
Change ACL on Cisco IOS devices

  • 05-14-2008 4:58 PM

    Change ACL on Cisco IOS devices

    This script looks for a specific ACL and makes updates to it.  It can delete a single line or add multiple lines.  If more than one line needs to be deleted it can delete the entire ACL and add it back with the changes.  The default (no checkboxes selected) removes the ACL and adds it back.  Selecting $deleteacl makes the script check that the ACL is not in use before deleting it from the device.  The script relies on user input for the operation to perform, the ACL text to apply, and whether debug mode is enabled.  It runs in debug mode by default, in which the commands are not executed; you must check the "turnoffdebug" checkbox in the user input form to have it execute the commands.

    ########################################################################
    Script:
        Change ACL

    Script-Description:
        This script looks for a specific ACL and makes updates to it.
        It can delete a single line or add multiple lines.  If more than
        one line needs to be deleted it can delete the entire ACL and
        add it back with the changes.  The default will remove the ACL
        and add it back.  By selecting $deleteacl it will check to be
        sure the ACL is not in use before deleting it from the device.
        This script relies on a set of user input for the operations
        to perform, the ACL string to update, and whether debug mode is
        enabled or not.  It runs in debug mode by default.  You must
        check the "turnoffdebug" checkbox in the user input form to
        have it execute the commands.

    Script-Filter:
        $Vendor eq "Cisco"
        and memberOf ["All IOS Devices"]

    ### Mode selection.  Every Trigger-Commands block below tests the full    ###
    ### combination of the four checkboxes:                                   ###
    ###   nothing checked -> delete the whole list and re-add it from $update ###
    ###   $deleteline     -> "no $update" removes one entry (named lists only ###
    ###                      in this version; numbered lists have no such     ###
    ###                      path)                                            ###
    ###   $addline        -> $update is appended to the list (named lists     ###
    ###                      only)                                            ###
    ###   $deleteacl      -> remove the list if no reference to it is found   ###
    ###                      (issues "no access-list": numbered lists only)   ###
    ### Any other combination matches no block and the script silently does  ###
    ### nothing.  With $turnoffdebug unchecked (the default) only the DEBUG: ###
    ### blocks match, which per the description are not executed on the      ###
    ### device -- read a DEBUG run before checking the box.                   ###
    ### Inputs are substituted verbatim and never validated: if $aclname or  ###
    ### $update still hold their placeholder text, the placeholder sentence  ###
    ### itself is sent to the device -- in the rebuild paths right after     ###
    ### "no access-list" has already removed the list.                       ###

    Script-Variables:
        $deleteline boolean

        $addline boolean

        $deleteacl boolean

        $aclname string "Replace this text with the access-list name/number"

        $update text "Paste update here. Do not include ACL name/number"

        $turnoffdebug boolean

    ########################################################################
    Action:
        Show Run

    Action-Description:
        This action executes the "show run" command to look for the
        ACL on the router.

    ### The full running config is fed to both triggers; which one fires    ###
    ### depends on whether $aclname appears as "access-list N ..."          ###
    ### (numbered) or as "ip access-list TYPE NAME" (named).  If neither    ###
    ### template matches, no trigger fires and nothing is changed.          ###

    Action-Commands:
        show run

    Output-Triggers:
        Update Numbered
        Update Named

    ########################################################################
    Trigger:
        Update Numbered

    Trigger-Description:
        Update numbered access lists.  This will delete the old ACL and
        add the new, complete ACL.

    Trigger-Template:
        access-list $aclname .*
        ...
        end

    ### Only the rebuild path exists for numbered lists in this version:     ###
    ### with $deleteline or $addline checked neither block below matches and ###
    ### the list is left untouched.                                          ###
    ### $update is pushed in global config mode straight after               ###
    ### "no access-list", so for THIS path the pasted lines must be complete ###
    ### "access-list $aclname permit|deny ..." statements -- contrary to the ###
    ### hint on $update, which only fits the named-list paths where the list ###
    ### is entered first.                                                    ###
    ### SECURITY: "no access-list" removes the whole list while every        ###
    ### "ip access-group" that references it stays in place.  IOS treats a   ###
    ### reference to a missing list as permit-all, so the interface is       ###
    ### unfiltered from that command until the last line of $update has been ###
    ### accepted, and stays that way if $update is rejected (typo,           ###
    ### placeholder text, bare entries).  "write memory" then persists the   ###
    ### result.  Prefer building the new list under a spare number and       ###
    ### swapping the access-group, or at least confirm with                  ###
    ### "show access-list $aclname" afterwards.                              ###

    ###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###

    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
        config terminal
        no access-list $aclname
        $update
        end
        write memory

    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
        DEBUG:config terminal
        DEBUG:no access-list $aclname
        DEBUG:$update
        DEBUG:end
        DEBUG:write memory

    #########################################################################
    Trigger:
        Update Named

    Trigger-Description:
        Update named access lists.

    Trigger-Variables:
        $type word

    Trigger-Template:
        ip access-list [[$type]] $aclname

    ### [[$type]] appears to capture the list type (standard/extended) from  ###
    ### the matched "ip access-list" line so the same list can be            ###
    ### re-created below.                                                    ###
    ### SECURITY: the rebuild path removes the list and re-creates it empty  ###
    ### before $update is pushed.  On IOS an interface whose access-group    ###
    ### points at a missing or empty list is unfiltered, so traffic is       ###
    ### permitted from "no ip access-list" until the entries in $update have ###
    ### been accepted; if $update is rejected (placeholder text, typo) the   ###
    ### list stays empty and "write memory" saves it that way.  Prefer       ###
    ### building the replacement under a new name and swapping the           ###
    ### access-group, or verify with "show access-list $aclname" afterwards. ###

    ###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###

    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
        config terminal
        no ip access-list $type $aclname
        ip access-list $type $aclname
        $update
        end
        write memory

    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
        DEBUG:config terminal
        DEBUG:no ip access-list $type $aclname
        DEBUG:ip access-list $type $aclname
        DEBUG:$update
        DEBUG:end
        DEBUG:write memory

    ### Single-entry delete: "no $update" is issued inside the list, so      ###
    ### $update must be exactly one entry, written as the list holds it (no  ###
    ### list name).  A non-matching entry is rejected and the list is        ###
    ### unchanged, but the resequence and "write memory" still run and no    ###
    ### error is detected -- check the job output.                           ###

    ###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###

    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
        config terminal
        ip access-list $type $aclname
        no $update
        ip access-list resequence $aclname 10 10
        end
        write memory

    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
        DEBUG:config terminal
        DEBUG:ip access-list $type $aclname
        DEBUG:no $update
        DEBUG:ip access-list resequence $aclname 10 10
        DEBUG:end
        DEBUG:write memory

    ### Add: $update is appended at the END of the list.  If the list ends   ###
    ### with an explicit deny-all entry the new lines sit below it and are   ###
    ### never reached (first match wins); remove and re-add that deny, or    ###
    ### give the pasted entries sequence numbers so IOS places them higher.  ###
    ### The resequence to 10/10 afterwards renumbers every entry.            ###

    ###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###

    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
        config terminal
        ip access-list $type $aclname
        $update
        ip access-list resequence $aclname 10 10
        end
        write memory

    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
        DEBUG:config terminal
        DEBUG:ip access-list $type $aclname
        DEBUG:$update
        DEBUG:ip access-list resequence $aclname 10 10
        DEBUG:end
        DEBUG:write memory

    #########################################################################
    Action:
        Show ACL

    Action-Description:
        This action executes the "show access-list" command to
        look for the ACL's on the router.

    ### Second pass: "Find" fires when the output names the list and then   ###
    ### probes the running config for references; its Delete trigger only  ###
    ### acts when $deleteacl is checked.  Note that Find's "SET: $update"   ###
    ### overwrites the user's pasted text, so this action must run after    ###
    ### the Show Run action above (actions appear to run in listed order).  ###

    Action-Commands:
        show access-list $aclname

    Output-Triggers:
        Find

    ########################################################################

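    Trigger:
        Find

    Trigger-Description:
        Find access list, then look for references to it in the running
        config.  Each Verify trigger that matches sets $update back to
        "no", which filters out the Delete trigger.

    ### $update doubles as the go/no-go flag here, overwriting the user's   ###
    ### pasted text; that is harmless only because the Delete trigger never ###
    ### sends $update to the device.  The include patterns are plain        ###
    ### substrings: "access-group 1" also hits "access-group 10" -- such    ###
    ### false positives block the delete, i.e. they fail safe.              ###
    ### The "access-class" probe catches lists that restrict vty/aux/console ###
    ### access; without it a management-plane list could be deleted.        ###
    ### Still NOT checked: snmp-server community ... <acl>,                 ###
    ### ip nat ... list <acl>, distribute-list, crypto map "match address", ###
    ### ntp access-group.  Confirm manually before removing a list that may ###
    ### be used by one of those.                                            ###

    Trigger-Template:
        IP access list $aclname

    Trigger-Commands:
        SET: $update = "yes"
        show run | include access-group $aclname
        show run | include access-group name $aclname
        show run | include match ip address $aclname
        show run | include access-class $aclname

    Output-Triggers:
        Verify1
        Verify2
        Verify3
        Delete

    #########################################################################
    Trigger:
        Verify1

    Trigger-Description:
        Verify ACL is not applied to an interface (ip access-group) or
        matched by another "access-group" clause (e.g. a class-map).

    Trigger-Template:
        access-group

    Trigger-Commands:
        SET: $update = "no"

    #########################################################################
    Trigger:
        Verify2

    Trigger-Description:
        Verify ACL is not referenced by a route-map (match ip address).

    Trigger-Template:
        match ip address

    Trigger-Commands:
        SET: $update = "no"

    #########################################################################
    Trigger:
        Verify3

    Trigger-Description:
        Verify ACL is not applied as an access-class on a line (vty, aux,
        console).  Deleting such a list would leave remote management
        access unrestricted.

    Trigger-Template:
        access-class

    Trigger-Commands:
        SET: $update = "no"

    #########################################################################
    Trigger:
        Delete

    Trigger-Description:
        Delete numbered access lists.  "no access-list" only takes a
        number; a named list needs "no ip access-list TYPE NAME", which
        this trigger does not issue.

    Trigger-Filter:
        $update eq "yes"

    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
        config terminal
        no access-list $aclname
        end
        write memory

    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
        DEBUG:config terminal
        DEBUG:no access-list $aclname
        DEBUG:end
        DEBUG:write memory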

    #########################################################################
    Patrick Voglesang
    VP Operations, Netcordia, Inc.
    (T) +1 410 266 6161 x309 (M) +1 724 272 1042 (F) +1 410 573 9779
    (E) pvogelsang@netcordia.com www.netcordia.com

  • 06-24-2008 1:38 PM In reply to

    Re: Change ACL on Cisco IOS devices

     Here's an updated version that addresses a couple of issues with the previously submitted script.  The changes visible below: the Script-Filter now matches `$sysDescr like /IOS/` instead of the "All IOS Devices" group; a new `$acltype` input (standard or extended) gives numbered ACLs the same single-line delete and add paths that named ACLs already had, via `ip access-list $acltype $aclname`; every command block now starts with `show access-list $aclname` so the list is captured before it is changed; and the add-line paths issue `no deny any` before the pasted entries and `deny any` after them, presumably so the new entries are not placed below a final deny:

     

    ########################################################################
    Script:
            Change ACL
    Script-Description:
            This script looks for a specific ACL and makes updates to it.
            It can delete a single line or add multiple lines.  If more than
            one line needs to be deleted it can delete the entire ACL and
            add it back with the changes.  The default will remove the ACL
            and add it back -- to use this option do NOT mark ANY boxes.
            By selecting $deleteacl it will check to be
            sure the ACL is not in use before deleting it from the device.
            This script relies on a set of user input for the operations
            to perform, the ACL string to update, and whether debug mode is
            enabled or not.  It runs in debug mode by default.  You must
            check the "turnoffdebug" checkbox in the user input form to
            have it execute the commands.
    Script-Filter:
            $Vendor eq "Cisco"
            and $sysDescr like /IOS/
    ### Mode selection.  Every Trigger-Commands block below tests the full    ###
    ### combination of the four checkboxes:                                   ###
    ###   nothing checked -> delete the whole list and re-add it from $update ###
    ###   $deleteline     -> "no $update" removes one entry                   ###
    ###   $addline        -> $update is inserted above a trailing "deny any"  ###
    ###   $deleteacl      -> remove the list if no reference to it is found   ###
    ###                      (issues "no access-list": numbered lists only)   ###
    ### Any other combination matches no block and the script silently does  ###
    ### nothing.  With $turnoffdebug unchecked (the default) only the DEBUG: ###
    ### blocks match, which per the description are not executed on the      ###
    ### device -- read a DEBUG run before checking the box.                   ###
    ### Inputs are substituted verbatim and never validated: if $aclname,    ###
    ### $acltype or $update still hold their placeholder text, the           ###
    ### placeholder sentence itself is sent to the device -- in the rebuild  ###
    ### paths right after "no access-list" has already removed the list.     ###
    ### $acltype must be "standard" or "extended" for every numbered-list    ###
    ### path except the rebuild; it is ignored for named lists, whose type   ###
    ### is read from the running config.                                     ###
    Script-Variables:
            $deleteline boolean
            $addline boolean
            $deleteacl boolean
            $aclname string "Replace this text with the access-list name/number"
            $acltype string "For numbered ACLs, replace this text with standard or extended"
            $update text "Paste update here. Do not include ACL name/number"
            $turnoffdebug boolean
    ########################################################################
    Action:
            Show Run
    Action-Description:
            This action executes the "show run" command to look for the
            ACL on the router.
    ### The full running config is fed to both triggers; which one fires    ###
    ### depends on whether $aclname appears as "access-list N ..."          ###
    ### (numbered) or as "ip access-list TYPE NAME" (named).  If neither    ###
    ### template matches, no trigger fires and nothing is changed.          ###
    Action-Commands:
            show run
    Output-Triggers:
            Update Numbered
            Update Named
    ########################################################################
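    Trigger:
            Update Numbered
    Trigger-Description:
            Update numbered access lists.  This will delete the old ACL and
            add the new, complete ACL.
    Trigger-Template:
            access-list $aclname .*
            ...
            end
    ### $acltype (standard|extended) is substituted verbatim in every path   ###
    ### below and its placeholder text is not detected -- set it.            ###
    ### Rebuild path: after "no access-list" the list is re-entered with     ###
    ### "ip access-list $acltype $aclname" BEFORE $update is pushed, so the  ###
    ### pasted entries are bare "permit/deny ..." lines exactly as the hint  ###
    ### on $update says and as the other paths expect.  Without that line    ###
    ### $update would be pushed in global config mode, where bare entries    ###
    ### are not accepted once the list is gone.                              ###
    ### SECURITY: between "no access-list" and the last accepted line of     ###
    ### $update the list is missing or empty while any "ip access-group"    ###
    ### still references it; on IOS that means the interface permits all    ###
    ### traffic.  If $update is rejected the list stays empty and           ###
    ### "write memory" saves it that way.  Where that window matters, build ###
    ### the replacement under a spare number and swap the access-group.     ###
    ### The leading "show access-list" records the pre-change list in the   ###
    ### job output; compare it against the device afterwards.               ###
    ###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE - MARK **NO** BOXES###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            no access-list $aclname
            ip access-list $acltype $aclname
            $update
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:no access-list $aclname
            DEBUG:ip access-list $acltype $aclname
            DEBUG:$update
            DEBUG:end
            DEBUG:write memory
    ### Single-entry delete: "no $update" must name exactly one entry as the ###
    ### list holds it (no list number).  A mismatch is rejected and the list ###
    ### is unchanged, but the resequence and "write memory" still run and no ###
    ### error is detected -- check the job output.                           ###
    ###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            ip access-list $acltype $aclname
            no $update
            ip access-list resequence $aclname 10 10
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:ip access-list $acltype $aclname
            DEBUG:no $update
            DEBUG:ip access-list resequence $aclname 10 10
            DEBUG:end
            DEBUG:write memory
    ### Add: "no deny any" / "deny any" bracket the pasted entries so they   ###
    ### land above the final deny.  That only works when the last entry is  ###
    ### literally "deny any" (standard-list syntax).  For an extended list  ###
    ### the final entry is "deny ip any any": IOS should reject both         ###
    ### commands, the new entries are appended BELOW the existing deny and  ###
    ### never matched (first match wins), and nothing in this script        ###
    ### notices.  A list with no explicit deny gets one added.  Check the   ###
    ### job output.                                                         ###
    ###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            ip access-list $acltype $aclname
            no deny any
            $update
            deny any
            ip access-list resequence $aclname 10 10
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:ip access-list $acltype $aclname
            DEBUG:no deny any
            DEBUG:$update
            DEBUG:deny any
            DEBUG:ip access-list resequence $aclname 10 10
            DEBUG:end
            DEBUG:write memory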
    #########################################################################
    Trigger:
            Update Named
    Trigger-Description:
            Update named access lists.
    Trigger-Variables:
            $type word
    Trigger-Template:
            ip access-list [[$type]] $aclname
    ### [[$type]] appears to capture the list type (standard/extended) from  ###
    ### the matched "ip access-list" line; $acltype is not used here.        ###
    ### SECURITY: the rebuild path removes the list and re-creates it empty  ###
    ### before $update is pushed.  On IOS an interface whose access-group    ###
    ### points at a missing or empty list is unfiltered, so traffic is       ###
    ### permitted from "no ip access-list" until the entries in $update have ###
    ### been accepted; if $update is rejected (placeholder text, typo) the   ###
    ### list stays empty and "write memory" saves it that way.  Prefer       ###
    ### building the replacement under a new name and swapping the           ###
    ### access-group.  The leading "show access-list" records the pre-change ###
    ### list in the job output; compare it against the device afterwards.   ###
    ###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            no ip access-list $type $aclname
            ip access-list $type $aclname
            $update
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:no ip access-list $type $aclname
            DEBUG:ip access-list $type $aclname
            DEBUG:$update
            DEBUG:end
            DEBUG:write memory
    ### Single-entry delete: "no $update" must name exactly one entry as the ###
    ### list holds it (no list name).  A mismatch is rejected and the list   ###
    ### is unchanged, but the resequence and "write memory" still run and no ###
    ### error is detected -- check the job output.                           ###
    ###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            ip access-list $type $aclname
            no $update
            ip access-list resequence $aclname 10 10
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:ip access-list $type $aclname
            DEBUG:no $update
            DEBUG:ip access-list resequence $aclname 10 10
            DEBUG:end
            DEBUG:write memory
    ### Add: "no deny any" / "deny any" bracket the pasted entries so they   ###
    ### land above the final deny.  That only works when the last entry is  ###
    ### literally "deny any" (standard-list syntax).  When $type is          ###
    ### "extended" the final entry is "deny ip any any": IOS should reject  ###
    ### both commands, the new entries are appended BELOW the existing deny ###
    ### and never matched (first match wins), and nothing in this script    ###
    ### notices.  A list with no explicit deny gets one added.  Check the   ###
    ### job output.                                                         ###
    ###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
            show access-list $aclname
            config terminal
            ip access-list $type $aclname
            no deny any
            $update
            deny any
            ip access-list resequence $aclname 10 10
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:ip access-list $type $aclname
            DEBUG:no deny any
            DEBUG:$update
            DEBUG:deny any
            DEBUG:ip access-list resequence $aclname 10 10
            DEBUG:end
            DEBUG:write memory
    #########################################################################
    Action:
            Show ACL
    Action-Description:
            This action executes the "show access-list" command to
            look for the ACL's on the router.
    ### Second pass: "Find" fires when the output names the list and then   ###
    ### probes the running config for references; its Delete trigger only  ###
    ### acts when $deleteacl is checked.  Note that Find's "SET: $update"   ###
    ### overwrites the user's pasted text, so this action must run after    ###
    ### the Show Run action above (actions appear to run in listed order).  ###
    Action-Commands:
            show access-list $aclname
    Output-Triggers:
            Find
    ########################################################################
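    Trigger:
            Find
    Trigger-Description:
            Find access list, then look for references to it in the running
            config.  Each Verify trigger that matches sets $update back to
            "no", which filters out the Delete trigger.
    ### $update doubles as the go/no-go flag here, overwriting the user's   ###
    ### pasted text; that is harmless only because the Delete trigger never ###
    ### sends $update to the device.  The include patterns are plain        ###
    ### substrings: "access-group 1" also hits "access-group 10" -- such    ###
    ### false positives block the delete, i.e. they fail safe.              ###
    ### The "access-class" probe catches lists that restrict vty/aux/console ###
    ### access; without it a management-plane list could be deleted.        ###
    ### Still NOT checked: snmp-server community ... <acl>,                 ###
    ### ip nat ... list <acl>, distribute-list, crypto map "match address", ###
    ### ntp access-group.  Confirm manually before removing a list that may ###
    ### be used by one of those.                                            ###
    Trigger-Template:
            IP access list $aclname
    Trigger-Commands:
            SET: $update = "yes"
            show run | include access-group $aclname
            show run | include access-group name $aclname
            show run | include match ip address $aclname
            show run | include access-class $aclname
    Output-Triggers:
            Verify1
            Verify2
            Verify3
            Delete
    #########################################################################
    Trigger:
            Verify1
    Trigger-Description:
            Verify ACL is not applied to an interface (ip access-group) or
            matched by another "access-group" clause (e.g. a class-map).
    Trigger-Template:
            access-group
    Trigger-Commands:
            SET: $update = "no"
    #########################################################################
    Trigger:
            Verify2
    Trigger-Description:
            Verify ACL is not referenced by a route-map (match ip address).
    Trigger-Template:
            match ip address
    Trigger-Commands:
            SET: $update = "no"
    #########################################################################
    Trigger:
            Verify3
    Trigger-Description:
            Verify ACL is not applied as an access-class on a line (vty, aux,
            console).  Deleting such a list would leave remote management
            access unrestricted.
    Trigger-Template:
            access-class
    Trigger-Commands:
            SET: $update = "no"
    #########################################################################
    Trigger:
            Delete
    Trigger-Description:
            Delete numbered access lists.  "no access-list" only takes a
            number; a named list needs "no ip access-list TYPE NAME", which
            this trigger does not issue.
    Trigger-Filter:
            $update eq "yes"
    Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
            show access-list $aclname
            config terminal
            no access-list $aclname
            end
            write memory
    Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
            DEBUG:show access-list $aclname
            DEBUG:config terminal
            DEBUG:no access-list $aclname
            DEBUG:end
            DEBUG:write memory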
    #########################################################################
     

    Nick Sanders
    Sr. Systems Engineer
    Netcordia, Inc.
    --------------------------------
    No trees were harmed in the transmission of this message; however, a tremendous number of electrons were extremely inconvenienced.
  • 09-22-2008 1:45 PM In reply to

    Re: Change ACL on Cisco IOS devices

     
