Using Python Data Frames to Control Access List Configurations in a Network

Simple but powerful example

Introduction

Access Lists (ACLs) are an essential part of network security, controlling inbound and outbound traffic. As networks today become more and more granular, nearly reaching the user level (where traffic flows are defined per endpoint), the number of ACLs that a given router must hold grows steadily, and with it the task of managing such configuration becomes herculean.

Using data frames, traffic flows can be configured as a matrix of communication between endpoints, and pandas can be used to process this matrix and produce the resulting ACL configurations for each router.

Sample Network

Let's consider the topology diagram shown below, where several endpoints are distributed across different sites and connected to each other via a site edge router and a wide area network (WAN).

On the left-hand side there are sites where users connect, and on the right-hand side there are data centers that host the applications users connect to. This is a typical enterprise setup, where the user sites are offices and the data centers hold the servers hosting the applications and data. Connectivity between offices and data centers occurs across the WAN, but ACLs are applied at the edge routers of each site to control traffic flow. The allowed traffic will be defined in a matrix containing entries like this:

(A:B)

This means that endpoint A is allowed to communicate with endpoint B.

The idea is then to group the flows in the matrix by source site and destination site, so that the ACLs to be configured on each edge router are derived from a single central source of information.

ACL Configuration

ACLs have to be configured on the edge routers in both directions, to allow traffic from source to destination and vice versa. The reason for this is that any traffic flow not present in the data frame matrix will be denied.

User site edge router configuration example

Data center edge router configuration example

Data Set Overview

Enrich dfFlows with the site data for each endpoint, so that the flows can then be grouped by site.

Configuration Templates Using Jinja

Use Data Frame and Jinja Template to Produce Configurations for All Routers in All Sites

  • User Sites Router Configurations
  • Applications Data Center Router Configurations

Final Results

Configurations like the ones below would be produced depending on the combinations defined in the connectivity matrix in data frame dfFlows. Automating the configuration of ACLs in this way can be particularly beneficial in minimizing the operational work of managing such configurations directly on a router. With this approach the process is fairly straightforward, and the focus can instead be on getting updated information into the respective data frames, so that the ACLs represent the user and application intent in the network.
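The whole pipeline described above (a flow matrix, enrichment with site data, grouping by site, and a Jinja template that emits a permit for each direction of a flow followed by a final deny) as one runnable example. This is added here and is not the article's own code; the endpoint addresses, site names, the column names `src`, `dst`, `endpoint` and `site`, the Cisco-style ACL syntax and the template text are all my assumptions. It also adds one check the article does not show: an endpoint that has no site mapping raises an error instead of silently dropping out of every ACL.

```python
"""Added example (not the article's own code): turn a flow matrix into per-site ACLs.

Assumptions (mine, not from the article): endpoint/site names, the column names
'src', 'dst', 'endpoint', 'site', the Cisco-style ACL syntax and the template text.
"""
import pandas as pd
from jinja2 import Template

# Constructed sample data: endpoints and the site each one lives in.
dfSites = pd.DataFrame({
    "endpoint": ["10.1.0.10", "10.1.0.11", "10.2.0.10", "10.100.0.5", "10.200.0.7"],
    "site":     ["office-a",  "office-a",  "office-b",  "dc-1",       "dc-2"],
})

# Constructed connectivity matrix: each row is one allowed flow (A:B).
dfFlows = pd.DataFrame({
    "src": ["10.1.0.10",  "10.1.0.11",  "10.2.0.10",  "10.1.0.10"],
    "dst": ["10.100.0.5", "10.100.0.5", "10.200.0.7", "10.200.0.7"],
})

# Assumed template: one permit per flow for this router, then an explicit deny.
ACL_TEMPLATE = Template("""\
! {{ router }} -- generated from dfFlows, do not edit by hand
ip access-list extended {{ name }}
{%- for f in flows %}
 permit ip host {{ f.src }} host {{ f.dst }}
{%- endfor %}
 deny ip any any
""")


def enrich_flows(flows: pd.DataFrame, sites: pd.DataFrame) -> pd.DataFrame:
    """Attach src_site and dst_site to every flow by joining on the endpoint column."""
    src = sites.rename(columns={"endpoint": "src", "site": "src_site"})
    dst = sites.rename(columns={"endpoint": "dst", "site": "dst_site"})
    out = flows.merge(src, on="src", how="left").merge(dst, on="dst", how="left")
    # An endpoint with no site mapping would silently produce no ACL entry; fail loudly instead.
    missing = out[out["src_site"].isna() | out["dst_site"].isna()]
    if not missing.empty:
        raise ValueError(f"endpoints without a site: {missing[['src', 'dst']].values.tolist()}")
    return out


def acl_entries_per_site(enriched: pd.DataFrame) -> dict[str, list[dict]]:
    """Return, for each site, the entries its edge router must permit.

    Every flow (A:B) yields a permit on A's site router (A -> B) and a permit on B's
    site router (B -> A), so the return path is allowed as well; everything else
    falls through to the final deny.
    """
    forward = enriched[["src_site", "src", "dst"]].rename(columns={"src_site": "site"})
    # Swap src/dst for the reverse direction; pandas applies the mapping simultaneously.
    reverse = enriched[["dst_site", "dst", "src"]].rename(
        columns={"dst_site": "site", "dst": "src", "src": "dst"})
    both = pd.concat([forward, reverse], ignore_index=True).drop_duplicates()
    return {site: grp[["src", "dst"]].to_dict("records")
            for site, grp in both.groupby("site", sort=True)}


def render_configs(flows: pd.DataFrame, sites: pd.DataFrame) -> dict[str, str]:
    """Produce one ACL configuration string per site edge router."""
    per_site = acl_entries_per_site(enrich_flows(flows, sites))
    return {site: ACL_TEMPLATE.render(router=f"{site}-edge", name="FLOWS_OUT", flows=entries)
            for site, entries in per_site.items()}


if __name__ == "__main__":
    for site, cfg in render_configs(dfFlows, dfSites).items():
        print(cfg)
```

Running the block prints one ACL per site; the data-center routers only ever see the reversed entries (server to client), which is exactly the second half of the "both directions" requirement. Because the grouping key is the site of each endpoint rather than the endpoint itself, adding a new flow to `dfFlows` is the only change needed to update both routers involved.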

Software Engineer. Passionate about networks and distributed systems.
