Sunday, April 19, 2020

Replacing ACLs on IOS/IOS-XE with scripts

Hello

I am currently working on a script to replace ACLs on Cisco IOS/IOS-XE routers. Atomic config changes beyond a single line and NETCONF candidate configs are not a thing on the firmware of many of the devices I have to work with.

My assumptions are:

  • Someday someone who doesn't know exactly what the script does will try to replace an ACL on all of our routers, and the script should not fuck up everything, as long as the other assumptions hold.
  • The ACL that needs to be changed might be somewhere where it affects my ability to log in, e.g. it is the ACL on the interface over which I am logging in, or it is the ACL applied to the vty lines for SSH access.
  • If the old ACL allows me to log in, then the new one will also allow it.
  • Errors need to be recoverable: if I lose the connection for whatever reason, I can run the script again and bring everything into the desired state.

Here are some ideas that I had which do not work:

  • Resequence the old ACL so that there is enough "space" for the new entries to be inserted before the old ones, then delete the old entries. This does not work because the same entry cannot appear more than once in an ACL. Also, resequence is only available for legacy IP (IPv4).

  • Copy the ACL, change every place that references the ACL to point at the copy, change the original ACL in place, then revert the references so that the updated ACL is used again, and delete the copy. This has several problems:

    • How do you know where the ACL is used? It can be referenced by many more things than interfaces and vty lines.
    • Error recovery is a pain in the butt, because you have to check whether a copy exists; then you have two ACLs on the device, one of which might be incomplete, but you don't know which one that is. You might also end up with a config that references both. You might be able to resolve some of that, but it will be painful.

Something else I thought about was adding the IP from which I am logging in as the first entry of the ACL, so that I cannot lock myself out. But I have to take a deeper look at some of the use cases of ACLs, because if an ACL is used in some kind of inverted fashion, that might also lock me out.
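To make the last two assumptions and the "first entry" idea concrete, here is an added example (my own illustration, not the script from this post) of what an idempotent planner for one named extended ACL could look like. It parses constructed `show ip access-lists` output, forces a guard entry permitting the management host in at sequence 1 before anything is removed, removes stale entries before adding so that an entry which only moves to another sequence number never exists twice, and produces no commands when the ACL already matches, so it can simply be re-run after a dropped session. The ACL name, addresses and desired entries are made up, and `apply_plan` is only an offline model of how the device accepts the commands, used here to check the plan without a router.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Ace:
    """One access-list entry, in the form the device prints it."""
    seq: int
    text: str  # e.g. "permit tcp host 10.0.0.5 any eq 22"


# Constructed sample of `show ip access-lists MGMT` output (not captured from a real device).
SHOW_MGMT = """Extended IP access list MGMT
    10 permit tcp host 10.0.0.5 any eq 22
    20 permit tcp host 10.0.0.6 any eq 22 (12 matches)
    30 deny ip any any log (5 matches)
"""

# Assumed desired state: .7 takes sequence 20, .6 moves to 30, the deny moves to 40.
DESIRED = [
    Ace(10, "permit tcp host 10.0.0.5 any eq 22"),
    Ace(20, "permit tcp host 10.0.0.7 any eq 22"),
    Ace(30, "permit tcp host 10.0.0.6 any eq 22"),
    Ace(40, "deny ip any any log"),
]

_ACE_RE = re.compile(r"^\s*(\d+)\s+((?:permit|deny)\b.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_show_acl(output: str) -> list[Ace]:
    """Extract (sequence, text) pairs from `show ip access-lists`, dropping hit counters."""
    return [Ace(int(m.group(1)), m.group(2))
            for line in output.splitlines() if (m := _ACE_RE.match(line))]


def plan(acl: str, current: list[Ace], desired: list[Ace], mgmt_ip: str | None) -> list[str]:
    """Commands for `ip access-list extended` mode that move `current` to `desired`.

    Returns [] when the ACL already matches, so the planner can be re-run after a
    lost session. With mgmt_ip set, a guard ACE permitting that host is installed at
    sequence 1 before anything is removed (a desired entry at sequence 1 is dropped
    in its favour). This only helps where a permit means "let the traffic through".
    """
    guard = Ace(1, f"permit ip host {mgmt_ip} any") if mgmt_ip else None
    want = sorted(desired)
    if guard:
        want = [guard] + [a for a in want if a.seq != guard.seq]
    cur, tgt = set(current), set(want)
    if cur == tgt:
        return []
    cmds = [f"ip access-list extended {acl}"]
    stale = sorted(cur - tgt)                  # (seq, text) pairs the device must lose
    if guard and guard not in cur:
        # IOS rejects a duplicate sequence number and a duplicate ACE text, so clear
        # whatever would collide with the guard, then install the guard first of all.
        for a in [a for a in stale if a.seq == guard.seq or a.text == guard.text]:
            cmds.append(f" no {a.seq}")
            stale.remove(a)
        cmds.append(f" {guard.seq} {guard.text}")
    # Remove everything stale before adding, so an entry that only changes its
    # sequence number is gone by the time it is re-added under the new number.
    cmds += [f" no {a.seq}" for a in stale]
    cmds += [f" {a.seq} {a.text}" for a in sorted(tgt - cur) if a != guard]
    return cmds


def apply_plan(current: list[Ace], cmds: list[str]) -> list[Ace]:
    """Offline model of named-ACL config mode: `no <seq>` deletes, `<seq> <text>` adds,
    and a duplicate sequence number or text is rejected the way the device would."""
    state = {a.seq: a.text for a in current}
    for c in cmds[1:]:                         # skip the "ip access-list extended" line
        c = c.strip()
        if c.startswith("no "):
            del state[int(c.split()[1])]
        else:
            seq_s, text = c.split(" ", 1)
            seq = int(seq_s)
            if seq in state or text in state.values():
                raise ValueError(f"device would reject duplicate ACE: {c}")
            state[seq] = text
    return sorted(Ace(s, t) for s, t in state.items())


if __name__ == "__main__":
    cur = parse_show_acl(SHOW_MGMT)
    cmds = plan("MGMT", cur, DESIRED, mgmt_ip="10.0.0.5")
    print("\n".join(cmds))
    after = apply_plan(cur, cmds)
    assert plan("MGMT", after, DESIRED, mgmt_ip="10.0.0.5") == []   # second run is a no-op
```

Two things to keep in mind when using this approach for real: the guard entry only protects you where a permit means the traffic is allowed through, which is exactly the inverted-use problem raised above; and IOS rewrites some entries before storing them (well-known port numbers are shown as names, for example), so the desired entries have to be written the way the device prints them, or the comparison will churn on every run.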

Does anyone else have an idea?
