While researching the ACL module of OnePK I found some interesting behaviors. I think this feature isn’t fully cooked, as it has some definite room for improvement. The ACL module (found in onep.policy) has no way to interact with the existing ACLs and ACEs on an IOS device. The ACLs seem to be intended for on-the-fly ACL configuration, but with a couple of caveats:
- Applying an ACL to an interface overwrites the existing ACL for that direction. Interfaces must play by the rule: ‘One ACL per direction’.
- Make sure to use OnepLifetime.ONEP_PERSISTENT to keep ACLs applied after the OneP session is disconnected.
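To make the two caveats concrete, here is a small constructed model of the behaviour they describe. It is added here and is not the onePK SDK's code; the class and function names (Interface, Session, safe_apply, the Lifetime enum standing in for OnepLifetime) are my own, and the model assumes that an overwritten ACL is not restored when the session that replaced it disconnects. It shows the overwrite happening silently through the raw apply, a pre-flight guard that refuses to clobber an existing ACL, and the inbound slot ending up empty after the session drops its ephemeral ACL.

```python
"""Constructed model of two OnePK ACL caveats (not the onep SDK):
one ACL per interface direction (applying overwrites silently) and
session-scoped lifetime (non-persistent ACLs vanish on disconnect)."""
from dataclasses import dataclass, field
from enum import Enum


class Lifetime(Enum):
    # Stand-ins for the OnepLifetime values; only ONEP_PERSISTENT is named on the page,
    # the ephemeral counterpart is assumed.
    PERSISTENT = "persistent"
    EPHEMERAL = "ephemeral"


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)   # e.g. "permit tcp any any eq 443"
    lifetime: Lifetime = Lifetime.EPHEMERAL


class AclOverwriteError(RuntimeError):
    """Raised by safe_apply when an ACL is already bound in that direction."""


class Interface:
    def __init__(self, name):
        self.name = name
        self.bound = {"in": None, "out": None}   # exactly one ACL slot per direction

    def raw_apply(self, acl, direction):
        """Mimics the SDK behaviour described above: the slot is simply replaced."""
        replaced = self.bound[direction]
        self.bound[direction] = acl
        return replaced


class Session:
    """Models a OneP session that owns the ephemeral ACLs it applied."""
    def __init__(self, device):
        self.device = device          # dict of interface name -> Interface
        self.owned = []
        self.connected = True

    def apply(self, intf_name, acl, direction):
        replaced = self.device[intf_name].raw_apply(acl, direction)
        if acl.lifetime is Lifetime.EPHEMERAL:
            self.owned.append((intf_name, direction, acl))
        return replaced

    def disconnect(self):
        # On teardown the device drops every non-persistent ACL this session applied.
        # Assumption of this model: whatever that ACL replaced is NOT put back.
        for intf_name, direction, acl in self.owned:
            intf = self.device[intf_name]
            if intf.bound[direction] is acl:
                intf.bound[direction] = None
        self.owned.clear()
        self.connected = False


def safe_apply(session, intf_name, acl, direction, replace=False):
    """Pre-flight check: refuse to clobber an existing ACL unless replace=True.
    Returns the name of the ACL that was replaced, or None."""
    current = session.device[intf_name].bound[direction]
    if current is not None and not replace:
        raise AclOverwriteError(
            f"{intf_name} {direction}: '{current.name}' already bound; pass replace=True")
    replaced = session.apply(intf_name, acl, direction)
    return replaced.name if replaced else None


def bound_acl_name(device, intf_name, direction):
    acl = device[intf_name].bound[direction]
    return acl.name if acl else None


def demo():
    """Walk through both caveats on a constructed interface; returns what was observed."""
    device = {"Gi0/1": Interface("Gi0/1")}
    prod = Acl("PROD-IN", ["permit tcp any any eq 443", "deny ip any any"], Lifetime.PERSISTENT)
    temp = Acl("BLOCK-SCANNER", ["deny ip host 203.0.113.9 any", "permit ip any any"])
    s = Session(device)
    results = {}
    s.apply("Gi0/1", prod, "in")                      # the long-lived production ACL
    try:
        safe_apply(s, "Gi0/1", temp, "in")            # guard: slot already taken
        results["guard_fired"] = False
    except AclOverwriteError:
        results["guard_fired"] = True
    results["replaced"] = safe_apply(s, "Gi0/1", temp, "in", replace=True)   # "PROD-IN"
    results["while_connected"] = bound_acl_name(device, "Gi0/1", "in")      # "BLOCK-SCANNER"
    s.disconnect()
    results["after_disconnect"] = bound_acl_name(device, "Gi0/1", "in")     # None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last observation is the one worth keeping in mind: an ephemeral ACL that replaced a persistent one leaves the interface with no inbound ACL at all once the session drops, so the guard (or an explicit ONEP_PERSISTENT lifetime) is what stops a temporary policy change from turning into an open interface.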
First I’ll cover ACL management with OneP, and then I’ll use the onep.vty module to show how to work around some of the shortcomings.