1 Reply Latest reply on Jan 3, 2017 9:36 AM by jkrenzien

    Remediation Script for ACLs

    jdchaiken

      Hi,

      I'm trying to create a remediation script to correct ACLs on Cisco devices. Updating the ACL is pretty easy, but I need to unapply the ACL first, make the change and reapply. Is there a way to iterate through the config, find the interfaces that have it applied, record that information and perform the change?

      For example, something like the following:

      --SAMPLE CONFIG--

      Interface Tunnel0
      access-group 10 in

      Interface Tunnel2
      access-group 10 in
      . . . .

      access-list 10 permit 10.10.10.1
      access-list 10 permit 10.20.10.1
      ...

      --PSEUDO CODE--

      @InterfaceList = []

      // record every interface that has the ACL applied
      foreach @Line in @interfaces {
           if @Line contains 'access-group 10 in'
                @InterfaceList.push(@interfacename)
      }

      // unapply the ACL from each recorded interface
      foreach @interface in @InterfaceList {
           CLI {
                interface @interface
                no access-group 10 in
           }
      }

      // rewrite the ACL
      CLI {
           no access-list 10
           access-list 10 permit 10.10.10.1
           access-list 10 permit 10.20.10.1
           access-list 10 permit 10.30.10.1
      }

      // reapply the ACL to the same interfaces
      foreach @interface in @InterfaceList {
           CLI {
                interface @interface
                access-group 10 in
           }
      }
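The parse / record / regenerate logic the post sketches, written out as an added Python example. It is not code from the original post and not an NCM remediation script; it assumes plain IOS-style configs (`interface NAME` blocks with indented lines, `ip access-group ACL in|out`, also accepting the abbreviated `access-group` form used in the sample above) and works on a constructed config excerpt embedded in the file. The function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface Tunnel0
 ip access-group 10 in
!
interface Tunnel2
 ip access-group 10 in
!
interface GigabitEthernet0/1
 ip access-group 20 out
!
interface GigabitEthernet0/2
 ip access-group 10 out
!
access-list 10 permit 10.10.10.1
access-list 10 permit 10.20.10.1
"""

# Matches "ip access-group 10 in" and the abbreviated "access-group 10 in".
# The ACL token is captured whole so that ACL "10" never matches ACL "100".
ACCESS_GROUP_RE = re.compile(r"^\s*(?:ip\s+)?access-group\s+(\S+)\s+(in|out)\s*$")
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        # Any non-indented line (including "!") closes the current block.
        if not line.startswith(" "):
            current = None
            continue
        if current is not None:
            blocks[current].append(line.strip())
    return blocks


def find_acl_bindings(config_text: str, acl: str) -> List[Tuple[str, str]]:
    """Return (interface, direction) pairs where the given ACL is applied."""
    bindings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config_text).items():
        for line in lines:
            m = ACCESS_GROUP_RE.match(line)
            if m and m.group(1) == acl:
                bindings.append((name, m.group(2)))
    return bindings


def build_remediation(config_text: str, acl: str, new_entries: List[str]) -> List[str]:
    """Generate the unapply / rewrite / reapply command sequence from the post.

    Direction is recorded per interface so an "out" binding is never
    reapplied as "in"; the ACL entries are taken verbatim from new_entries.
    """
    bindings = find_acl_bindings(config_text, acl)
    commands: List[str] = []
    for name, direction in bindings:
        commands += [f"interface {name}", f" no ip access-group {acl} {direction}"]
    commands.append(f"no access-list {acl}")
    commands += [f"access-list {acl} {entry}" for entry in new_entries]
    for name, direction in bindings:
        commands += [f"interface {name}", f" ip access-group {acl} {direction}"]
    return commands


if __name__ == "__main__":
    desired = ["permit 10.10.10.1", "permit 10.20.10.1", "permit 10.30.10.1"]
    for cmd in build_remediation(SAMPLE_CONFIG, "10", desired):
        print(cmd)
```

Two details matter when this feeds a real push: the ACL name is compared as a whole token, so a script for `access-list 10` does not touch interfaces bound to `access-list 100`, and the direction is carried through from the running config rather than hard-coded, so the reapply step restores exactly the enforcement that was there before. Diffing the generated command list against the device before sending it (and keeping the pre-change config) is the check that catches an interface the parser missed.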

        • Re: Remediation Script for ACLs
          jkrenzien

          I don't believe you can do it in the way you would like to. However, if you created a compliance policy looking at the interface config blocks and looking for that ACL, you could run the ACL script and then reapply the ACL through remediation (as long as you don't update the compliance policy report in the process).