
Cisco Script CLI listener

Hi everyone, I need some help regarding a script that I'm trying to do.

I have added a sample, and I know I'm way off from the solution, but I wanted to show what the idea was.

I need to be able to:

  • launch a script on all the equipment
  • see a line that contains a substring
  • modify it (the old code stays in place)
  • apply it back

Can someone please help me with this? I can't find any documentation and I'm sure there is a way!

Thanks in advance,

Someone

  • Hmm..  So let me get this straight.  You want to find any occurrence of 192.168.0.100 and replace it with 192.168.0.101.   I think your first problem is using scripting vs. Compliance Manager, but we'll get back to that in a bit.

    I can see several problems with doing this.   For instance, let's say you had the following instances of this in your config.

    logging host 192.168.0.100
    !
    access-list 1 permit tcp any any eq ssh
    access-list 1 permit ip any host 192.168.0.100
    access-list 1 deny ip any any
    !
    ip access-list extended foobar
    permit ip any host 10.1.1.1
    permit ip any host 192.168.0.100
    deny tcp any any eq ssh
    !
    interface FastEthernet0/0.10
    encapsulation dot1q 10
    ip address 192.168.0.100
    ip access-group public_acl in
    !

    So, the first line could be pretty easy.   Just do a "logging host 192.168.0.101" as the substitution pattern right?   But then you'll end up with two logging hosts, both 192.168.0.100 AND 192.168.0.101.   So, you could do a "no logging host 192.168.0.100" first maybe?   That can cause other problems though.

    The numbered access-list for instance.   If you just do a "access-list 1 permit ip any host 192.168.0.101", you would be adding this line to the ACL at the end, AFTER all the traffic was denied by the line that would now be above it.   OK, so let's do a "no ip access-list 1" and do the permit with the new IP.  Problem here is you've destroyed the rest of the ACL.

    The named ACL will have similar problems.  But first you'd have to even figure out that it was a named ACL to do a no on it.

    The interface is another problem, first you would have to figure out that it's part of the interface.  If you remove the sub-interface, it would lose the encapsulation and the access-group.

    So, those are a few quick examples I came up with that would make this very difficult to work.

    You're better off using Compliance Rules.   With that you can look for things you don't want, like the IP on an interface, or as a logging host, and through the use of multiple rules and remediation scripts (which are MUCH easier to write than what you were working with), fix the problem and have it conform the way you want...

    I'd recommend you go look at them and post any additional questions here! 

    HTH!
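The context problem the reply above describes can be checked mechanically before anything is pushed. The following is an added example, not code from this thread or from the vendor's product: it walks a constructed IOS-style config (modelled on the sample above, with the usual one-space indentation of sub-mode lines, which the forum formatting dropped), records in which context each occurrence of the old address sits, and only generates ordered CLI for plain global commands, flagging ACL and interface occurrences for manual review.

```python
import re

# Constructed sample config modelled on the one in the reply above; not from a real device.
SAMPLE_CONFIG = """\
logging host 192.168.0.100
!
access-list 1 permit tcp any any eq ssh
access-list 1 permit ip any host 192.168.0.100
access-list 1 deny ip any any
!
ip access-list extended foobar
 permit ip any host 10.1.1.1
 permit ip any host 192.168.0.100
 deny tcp any any eq ssh
!
interface FastEthernet0/0.10
 encapsulation dot1q 10
 ip address 192.168.0.100 255.255.255.0
 ip access-group public_acl in
!
"""

def classify_occurrences(config, old_ip):
    """Return (line_no, context, line) for each line containing old_ip as a whole address.
    Context is 'global', 'numbered-acl N', or the unindented header that owns an indented line."""
    pat = re.compile(r'(?<![\d.])' + re.escape(old_ip) + r'(?![\d.])')
    results, section = [], None
    for no, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('!'):
            section = None          # '!' ends the current sub-mode block
            continue
        indented = line[0].isspace()
        if not indented:
            section = stripped      # an unindented line owns the indented lines after it
        if pat.search(line):
            if indented:
                ctx = section
            elif stripped.startswith('access-list '):
                ctx = 'numbered-acl ' + stripped.split()[1]
            else:
                ctx = 'global'
            results.append((no, ctx, stripped))
    return results

def plan_change(config, old_ip, new_ip):
    """Per occurrence: ordered CLI for global commands (add new, then remove old, so the
    service is never unconfigured); a manual flag for ACL/interface lines, where blind
    substitution breaks ordering or drops sibling config, as the reply explains."""
    plan = []
    for no, ctx, line in classify_occurrences(config, old_ip):
        if ctx == 'global':
            plan.append((no, 'auto', [line.replace(old_ip, new_ip), 'no ' + line]))
        else:
            plan.append((no, 'manual', ['! review in context: ' + ctx]))
    return plan

if __name__ == '__main__':
    for no, action, cmds in plan_change(SAMPLE_CONFIG, '192.168.0.100', '192.168.0.101'):
        print(no, action, cmds)
```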

  • Hi Craig, thanks for your answer. I will be more precise: we're actually migrating the IP address of a poller and adding two more.

    What I want is not having to go into our 300 appliances to change the configs.

    - The access lists only have permits

    - Some appliances have SNMPv3, others have SNMPv2, and some of the SNMPv3 ones don't support encryption as strong as the others

    - we have IOS, NX-OS, firewalls, WLC

    I still thank you for your answer because I might have used this script in other things and I now know that it's a bad idea, but I still think it's doable in this case because nothing harmful can happen.

    I'm honestly not sure of how to add an IP address based on another line with Compliance Rule.

    I'm sorry, I should have been more specific.

    Someone

  • Hmm...  There are a couple of discussions that are quite good that you might want to read through.  The first is this, but I should warn you that while the discussion is good, the solution doesn't work in all cases!!

    Automated Config clean up

    I did finally figure out a solution that works in all cases in this discussion though.

    Filtering for incorrect logging hosts

    HTH!