Version 7.1 of SolarWinds Network Configuration Manager brings a few enhancements to the scripting language for Config Change Templates (CCT). (For all new features of NCM 7.1, please see .) This new functionality is especially useful for creating access-control lists (ACLs). In this blog post, we provide a commented example of a CCT that adds ACL entries for routers located in different branches of the company. Although the structure of the entries is the same for all branches, the IP addresses in the ACL statements depend on the subnet, which differs for every office.
How to Create a Config Change Template
When you want to create a brand new CCT, click on 'Create New Config Change Template' on the Config Change Templates page:

You will be redirected to the page where you enter all necessary details -- name, description, tags, and, most importantly, the script itself:

As you can see, a CCT consists of a parameter section and a script body. The @ContextNode parameter is mandatory for each CCT. For more details about the CCT language, see Understanding Config Change Template Semantics in the NCM Admin Guide.
ACL Entries for Routers in Different Offices
Assume the company has a lot of branches and there is a router for each branch. Their IP addresses have the form 10.20.[branch#].40. Now we want to add two ACL statements to the device configurations across the company with a single CCT run. The third octet of each device IP address equals branch# as a rule. (This is a simplified version of a real customer situation. Imagine there are hundreds of routers and more complex conditions and you get the real case.)
Besides @ContextNode, the CCT will have another parameter -- the 'template' of the router IP address (called @ipTemplate). In the ACL statements that will be passed to each device, the third octet of this template IP address will be replaced with the third octet of the IP address of the device.
The CCT code:
script ChangeACL(NCM.Nodes @ContextNode, string @ipTemplate)
{
  // Extract the 3rd octet of the device IP -- this is branch#.
  string @octet = getoctet(@ContextNode.AgentIP, 3)
  // Take the template IP and replace the 3rd octet.
  string @ipnew = setoctet(@ipTemplate, 3, @octet)
  // Beginning of CLI statements: the first and second ACL statements.
  CLI
  {
    Allow @ipnew out
    Allow @ipnew UDP 2055 OUT
  }
}
When you run the CCT, you will get something like

The complete CCT is attached (at the bottom).
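Because one CCT run pushes these statements to every selected router, it helps to preview the result per device and catch nodes whose address does not follow the 10.20.[branch#].40 scheme. The following Python sketch is an added example, not SolarWinds code or part of the original post: get_octet and set_octet only imitate the behavior described above for getoctet and setoctet (1-based octet index assumed), and the node names, addresses and template value are constructed.

```python
import ipaddress

SCHEME = ("10", "20", None, "40")  # 10.20.[branch#].40; None marks the branch octet

def get_octet(ip, n):
    """n-th octet (1-based, as used in the CCT) of a dotted IPv4 string."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed addresses
    if not 1 <= n <= 4:
        raise ValueError(f"octet index {n} not in 1..4")
    return ip.split(".")[n - 1]

def set_octet(ip, n, value):
    """Copy of ip with the n-th octet replaced by value."""
    get_octet(ip, n)  # validates ip and n
    if not value.isdigit() or int(value) > 255:
        raise ValueError(f"bad octet value {value!r}")
    parts = ip.split(".")
    parts[n - 1] = str(int(value))
    return ".".join(parts)

def render_acl(agent_ip, ip_template):
    """ACL lines the CCT would emit for one node; ValueError if off-scheme."""
    octets = [get_octet(agent_ip, i) for i in range(1, 5)]
    for got, want in zip(octets, SCHEME):
        if want is not None and got != want:
            raise ValueError(f"{agent_ip} does not match 10.20.[branch#].40")
    ip_new = set_octet(ip_template, 3, octets[2])
    return [f"Allow {ip_new} out", f"Allow {ip_new} UDP 2055 OUT"]

def preview(nodes, ip_template):
    """Split nodes into rendered ACL lines and skipped nodes (name -> reason)."""
    rendered, skipped = {}, {}
    for name, agent_ip in nodes.items():
        try:
            rendered[name] = render_acl(agent_ip, ip_template)
        except ValueError as exc:
            skipped[name] = str(exc)
    return rendered, skipped

# Constructed sample inventory; names and addresses are illustrative only.
SAMPLE_NODES = {
    "branch-07": "10.20.7.40",
    "branch-112": "10.20.112.40",
    "lab-rtr": "192.168.1.1",
    "typo-rtr": "10.20.300.40",
}

if __name__ == "__main__":
    print(preview(SAMPLE_NODES, "10.20.0.1"))
```

Nodes that land in the skipped set are the ones to exclude from the CCT's node selection or fix in inventory before the run.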
Overview of New String Manipulation Functions
This is for your reference. The following functions are now available:
Recommended Further Reading: SolarWinds Firewall Security Manager
While you can create your ACL statements in bulk with NCM, SolarWinds has recently introduced its Firewall Security Manager (FSM), which you can use, among other things, to check newly deployed ACL changes, e.g. before they go to production. Details can be found in .