Mirroring Nexus ACLs In Notepad++

A few months ago I wrote an article that outlined a handy use case for Notepad++: using regular expressions to mirror Cisco ACLs. That article, Using Notepad++ to Mirror Cisco ACLs, is the starting point for this one, which extends the find string to the ACL format used on the Cisco Nexus.

Unlike IOS, NX-OS on the Nexus doesn't use wildcard masks in ACL entries. Instead it uses slash (prefix-length) notation, and in the Nexus example below the single hosts that IOS writes with the host keyword appear as /32 prefixes. For example:

IOS Format

ip access-list extended inbound
 permit icmp host 192.0.2.1 192.168.1.0 0.0.0.255
 permit udp host 192.0.2.2 host 192.168.1.244 eq www
 permit tcp 192.0.2.0 0.0.0.255 range www 100 any

Nexus Format

ip access-list inbound
 permit icmp 192.0.2.1/32 192.168.1.0/24 log
 permit udp 192.0.2.2/32 192.168.1.244/32 eq www
 permit tcp 192.0.2.0/24 range www 100 any

To match this new format, we only need an additional alternative for *.*.*.*/x (where * is 0-255 and x is 0-32). A short regex does it, with one caveat: \d{1,3} and \d{1,2} accept any one- to three-digit and one- to two-digit numbers rather than enforcing the 0-255 and 0-32 ranges. For configuration pulled from a device that is good enough, since the device has already validated the values.

\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}

After adding this alternative to both the source and destination fields, the final find string is as follows.

(permit|deny)(\s+[0-9a-zA-Z_-]+)(\s+any|\s+host\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}|\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\s+eq\s+[0-9a-zA-Z_-]+|\s+neq\s+[0-9a-zA-Z_-]+|\s+gt\s+[0-9a-zA-Z_-]+|\s+lt\s+[0-9a-zA-Z_-]+|\s+range\s+[0-9a-zA-Z_-]+\s+[0-9a-zA-Z_-]+)?(\s+any|\s+host\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2}|\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\s+eq\s+[0-9a-zA-Z_-]+|\s+neq\s+[0-9a-zA-Z_-]+|\s+gt\s+[0-9a-zA-Z_-]+|\s+lt\s+[0-9a-zA-Z_-]+|\s+range\s+[0-9a-zA-Z_-]+\s+[0-9a-zA-Z_-]+)?(.*)

The replace value remains the same: groups 1 and 2 (action and protocol) stay put, groups 5 and 6 (destination address and its port operator) move in front of groups 3 and 4 (source address and its port operator), and group 7 carries anything that followed the destination.

$1$2$5$6$3$4$7
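To see what the find/replace actually produces, here is the same seven-group pattern and the same $1$2$5$6$3$4$7 swap expressed in Python. This is an added example, not code from the original article; the sample ACL text is the article's own IOS and Nexus examples embedded as a constructed string, and the names ACE, mirror_ace and mirror_acl are my own. It runs the pattern over both formats in one pass, leaves the access-list header lines alone, and carries trailing keywords such as log through unchanged, exactly as Notepad++ does.

```python
import re

# Constructed sample input: the two ACLs from the article, IOS and Nexus form.
SAMPLE_ACL = """\
ip access-list extended inbound
 permit icmp host 192.0.2.1 192.168.1.0 0.0.0.255
 permit udp host 192.0.2.2 host 192.168.1.244 eq www
 permit tcp 192.0.2.0 0.0.0.255 range www 100 any
ip access-list inbound
 permit icmp 192.0.2.1/32 192.168.1.0/24 log
 permit udp 192.0.2.2/32 192.168.1.244/32 eq www
 permit tcp 192.0.2.0/24 range www 100 any"""

IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
NAME = r"[0-9a-zA-Z_-]+"          # protocol, or port name/number
# One address field in any form the article's find string accepts:
# any | host a.b.c.d | a.b.c.d/len (Nexus) | a.b.c.d w.x.y.z (IOS wildcard)
ADDR = rf"\s+any|\s+host\s+{IP}|\s+{IP}/\d{{1,2}}|\s{IP}\s{IP}"
# Optional port operator: eq/neq/gt/lt NAME, or range NAME NAME
PORT = rf"(?:\s+(?:eq|neq|gt|lt)\s+{NAME}|\s+range\s+{NAME}\s+{NAME})?"

# Same seven capture groups as the Notepad++ find string (hypothetical name ACE).
ACE = re.compile(
    rf"(permit|deny)"   # 1 action
    rf"(\s+{NAME})"     # 2 protocol
    rf"({ADDR})"        # 3 source address
    rf"({PORT})"        # 4 source port operator (may be empty)
    rf"({ADDR})"        # 5 destination address
    rf"({PORT})"        # 6 destination port operator (may be empty)
    rf"(.*)"            # 7 anything after the destination, e.g. 'log'
)


def mirror_ace(line):
    """Swap source and destination (each with its port operator) in one ACE.

    Equivalent to the Notepad++ replace string $1$2$5$6$3$4$7. Lines that
    are not ACEs (the 'ip access-list' header) are returned unchanged.
    """
    m = ACE.search(line)
    if not m:
        return line
    action, proto, src, sport, dst, dport, rest = m.groups()
    return line[:m.start()] + action + proto + dst + dport + src + sport + rest


def mirror_acl(text):
    """Apply mirror_ace to every line of an ACL, preserving order and indent."""
    return "\n".join(mirror_ace(line) for line in text.splitlines())


if __name__ == "__main__":
    print(mirror_acl(SAMPLE_ACL))
```

Running it prints the mirrored ACLs; because the swap is symmetric, applying mirror_acl twice gives back the original text, which is a cheap sanity check for the pattern on your own ACLs.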

I know that is a terse example, but it lets the prior method work with both IOS and Nexus ACL formats. Two things to check before trusting the result: Search Mode in the Notepad++ Replace dialog must be set to Regular expression, and anything captured after the destination (such as the log keyword above) is carried over unchanged, so the mirrored entries still deserve a read-through for keywords that only make sense in the original direction. For more detail on how to use this, see Using Notepad++ to Mirror Cisco ACLs.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.