Making networks more secure!


Automated ACL Management

August 22, 2022 - Alex Roland

ACLs, or Access Control Lists, are an important part of any network that consists of more than one LAN. When you only have a couple of routers and/or networks, managing the ACLs might not be much of a challenge. Of course, that depends entirely on the ACLs and the environment, which is why I think it is important to automate ACL management no matter the size of the environment. That way you set yourself up to handle an expanding network.

You might be wondering why automating ACL management matters. To start, it makes life a lot easier when searching through your ACLs. Say you get a ticket from a sysadmin who just spun up a new server and wants the access of another server duplicated; this is a common request when, for example, the DBAs add another server to handle a large database project. Instead of manually working out what access the existing server has, you can hand its IP address to the ACL script and have it report that server's current network access.

Another reason to automate this process is the opposite case: a server is being decommissioned and you want to clean up the access that server had. This matters for your security posture, because it closes off unnecessary access that would otherwise be inherited by a new server that ends up taking the old server's IP address.

Jumping right into it, we will create the basic structure of the script to handle the network connections. One of our goals is to crawl the network and take a live snapshot of the ACLs on it. This can be done with Netmiko: establish a connection to each router, send the command that lists the ACLs, and search the output.

from netmiko import ConnectHandler
from getpass import getpass

device = {
    'device_type': 'cisco_ios',
    'ip': '',                 # management IP of the router to crawl
    'username': 'admin',
    'password': getpass(),    # prompt for the password instead of hard-coding it
}

# Open the SSH session, pull the ACLs from the router and close the session
with ConnectHandler(**device) as conn:
    acl_output = conn.send_command('show access-lists')
print(acl_output)
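As an added example (not code from the original post), here is the search half of the crawl: a parser for the text that 'show access-lists' returns on Cisco IOS that expands host, any and address/wildcard pairs in each entry and reports every entry covering a given IP address. The sample output, the function names and the include_any option are my own constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of Cisco IOS 'show access-lists' output (not from a real router)
SAMPLE_OUTPUT = """\
Extended IP access list DB-ACCESS
    10 permit tcp host 10.1.1.20 host 10.2.2.5 eq 1433
    20 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.6 eq 3306
    30 deny ip any any log
Standard IP access list 10
    10 permit 192.168.5.0, wildcard bits 0.0.0.255
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# One address reference: host X | any | address wildcard (standard lists print "X, wildcard bits W")
TARGET = re.compile(
    r"host (\S+)|\b(any)\b|(\d+\.\d+\.\d+\.\d+),? (?:wildcard bits )?(\d+\.\d+\.\d+\.\d+)"
)
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(ip, addr, wildcard):
    """Cisco wildcard semantics: mask bits set to 1 are 'don't care' bits."""
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    care = ~w & 0xFFFFFFFF
    return (i & care) == (a & care)

def ace_targets(line):
    # Each regex match is exactly one of: host X / any / address wildcard
    return [(h, "0.0.0.0") if h else ANY if a else (addr, wc)
            for h, a, addr, wc in TARGET.findall(line)]

def find_acl_entries(output, ip, include_any=False):
    """List (acl_name, entry) for every entry whose source or destination covers ip."""
    hits, acl = [], None
    for line in (raw.strip() for raw in output.splitlines()):
        header = ACL_HEADER.match(line)
        if header:
            acl = header.group(1)
            continue
        for addr, wc in ace_targets(line) if acl else []:
            if (addr, wc) == ANY and not include_any:
                continue  # 'any' covers every host; only report it when asked
            if wildcard_match(ip, addr, wc):
                hits.append((acl, line))
                break
    return hits
```

In the real crawl the text passed to find_acl_entries is the string returned by conn.send_command('show access-lists') for each router; the 'any' entries are hidden by default so that a catch-all deny does not drown out the specific entries you are auditing.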

This post is a work in progress; I will resume writing it shortly...