of the script. So instead of 20000 it shows as 350, 360, 370, etc. for example. It doesn't happen on all the routers and I haven't been able to tie it down to a specific model or code version, but it does happen on the same routers over and over when I try to rerun the script. Can anyone explain this behavior?



julian.bendix
Level 3

Hey,

can you share the Model and Software Version of one of the routers it is happening on?

And also, there are some Routers of the very same model and running same software where it is working, right?

 

All three code versions are found on routers where it does and doesn't work right, which is why I was unable to tie it down to a code version.
CISCO891-K9
Version 15.2(4)M4
Version 15.0(1)M7
Version 15.1(4)M4

Could you provide an example of an update that did work and an example of an update that did not work? I am wondering if perhaps some treat the update as modifying a named extended access list (ip access-list extended 101 / 62 permit 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255) while others treat it as updates to a regular extended access list (access-list 101 62 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255).

HTH

Rick

A typical script I push out looks like this:

ip access-list extended ACL_NAME
no 20000 deny ip host 10.1.1.1 any
no 20001 deny ip any host 10.1.1.1
!
permit ip host 10.1.1.1 host 10.2.1.1
!
20000 deny ip host 10.1.1.1 any
20001 deny ip any host 10.1.1.1

 

Before I push it out I make sure all routers have the 20000 numbers, or else the new permit statement will go after the deny statements. After running the script from Python, on some routers it looks like this:

380 permit ip host 10.1.1.1 host 10.2.1.1
20000 deny ip host 10.1.1.1 any
20001 deny ip any host 10.1.1.1

 

and on others like this:

380 permit ip host 10.1.1.1 host 10.2.1.1
390 deny ip host 10.1.1.1 any
400 deny ip any host 10.1.1.1

I would then have to go back and manually remove the 390 and 400 lines. I can then copy and paste the lines from the script and it takes with the 20000 numbers.

Hello,

can you post the Python script?

It's not the Python script that's the issue, as it is applying all the lines from the notepad text file. This function of the Python script just reads the lines from a notepad file and applies it to each router in the list I give it. The script works fine and I have used it many, many times without issue for adding ACLs to different model routers. It's just on this particular model router that I've noticed the ACL numbers being off.

 

I don't have those versions to test with, so there may be a solution from someone else, but the beauty of scripts is you can add code to account for these sorts of variations.

So as a high level example:

1) connect to the router and save the access list into a Python list

2) you can then select the last 20 lines of the list and do a "no <line>" for each of the ACL lines.

3) add your new line(s)

4) using the same list as 2) add those lines back in

The advantage of the above is you don't care what numbers are used, you always get the last 20 lines.

 

Jon
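
Jon's four steps worked through in Python, as an added example that is not code from this thread or from any of the posters. It parses the output of "show ip access-lists NAME" (sequence number, rule text, and the optional "(N matches)" counter that must not be echoed back as config), drops the last tail_count entries by sequence number, appends the new rule(s), and re-adds the tail rules without sequence numbers so IOS numbers them after the new rule whatever their old numbers were. The ACL name, the sample show output, and the two-entry tail are constructed for the example; the thread's production tail is 20 lines and is passed as tail_count. Sending the commands and fetching the show output is left to the SSH function the original script already has, so no SSH library is assumed here.

```python
import re
from dataclasses import dataclass

# Header line printed by "show ip access-lists", e.g. "Extended IP access list ACL_NAME".
HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)$")
# One access-control entry: sequence number, rule text, optional hit counter.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


@dataclass
class AclEntry:
    seq: int
    rule: str


def parse_show_access_list(output):
    """Return (acl_type, acl_name, entries) from 'show ip access-lists NAME' text."""
    acl_type = acl_name = None
    entries = []
    for line in output.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            acl_type, acl_name = m.group(1).lower(), m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m and acl_name is not None:
            entries.append(AclEntry(int(m.group(1)), m.group(2)))
    if acl_name is None:
        raise ValueError("no access list header found in output")
    return acl_type, acl_name, entries


def build_acl_update(show_output, new_rules, tail_count):
    """Config lines that insert new_rules in front of the last tail_count entries.

    Steps 2-4 of the answer above: remove the tail, add the new rule(s),
    re-add the tail. The sequence numbers currently in use do not matter.
    """
    if tail_count <= 0:
        raise ValueError("tail_count must be positive")  # entries[-0:] would be the whole ACL
    acl_type, name, entries = parse_show_access_list(show_output)
    if acl_type != "extended":
        raise ValueError(f"{name} is a {acl_type} ACL; this helper targets extended ACLs")
    if len(entries) < tail_count:
        raise ValueError(f"{name} has {len(entries)} entries, fewer than the {tail_count} tail entries expected")
    tail = entries[-tail_count:]
    cmds = [f"ip access-list extended {name}"]
    cmds += [f" no {e.seq}" for e in tail]      # remove the tail by sequence number
    cmds += [f" {rule}" for rule in new_rules]  # new rule(s) now become the last entries
    cmds += [f" {e.rule}" for e in tail]        # re-add without numbers: IOS appends them
    return cmds


def tail_matches(show_output, expected_rules):
    """Post-push check: are expected_rules exactly the last entries of the ACL?"""
    if not expected_rules:
        return True
    _, _, entries = parse_show_access_list(show_output)
    actual = [e.rule for e in entries[-len(expected_rules):]]
    return actual == list(expected_rules)


# Constructed sample of "show ip access-lists ACL_NAME" for one router.
SAMPLE_SHOW = """\
Extended IP access list ACL_NAME
    10 permit ip 10.0.0.0 0.0.0.255 any
    370 permit ip host 10.1.1.2 host 10.2.1.2
    390 deny ip host 10.1.1.1 any (12 matches)
    400 deny ip any host 10.1.1.1
"""
# The rules that must always close the ACL (two here; twenty in the thread).
TAIL_RULES = ["deny ip host 10.1.1.1 any", "deny ip any host 10.1.1.1"]

if __name__ == "__main__":
    cmds = build_acl_update(SAMPLE_SHOW, ["permit ip host 10.1.1.1 host 10.2.1.1"], tail_count=2)
    print("\n".join(cmds))
    # After pushing cmds, re-run the show command and confirm the tail is intact.
    print("tail intact before push:", tail_matches(SAMPLE_SHOW, TAIL_RULES))
```

Running tail_matches against a fresh "show ip access-lists" after the push is the part worth keeping even if the rest is adapted: an ACL whose deny entries ended up somewhere other than the end is a silent policy change, and checking the tail on every router turns the behaviour the thread is chasing into a visible failure instead of one found later by hand.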

 

Great idea, I hadn't thought about writing another function inside the Python program for this particular case. That's a better coding technique too that keeps me from having to put in 20 lines to remove and 20 lines to replace in every notepad script. Should be easy enough to do. I'm still curious to know why the same model with the same version of code behaves differently when the same script is applied, but your idea will definitely work. Thanks