Channel: THWACK: Message List

Re: Changing ACLs and creating VPN configuration


No problem, sorry for the delay; oddly enough things have been a bit hectic since the evaluation was successful. Thanks to SolarWinds Support for the help with this.

 

One gotcha is that, for some reason, the NCM scheduled tasks had not run, so the inventory task against the node had not pulled back the details about the interfaces on the node, and the script was failing as NCM had no record of the VLAN1 interface. The solution was to run an inventory manually and ensure the scheduled task set up to run overnight was enabled.

 

To run an inventory manually, log on to the NCM web portal, go to 'Configs - Inventory', under inventory reports select "interfaces", and then click 'Update Inventory'.

 

The following script requests an IP address from the user, then uses that to build a route statement to the script;

 

    script BaseChangeTemplate(NCM.Nodes @ContextNode, string @ADSL_Router)
    {
        string @newVlanIP = '' //changed
        foreach (@interfaceItem in @ContextNode.Interfaces)
        {
            if (@interfaceItem.InterfaceDescription contains 'VLAN1')
            {
                foreach(@ip in @interfaceItem.IpAddresses)
                {
                    @newVlanIP = setoctet(@ip.IPAddress,4,0)
                }
            }
        }
        if(@newVlanIP != '') // added it
        {
            CLI
            {
                conf t
                no access-list 100
                access-list 100 deny   ip @newVlanIP 0.0.0.255 192.168.1.0 0.0.0.255
                access-list 100 permit ip @newVlanIP 0.0.0.255 any
                !
                no access-list 105
                access-list 105 permit ip @newVlanIP 0.0.0.255 192.168.1.0 0.0.0.255
                !
                no access-list 104
                access-list 104 permit ip @newVlanIP 0.0.0.255 host 8.8.8.8
                access-list 104 deny ip any any
                !
                ip route 9.9.9.9 255.255.255.255 @ADSL_Router
                !
                snmp-server  contact V0.6
                exit
            }
        }
    }

 

If VLAN 1 IP address is 192.168.1.18 and the user inputted 82.82.82.82 as the router address the above script would generate;

 

    conf t
    no access-list 100
    access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    !
    no access-list 105
    access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    no access-list 104
    access-list 104 permit ip 192.168.1.0 0.0.0.255 host 8.8.8.8
    access-list 104 deny ip any any
    !
    ip route 9.9.9.9 255.255.255.255 82.82.82.82
    !
    snmp-server  contact V0.6
    exit

 

I suspect the script would fail if an interface had more than one IP address; however, for the devices this script is used against this is not an issue, as that interface has no secondary IP addresses.
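
An offline pre-flight check for the template above, as an added example that is not part of the original post and is not SolarWinds code: it reproduces the generated commands in Python, strictly parses the router address before it is placed in the `ip route` line, and stops when VLAN1 does not have exactly one address instead of guessing. The function names and the `(description, [ip, ...])` inventory shape are assumptions made for the example.

```python
import ipaddress

# Same ACL/route lines as the template's CLI block, with {net} and {router} filled in.
TEMPLATE = """\
conf t
no access-list 100
access-list 100 deny   ip {net} 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip {net} 0.0.0.255 any
!
no access-list 105
access-list 105 permit ip {net} 0.0.0.255 192.168.1.0 0.0.0.255
!
no access-list 104
access-list 104 permit ip {net} 0.0.0.255 host 8.8.8.8
access-list 104 deny ip any any
!
ip route 9.9.9.9 255.255.255.255 {router}
!
snmp-server  contact V0.6
exit"""


def set_last_octet_zero(ip):
    """Python stand-in for setoctet(ip, 4, 0) on a validated IPv4 address."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but a dotted quad
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFF00))


def render(interfaces, adsl_router):
    """interfaces: list of (description, [ip, ...]) pairs (assumed inventory shape)."""
    # Strict parse: rejects spaces, newlines or extra CLI text in the operator-supplied value.
    router = str(ipaddress.IPv4Address(adsl_router))
    vlan1 = [ips for desc, ips in interfaces if "VLAN1" in desc]
    if not vlan1:
        raise LookupError("no VLAN1 interface in inventory; update the inventory first")
    ips = [ip for group in vlan1 for ip in group]
    if len(ips) != 1:
        raise ValueError(f"expected exactly one VLAN1 address, found {len(ips)}")
    return TEMPLATE.format(net=set_last_octet_zero(ips[0]), router=router)


# Constructed sample inventory matching the post's worked case.
SAMPLE = [("FastEthernet0", []), ("VLAN1", ["192.168.1.18"])]

if __name__ == "__main__":
    print(render(SAMPLE, "82.82.82.82"))
```

Running the file prints the same command list as the post's worked case for 192.168.1.18 and 82.82.82.82.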

