
Dynamic ACL spamhaus.org

mixafighter
Level 1

I have a task: use spamhaus.org and TCL to update an access-list. How can I use Tcl to add an entry to an access-list from a text file? I thought of adding the file to an array, but this principle requires the "read" function, which unfortunately IOS doesn't have. I need full automation from the script: editing a text file into the access-list syntax and adding the entries to the access-list. Sorry if this topic was raised before; I didn't find it.
P.S. I'm talking about a blacklist "drop.txt", where the entry form differs from the access-list syntax.

Accepted Solution

ngkin2010
Level 7

Hi,

I am not so sure what you mean about the "read" function not being supported. I used it in the script below, but I didn't try it on an IOS device.

Could you try this:

$ cat update_acl.tcl
# read the whole blacklist file and split it into lines
set fd [open "nvram:/drop.txt" r]
set entries [read $fd]
close $fd
set entry [split $entries "\n"]

set cmd "ip access-list extended blacklist"
foreach line $entry {
    # skip empty lines; every other line is pushed into the ACL as-is
    if {[string length $line] > 0} {
        set ace "deny ip host $line any log"
        ios_config $cmd $ace
    }
}
# re-add the final permit so it stays at the bottom of the list
ios_config $cmd "no permit ip any any"
ios_config $cmd "permit ip any any"
ios_config "write memory"
$ cat drop.txt
8.8.8.8
8.8.4.4
1.1.1.1

Upload it to your device:

IOU3#copy http://192.168.137.1:8080/update_acl.tcl nvram:/update_acl.tcl
Destination filename [update_acl.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing http://192.168.137.1:8080/update_acl.tcl...
Loading http://192.168.137.1:8080/update_acl.tcl
412 bytes copied in 0.030 secs (13733 bytes/sec)

Execute it:

IOU3#tclsh nvram:/update_acl.tcl
IOU3#
*May 17 16:17:46.371: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
IOU3#

Verify it:

IOU3#show access-list
Extended IP access list blacklist
    20 deny ip host 8.8.8.8 any log
    40 deny ip host 8.8.4.4 any log
    50 deny ip host 1.1.1.1 any log
    60 permit ip any any


** WARNING: This automation is vulnerable to command injection; you must refine the code to resolve the vulnerability. **
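The warning above and the original question (the DROP list's entry form is not ACL syntax) point at the same fix: validate every line before it is handed to ios_config, and convert the prefix into an address/wildcard pair. The script below is an added example for this thread, not ngkin2010's script and not Cisco code. It assumes the usual Spamhaus DROP layout of "prefix/length ; SBL-reference" with ";" starting comments, and it keeps the file path nvram:/drop.txt and the ACL name "blacklist" from the answer above as placeholders. Lines that are not a dotted-quad prefix are discarded rather than configured, which is what closes the injection path.

```tcl
# Added example (not the thread's own script): strict parsing of Spamhaus
# DROP-style lines into ACEs. Only syntactically valid IPv4 prefixes reach
# ios_config; everything else is dropped. Written for the older Tcl found
# in IOS tclsh (no "eq", no 32-bit shifts, no {*}).

set octetRe {(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])}
set prefixRe "^$octetRe\\.$octetRe\\.$octetRe\\.$octetRe/([0-9]|[12][0-9]|3[0-2])\$"

# Convert a prefix length (0-32) to a Cisco wildcard mask, one octet at a
# time, so no shift wider than 8 bits is needed.
proc prefixToWildcard {len} {
    set octets {}
    for {set i 0} {$i < 4} {incr i} {
        set netbits [expr {$len - 8 * $i}]
        if {$netbits < 0} { set netbits 0 }
        if {$netbits > 8} { set netbits 8 }
        lappend octets [expr {255 >> $netbits}]
    }
    return [join $octets "."]
}

# Return the ACE for one DROP line, or "" for blank lines, comment lines
# and anything that fails validation (the check that blocks injection).
proc lineToAce {line} {
    global prefixRe
    # keep only the text before ";" (drops the SBL reference and comments)
    set net [string trim [lindex [split $line ";"] 0]]
    if {[string length $net] == 0} { return "" }
    if {![regexp $prefixRe $net -> a b c d len]} { return "" }
    if {$len == 32} {
        return "deny ip host $a.$b.$c.$d any log"
    }
    return "deny ip $a.$b.$c.$d [prefixToWildcard $len] any log"
}

# Turn the whole file contents into a list of ACEs; invalid lines skipped.
proc acesFromText {text} {
    set aces {}
    foreach line [split $text "\n"] {
        set ace [lineToAce $line]
        if {[string length $ace] > 0} { lappend aces $ace }
    }
    return $aces
}

# Push the ACEs into the running config. Only callable under IOS tclsh,
# where ios_config exists; the final permit is re-added last so it stays
# at the bottom of the list.
proc applyBlacklist {aclName aces} {
    set cmd "ip access-list extended $aclName"
    foreach ace $aces { ios_config $cmd $ace }
    ios_config $cmd "no permit ip any any"
    ios_config $cmd "permit ip any any"
}

# Constructed sample in DROP format (CRLF line endings on purpose), with
# one line that must be rejected because it is not a prefix.
set sample "; Spamhaus DROP List (constructed sample)\r
1.2.3.0/24 ; SBL1234\r
203.0.113.7/32 ; SBL5678\r
10.0.0.0/8 ; SBL9\r
not-an-address ; junk that must be skipped\r
"

# Off-box check: prints three ACEs, the junk line produces nothing.
foreach ace [acesFromText $sample] { puts $ace }

# On the router the real file is used instead of the sample.
if {[llength [info commands ios_config]] > 0} {
    set fd [open "nvram:/drop.txt" r]
    set text [read $fd]
    close $fd
    applyBlacklist "blacklist" [acesFromText $text]
    ios_config "write memory"
}
```

Run it in any tclsh first: the sample should yield "deny ip 1.2.3.0 0.0.0.255 any log", "deny ip host 203.0.113.7 any log" and "deny ip 10.0.0.0 0.255.255.255 any log", and nothing for the junk line. Because the regular expression anchors both ends and only admits digits, dots and a slash, a line carrying extra words or CLI keywords can never be passed to ios_config as part of an ACE; the wildcard is computed from the validated length rather than copied from the file.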


2 Replies


marce1000
VIP

- If you are looking for those kinds of solutions, then you'd better look into firewall application appliances, which can offer such solutions in a much more automated and flexible manner.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !