Guided Exercise: Managing Access Control Lists on IOS

Access control lists are used in many different situations. You can use them to deny access from sources of known malicious traffic, and to allow access to various services in use, such as SNMP.

In this exercise, you will automate the process of creating and managing an Access Control List (ACL) on IOS devices.

Outcomes

You should be able to:

  • Add group variables that support template-driven configuration of a management access ACL.

  • Update NOS-specific device configuration templates to provide parameterized configuration statements that define a management access ACL.

  • Perform a play that configures network devices from the updated Jinja2 templates.

Open a terminal window on the workstation VM and change to the ~/proj directory.

  1. Add group variables that support template-driven configuration of a management access ACL.

    1. Create a group_vars/all/ directory if it does not already exist.

      [student@workstation proj]$ mkdir -p group_vars/all
    2. Add variables workstation_ipv4 and tower_ipv4 to the group_vars/all/vars.yml file. Create this file if it does not already exist. Edit it to make sure it contains the following contents:

      workstation_ipv4: 172.25.250.254/24
      tower_ipv4: 172.25.250.9/24
  2. Update NOS-specific device configuration templates to provide parameterized configuration statements that define a management access ACL.

    1. Add lines to the device configuration Jinja2 template for IOS device configuration. Under IOS, SNMP requires a standard access list, so that is used here. Modify j2/ios-config.j2 to include the following content:

      hostname {{ inventory_hostname }}
      ip domain-name {{ domain_name }}
      {% for nameserver in nameservers %}
      ip name-server {{ nameserver }}
      {% endfor %}
      service timestamps log datetime
      service timestamps debug datetime
      logging {{ syslog_ipv4 }}
      logging trap {{ ios_loglevel }}
      access-list 1 permit {{ workstation_ipv4 | ipaddr('address') }} log
      access-list 1 permit {{ tower_ipv4 | ipaddr('address') }} log
  3. Perform a play that configures network devices from the updated Jinja2 templates.

    1. Perform the play found in the j2cfg.yml file. Limit it to cs01. You already created the j2cfg.yml playbook, which sources configuration statements from the VyOS and IOS Jinja2 templates.

      [student@workstation proj]$ ansible-playbook -l cs01 j2cfg.yml
    2. Execute an ad hoc command that verifies that the ACL has been created.

      [student@workstation proj]$ ansible -m ios_command \
      > -a "commands='sh access-list 1'" cs01
      cs01 | SUCCESS => {
          "changed": false,
          "stdout": [
              "Standard IP access list 1\n    20 permit 172.25.250.9 log\n    10 permit 172.25.250.254 log"
          ],
          "stdout_lines": [
              [
                  "Standard IP access list 1",
                  "    20 permit 172.25.250.9 log",
                  "    10 permit 172.25.250.254 log"
              ]
          ]
      }
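As an added check that is not part of the course material: the script below parses the "sh access-list 1" output shown above and compares the permitted hosts with the group_vars values, stripping the prefix length the way the ipaddr('address') filter does, so that drift (a missing host, an extra "permit any" or a wildcard range) is reported no matter in which order IOS lists the entries. The sample data and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample data mirroring the exercise: the group variables and the
# "sh access-list 1" output returned by the ad hoc ios_command run.
GROUP_VARS = {
    "workstation_ipv4": "172.25.250.254/24",
    "tower_ipv4": "172.25.250.9/24",
}
SHOW_ACL_OUTPUT = (
    "Standard IP access list 1\n"
    "    20 permit 172.25.250.9 log\n"
    "    10 permit 172.25.250.254 log"
)

# One access control entry of a standard IOS ACL as printed by "show access-list".
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<src>\S+)"
    r"(?:\s+(?P<wildcard>\d+\.\d+\.\d+\.\d+))?(?P<log>\s+log)?\s*$"
)


def host_address(cidr: str) -> str:
    """Same result as the template's ipaddr('address') filter: drop the prefix length."""
    return str(ipaddress.ip_interface(cidr).ip)


def parse_standard_acl(show_output: str) -> list:
    """Return the ACEs of a standard ACL; the header and any other text are skipped."""
    entries = []
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append({"seq": int(m["seq"]), "action": m["action"], "src": m["src"],
                            "wildcard": m["wildcard"],  # None means a single host
                            "log": m["log"] is not None})
    return entries


def check_management_acl(group_vars: dict, show_output: str) -> dict:
    """Compare permitted sources on the device with the hosts declared in group_vars.

    Sequence numbers are ignored on purpose: IOS may print standard ACL entries in
    hash order, which is why 20 appears before 10 in the exercise output.
    """
    expected = {host_address(v) for v in group_vars.values()}
    permits = [e for e in parse_standard_acl(show_output) if e["action"] == "permit"]
    permitted_hosts = {e["src"] for e in permits if e["wildcard"] is None}
    unexpected = {e["src"] for e in permits} - expected   # "any", ranges, stray hosts
    missing = expected - permitted_hosts
    return {"ok": not missing and not unexpected, "missing": missing, "unexpected": unexpected}
```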

This concludes the guided exercise.

Revision: do457-2.5-4693601