########################################################################
Script:
Change ACL
Script-Description:
This script looks for a specific ACL and makes updates to it.
It can delete a single line or add multiple lines. If more than
one line needs to be deleted it can delete the entire ACL and
add it back with the changes. The default will remove the ACL
and add it back. By selecting $deleteacl it will check to be
sure the ACL is not in use before deleting it from the device.
This script relies on a set of user input for the operations
to perform, the ACL string to update, and whether debug mode is
enabled or not. It runs in debug mode by default. You must
check the "turnoffdebug" checkbox in the user input form to
have it execute the commands.
Script-Filter:
$Vendor eq "Cisco"
and memberOf ["All IOS Devices"]
Script-Variables:
$deleteline boolean
$addline boolean
$deleteacl boolean
$aclname string "Replace this text with the access-list name/number"
$update text "Paste update here. Do not include ACL name/number"
$turnoffdebug boolean
########################################################################
Action:
Show Run
Action-Description:
This action executes the "show run" command to look for the
ACL on the router.
Action-Commands:
show run
Output-Triggers:
Update Numbered
Update Named
########################################################################
Trigger:
Update Numbered
Trigger-Description:
Update numbered access lists. This will delete the old ACL and
add the new, complete ACL.
Trigger-Template:
access-list $aclname .*
...
end
###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
config terminal
no access-list $aclname
$update
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
DEBUG:config terminal
DEBUG:no access-list $aclname
DEBUG:$update
DEBUG:end
DEBUG:write memory
#########################################################################
Trigger:
Update Named
Trigger-Description:
Update named access lists: replace the whole ACL, delete a single
line, or add lines, depending on which option was selected.
Trigger-Variables:
$type word
Trigger-Template:
ip access-list [[$type]] $aclname
###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
config terminal
no ip access-list $type $aclname
ip access-list $type $aclname
$update
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off"}
DEBUG:config terminal
DEBUG:no ip access-list $type $aclname
DEBUG:ip access-list $type $aclname
DEBUG:$update
DEBUG:end
DEBUG:write memory
###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
config terminal
ip access-list $type $aclname
no $update
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off"}
DEBUG:config terminal
DEBUG:ip access-list $type $aclname
DEBUG:no $update
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory
###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
config terminal
ip access-list $type $aclname
$update
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off"}
DEBUG:config terminal
DEBUG:ip access-list $type $aclname
DEBUG:$update
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory
#########################################################################
Action:
Show ACL
Action-Description:
This action executes the "show access-list" command to
look for the ACL on the router.
Action-Commands:
show access-list $aclname
Output-Triggers:
Find
########################################################################
Trigger:
Find
Trigger-Description:
Find the access list and check whether it is still referenced by
an interface (access-group) or a route-map/class-map (match ip
address) before allowing deletion. $update is reused here as the
in-use flag: "yes" means no reference was found.
Trigger-Template:
IP access list $aclname
Trigger-Commands:
SET: $update = "yes"
show run | include access-group $aclname
show run | include access-group name $aclname
show run | include match ip address $aclname
Output-Triggers:
Verify1
Verify2
Delete
#########################################################################
Trigger:
Verify1
Trigger-Description:
Verify ACL is not applied to an interface.
Trigger-Template:
access-group
Trigger-Commands:
SET: $update = "no"
#########################################################################
Trigger:
Verify2
Trigger-Description:
Verify ACL is not referenced by a route-map or class-map
(match ip address).
Trigger-Template:
match ip address
Trigger-Commands:
SET: $update = "no"
#########################################################################
Trigger:
Delete
Trigger-Description:
Delete the numbered access list, only when the Find/Verify
triggers left $update set to "yes" (no references found).
Trigger-Filter:
$update eq "yes"
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
config terminal
no access-list $aclname
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="on"}
DEBUG:config terminal
DEBUG:no access-list $aclname
DEBUG:end
DEBUG:write memory
#########################################################################
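As an added Python example (not part of this CCS script or of NetMRI), the same decision logic written as plain code: it scans a constructed `show run` excerpt for references to the ACL before allowing deletion, and builds the command list each trigger block above would send, with the DEBUG: prefix when debug mode is left on. It goes beyond the script in two places: it also checks `access-class` (vty line) references, and on the deleteacl path it removes named as well as numbered ACLs; the function names and the sample config are assumptions.

```python
import re

# Constructed "show run" excerpt used as sample input (not from a real device).
SAMPLE_RUN = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 150 permit ip any any
interface GigabitEthernet0/1
 ip access-group MGMT-IN in
route-map RM-POLICY permit 10
 match ip address 101
"""
# Config lines that reference an ACL: the two forms the script greps for,
# plus access-class on vty lines, which the script does not check.
REF_PATTERNS = (
    r"^\s*ip access-group {acl}\b",
    r"^\s*match ip address\b(?:.*\s)?{acl}\b",
    r"^\s*access-class {acl}\b",
)
def acl_references(show_run, acl):
    """Return the config lines that apply or reference ACL `acl`."""
    pats = [re.compile(p.format(acl=re.escape(acl))) for p in REF_PATTERNS]
    return [ln.strip() for ln in show_run.splitlines() if any(p.match(ln) for p in pats)]
def acl_type(show_run, acl):
    """'standard'/'extended' for a named ACL, None for a numbered one."""
    m = re.search(r"^ip access-list (\w+) " + re.escape(acl) + r"$", show_run, re.M)
    return m.group(1) if m else None
def plan_change(show_run, acl, update, op, debug=True):
    """IOS commands the script would send for op in replace | deleteline |
    addline | deleteacl; debug=True only echoes them with the DEBUG: prefix."""
    kind = acl_type(show_run, acl)
    if op == "deleteacl":
        if acl_references(show_run, acl):
            return []  # ACL is in use: refuse, like the script's $update == "no" path
        body = [f"no access-list {acl}" if kind is None else f"no ip access-list {kind} {acl}"]
    elif kind is None:  # numbered ACL: the script only supports whole-ACL replacement
        body = [f"no access-list {acl}"] + update.splitlines()
    else:
        head = f"ip access-list {kind} {acl}"
        reseq = f"ip access-list resequence {acl} 10 10"
        if op == "replace":
            body = [f"no {head}", head] + update.splitlines()
        elif op == "deleteline":
            body = [head] + ["no " + x for x in update.splitlines()] + [reseq]
        else:  # addline
            body = [head] + update.splitlines() + [reseq]
    cmds = ["config terminal"] + body + ["end", "write memory"]
    return [("DEBUG:" if debug else "") + c for c in cmds]
```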