Skip to content
/ ios_check_acls Public

An Ansible network function role that allows users to validate whether src/dst IP tuples are permitted by IOS acls

License

GPL-3.0 license
7 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

termlen0/ios_check_acls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
library
library
 
 
meta
meta
 
 
parser_templates/cli
parser_templates/cli
 
 
tasks
tasks
 
 
templates
templates
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

What this role does

A typical automation use case is to validate whether access-lists are open between a given source and destination IP tuple. This demo uses a role to solve this.

  • Checks for subnets
  • Checks for "any"
  • Checks for "tcp" and "udp" being subsets of IP

How to use

---
- name: TEST THE IOS ROLE
  hosts: all
  connection: network_cli
  gather_facts: no

  tasks:

    - include_role:
        name: ios_check_acls
      vars:
        protocol: 'udp'
        action: 'deny'
        src_network: '10.1.1.2'
        src_mask: '255.255.255.255'
        dst_network: '172.17.33.128'
        dst_mask: '255.255.255.128'
        dst_port: '2222'

ansible-playbook -i inventory check_access.yaml

To do:

  • Check for variables
  • Add role dependencies
  • Ensure module dependency (netaddr) is installed
  • Add code to validate source port and range of ports
  • Handle devices that do not have acls configured on them (fail gracefully)

About

An Ansible network function role that allows users to validate whether src/dst IP tuples are permitted by IOS acls

Resources

Readme

License

GPL-3.0 license
Activity

Stars

7 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages