Generate an ACL from an allow-list
Hand-maintained firewall ACLs drift from the intended policy and accumulate errors. Render an extended ACL from a list of allowed services, so the policy is data and the device config is generated from it.
Scenario
The edge router's ACL is a long hand-maintained list that drifts from the intended policy. Make the policy data: a list of allowed service ports, rendered into an extended ACL by a template.
Your job
In template.j2, generate the router config so the ACL WEB_ACL:
- for each rule in rules, permits tcp to the server on that port
- denies everything else (deny ip any any at the end)
Use a {% for ... %} loop over rules. Don't hardcode the permits.
Variables (what the template is rendered with)
name: WEB_ACL, server: 10.0.2.10, rules: ports 80 and 443
What "done" looks like
The rendered ACL permits TCP 80 and 443 to the server and denies anything else (e.g. TCP 22).
Teaches: policy as data. Generating device config from an allow-list keeps the intent in one readable place and the device config consistent.
What gets checked
Your solution is verified against each of these:
- The ACL is generated from a template, not hardcoded
- Every listed service port is permitted to the server
- A port not in the list is denied
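As an added worked example (not the exercise's own template or grader), here is one way template.j2 could look, rendered with Jinja2 from the variables above, plus a small first-match ACL evaluator that applies the three checks listed. The template body, the `any` source address, and the function names are my assumptions.

```python
import re
from jinja2 import Environment

# Assumed contents of template.j2 (the exercise page does not print it).
# Source is 'any': the exercise only fixes the destination server and port.
TEMPLATE_J2 = """\
ip access-list extended {{ name }}
{% for port in rules %}
 permit tcp any host {{ server }} eq {{ port }}
{% endfor %}
 deny ip any any
"""

# Variables exactly as the exercise lists them.
VARS = {"name": "WEB_ACL", "server": "10.0.2.10", "rules": [80, 443]}

# One access-control entry in the shape this template emits (no wildcards, no ranges).
ACE = re.compile(r"^\s*(permit|deny)\s+(\w+)\s+(any|host \S+)\s+(any|host \S+)(?:\s+eq\s+(\d+))?\s*$")

def render_acl(template_src=TEMPLATE_J2, variables=VARS):
    """Render the ACL; trim_blocks/lstrip_blocks stop the loop tags leaving blank lines."""
    env = Environment(trim_blocks=True, lstrip_blocks=True, autoescape=False)
    return env.from_string(template_src).render(**variables)

def evaluate(rendered, proto, dst_ip, dport):
    """First-match evaluation for a packet to dst_ip:dport; unmatched traffic hits the implicit deny."""
    for line in rendered.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # 'ip access-list extended ...' header or blank line
        action, ace_proto, _src, dst, port = m.groups()
        if ace_proto not in ("ip", proto):
            continue
        if dst not in ("any", f"host {dst_ip}"):
            continue
        if port is not None and int(port) != dport:
            continue
        return action
    return "deny"

def grade(template_src=TEMPLATE_J2, variables=VARS, probe_port=22):
    """The three checks the exercise lists; probe_port is the 'port not in the list' case."""
    acl = render_acl(template_src, variables)
    server, ports = variables["server"], variables["rules"]
    return {
        "generated_from_loop": re.search(r"\{%-?\s*for\b", template_src) is not None,
        "listed_ports_permitted": all(evaluate(acl, "tcp", server, p) == "permit" for p in ports),
        "other_port_denied": evaluate(acl, "tcp", server, probe_port) == "deny",
    }
```

A template with the permits typed out by hand fails the first check, and if it forgets a port it also fails the second, which is exactly the drift the exercise is about.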
Solve it in your browser
No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.
Prefer your own lab?
- Build the fix locally. New to the tooling? See setting up your lab.
- Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
- Submit the repo link. We review it by hand, confirm it works, and issue your proof page.