########################################################################
Script:
Change ACL
Script-Description:
This script looks for a specific ACL and makes updates to it.
It can delete a single line or add multiple lines. If more than
one line needs to be deleted it can delete the entire ACL and
add it back with the changes. The default will remove the ACL
and add it back -- to use this option do NOT mark ANY boxes.
By selecting $deleteacl it will check to be
sure the ACL is not in use before deleting it from the device.
This script relies on a set of user input for the operations
to perform, the ACL string to update, and whether debug mode is
enabled or not. It runs in debug mode by default. You must
check the "turnoffdebug" checkbox in the user input form to
have it execute the commands.
Script-Filter:
$Vendor eq "Cisco"
and $sysDescr like /IOS/
Script-Variables:
$deleteline boolean
$addline boolean
$deleteacl boolean
$addacl boolean
$aclname string "Replace this text with the access-list name/number"
$acltype string "For numbered ACLs, replace this text with standard or extended"
$update text "Paste update here. Do not include ACL name/number"
$turnoffdebug boolean
# How the boxes are read by the triggers below:
#   none checked        -> remove the whole ACL and re-add it from $update
#                          (the destructive default; see "MARK **NO** BOXES")
#   $deleteline only    -> "no $update" inside the ACL, then resequence
#   $addline only       -> drop the trailing "deny any", append $update,
#                          re-add "deny any", then resequence
#   $deleteacl only     -> delete the numbered ACL after the in-use check
#   $addacl only        -> append $update to an existing, unreferenced
#                          numbered ACL
#   two or more checked -> no Trigger-Commands guard matches; nothing is sent
# $turnoffdebug must be checked for anything to reach the device; unchecked,
# the DEBUG: copies of each command list are selected instead.
# NOTE(review): $aclname, $acltype and $update are substituted verbatim, so
# if a user leaves the placeholder text in place that text is what gets
# sent (e.g. "ip access-list $acltype $aclname" in the delete-line path).
########################################################################
# Action 1: pull the running config and hand it to the two Update triggers.
# Which trigger fires depends on how the ACL is defined in the config:
# "access-list <number> ..." -> Update Numbered, "ip access-list <type> <name>"
# -> Update Named.
Action:
Show Run
Action-Description:
This action executes the "show run" command to look for the
ACL on the router.
Action-Commands:
show run
Output-Triggers:
Update Numbered
Update Named
########################################################################
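# Fires when "access-list <number> ..." appears in show run, i.e. the ACL is
# numbered. Each Trigger-Commands list is guarded by the exact checkbox
# combination it serves (one operation box, or none); the DEBUG: copy of
# each list is chosen when $turnoffdebug is unchecked and, per the
# Script-Description, only echoes the commands instead of running them.
# Fix: every guard compared the bare word addacl rather than the variable
# $addacl, so the guard was not looking at the state of that box.
Trigger:
Update Numbered
Trigger-Description:
Update numbered access lists. This will delete the old ACL and
add the new, complete ACL.
Trigger-Template:
access-list $aclname .*
...
end
###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE - MARK **NO** BOXES###
# Destructive default path: the ACL is removed before $update is applied,
# so an empty or rejected $update leaves the ACL absent on the device and
# "write memory" then saves that state.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
no access-list $aclname
$update
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:no access-list $aclname
DEBUG:$update
DEBUG:end
DEBUG:write memory
###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###
# Enters the numbered ACL through "ip access-list <type> <number>", so
# $acltype must already have been replaced with standard or extended
# (the placeholder default text would otherwise be sent as-is).
# "no $update" removes the single entry whose text equals $update; the ACL
# is then renumbered in steps of 10.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
ip access-list $acltype $aclname
no $update
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:ip access-list $acltype $aclname
DEBUG:no $update
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory
###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###
# Assumes the ACL ends with an explicit "deny any": it is removed, $update
# is appended, and "deny any" is re-added so the new entries sit above it.
# NOTE(review): if the ACL has no explicit "deny any", the first command
# presumably has nothing to remove and the ACL just gains a trailing
# "deny any" entry -- confirm that is acceptable for the ACLs in scope.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
ip access-list $acltype $aclname
no deny any
$update
deny any
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:ip access-list $acltype $aclname
DEBUG:no deny any
DEBUG:$update
DEBUG:deny any
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory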
#########################################################################
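# Fires when "ip access-list <type> <name>" appears in show run, i.e. the
# ACL is named; the type word (standard/extended) is captured into $type by
# the template and reused in every command list below, so $acltype is not
# needed on this path. The guard/DEBUG layout is the same as in
# Update Numbered.
# Fix: every guard compared the bare word addacl rather than the variable
# $addacl, so the guard was not looking at the state of that box.
Trigger:
Update Named
Trigger-Description:
Update named access lists.
Trigger-Variables:
$type word
Trigger-Template:
ip access-list [[$type]] $aclname
###THIS WILL DELETE THE OLD ACL AND ADD THE NEW ONE###
# Destructive default path (no boxes checked): the named ACL is deleted,
# re-created empty, and then filled from $update. An empty or rejected
# $update leaves an empty ACL behind, and "write memory" saves that state.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
no ip access-list $type $aclname
ip access-list $type $aclname
$update
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:no ip access-list $type $aclname
DEBUG:ip access-list $type $aclname
DEBUG:$update
DEBUG:end
DEBUG:write memory
###THIS WILL DELETE A SINGLE LINE FROM AN ACL AND RESEQUENCE THE ACL###
# "no $update" removes the single entry whose text equals $update; the ACL
# is then renumbered in steps of 10.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="on" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
ip access-list $type $aclname
no $update
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="on" && $addline=="off" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:ip access-list $type $aclname
DEBUG:no $update
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory
###THIS WILL ADD LINES TO AN ACL AND RESEQUENCE THE ACL###
# Assumes the ACL ends with an explicit "deny any": it is removed, $update
# is appended, and "deny any" is re-added so the new entries sit above it.
# NOTE(review): if the ACL has no explicit "deny any", the first command
# presumably has nothing to remove and the ACL just gains a trailing
# "deny any" entry -- confirm that is acceptable for the ACLs in scope.
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="on" && $deleteacl=="off" && $addacl=="off"}
show access-list $aclname
config terminal
ip access-list $type $aclname
no deny any
$update
deny any
ip access-list resequence $aclname 10 10
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="on" && $deleteacl=="off" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:ip access-list $type $aclname
DEBUG:no deny any
DEBUG:$update
DEBUG:deny any
DEBUG:ip access-list resequence $aclname 10 10
DEBUG:end
DEBUG:write memory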
#########################################################################
# Action 2: list the ACL by name so the "Find" trigger can confirm it exists
# before the in-use check and the Delete/Create paths run.
Action:
Show ACL
Action-Description:
This action executes the "show access-list" command to
look for the ACL's on the router.
Action-Commands:
show access-list $aclname
Output-Triggers:
Find
########################################################################
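# Action 2 follow-up chain. "Find" proves the ACL exists, then greps the
# running config for references to it; each Verify trigger that sees a
# reference flips $notinuse to "no", and Delete/Create are filtered on the
# flag still being "yes".
# Fix: the flag used to be stored in $update, which is also the
# user-supplied ACL text, so by the time Create ran it pushed
# "access-list <name> yes". $notinuse is written only here, via SET:.
# NOTE(review): if this CCS version requires SET: targets to be declared,
# $notinuse needs an entry under Script-Variables.
Trigger:
Find
Trigger-Description:
Find access list.
Trigger-Template:
IP access list $aclname
# NOTE(review): nothing anchors the template to the end of the line, so an
# $aclname of 10 may also match "IP access list 101" -- confirm.
# The greps cover interface (access-group), route-map/class-map
# (match ip address) and vty/console line (access-class) references only;
# other places an ACL can be referenced (e.g. snmp-server community,
# ip nat) are not checked, so "not in use" here is best-effort.
Trigger-Commands:
SET: $notinuse = "yes"
show run | include access-group $aclname
show run | include access-group name $aclname
show run | include match ip address $aclname
show run | include access-class $aclname
Output-Triggers:
Verify1
Verify2
Verify3
Delete
Create
#########################################################################
# Any "access-group" line in the grep output means an interface uses the ACL.
Trigger:
Verify1
Trigger-Description:
Verify ACL is not applied to an interface.
Trigger-Template:
access-group
Trigger-Commands:
SET: $notinuse = "no"
#########################################################################
# Any "match ip address" line means a route-map or class-map uses the ACL.
Trigger:
Verify2
Trigger-Description:
Verify ACL is not referenced by a match ip address statement.
Trigger-Template:
match ip address
Trigger-Commands:
SET: $notinuse = "no"
#########################################################################
# Any "access-class" line means a vty/console line uses the ACL; deleting
# such an ACL changes who can reach the device's management plane.
Trigger:
Verify3
Trigger-Description:
Verify ACL is not applied to a line with access-class.
Trigger-Template:
access-class
Trigger-Commands:
SET: $notinuse = "no"
#########################################################################
# Runs only when $deleteacl is the sole box checked and no reference was
# found. "no access-list" is the numbered-ACL form; a named ACL that Find
# matched would not be removed by it.
# NOTE(review): this relies on the Verify triggers being evaluated before
# the Trigger-Filter below is checked -- confirm for this CCS version.
Trigger:
Delete
Trigger-Description:
Delete numbered access lists.
Trigger-Filter:
$notinuse eq "yes"
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="on" && $addacl=="off"}
show access-list $aclname
config terminal
no access-list $aclname
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="on" && $addacl=="off"}
DEBUG:show access-list $aclname
DEBUG:config terminal
DEBUG:no access-list $aclname
DEBUG:end
DEBUG:write memory
#########################################################################
# Runs only when $addacl is the sole box checked and no reference was found.
# Because it is reached through Find, the numbered ACL already exists and
# $update is appended to it as an "access-list <number> <entry>" line.
Trigger:
Create
Trigger-Description:
Add numbered access list.
Trigger-Filter:
$notinuse eq "yes"
Trigger-Commands:{$turnoffdebug=="on" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="on"}
config terminal
access-list $aclname $update
end
write memory
Trigger-Commands:{$turnoffdebug=="off" && $deleteline=="off" && $addline=="off" && $deleteacl=="off" && $addacl=="on"}
DEBUG:config terminal
DEBUG:access-list $aclname $update
DEBUG:end
DEBUG:write memory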
#########################################################################
Patrick Voglesang
VP Operations, Netcordia, Inc.
(T) +1 410 266 6161 x309 (M) +1 724 272 1042 (F) +1 410 573 9779
(E) pvogelsang@netcordia.com www.netcordia.com