Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1446
Views
0
Helpful
7
Replies

How to dynamically add IPs of an FQDN to an ACL of a CISCO RTR (6300)

Go to solution
Grandpoobah
Level 1
Level 1

‎01-04-2022 07:36 AM

Hi all, 

 

 Is there a way to dynamically add IPs derived from an FQDN to an ACL of a CISCO 6300 RTR (updating it with new IPs while retaining any old / pre-existing IPs)?   Unfortunately, I'm  unable to obtain an exhaustive list of IPs for this FQDN, which are periodically changed and then blocked by my  ACL, thus my dilemma.  

 

Thanks

    

GPBH

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Georg Pauwen
VIP
VIP
In response to Grandpoobah

‎01-04-2022 01:16 PM

Hello,

 

on which device is the FQDN query executed ?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-04-2022 08:21 AM

Not sure i have understand the question correctly, you looking the limitation or changing from old IP to new IP ?

 

check below may help you :

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Grandpoobah
Level 1
Level 1
In response to balaji.bandi

‎01-04-2022 08:54 AM

Thank you very much balaji, 

 

I managed to google this a couple of weeks ago, but noticed the post was in reference to an ASA, which my 6300 is not configured as.   Since my 6300 is running IOS XE firmware 17.X , I was told a portion of the CLI syntax referenced would be incompatible.     

 

I'm a novice, so any additional input / direction / suggestions would be greatly appreciated.

 

Thanks

GPBH

0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎01-04-2022 09:02 AM

Hello,

 

I guess a simple EEM script that periodically pings the FQDN, and then parses the output to a new entry in the access list should work.

 

How often does the IP address change ?

 

I'll test the script and get back with you...

0 Helpful

Go to solution
Grandpoobah
Level 1
Level 1
In response to Georg Pauwen

‎01-04-2022 09:40 AM

Thank you very much for your time and assistance! I've never heard of an
EEM scThey appear to change on a weekly/bi-weekly basis. A DNS query is
performed on the FQDN and it generally forwards 3 or 4 different IPs in the
DNS response /answer which need to be used.

So I'm not sure if pinging the FQDN will suffice.

Thanks again for taking the time to help me out.

GPBH


0 Helpful

Go to solution
Grandpoobah
Level 1
Level 1
In response to Grandpoobah

‎01-04-2022 10:00 AM - edited ‎01-04-2022 12:25 PM

I believe I have a linux command that should be able to obtain IPs dervied from the FQDN ->  dig some.FQDN.com | egrep ^sip | awk '{ print $5 }' | xargs -n1 -I{} iptables -A INPUT -s {} -j ACCEPT     but adding the new IPs to the current ACL without purging the old/pre-existing IPs is a different story and what I need to figure out.   

 
If someone can help me solve that issue, or has an alternate method of dynamically updating an ACL with the IPs retrieved in a DNS response/answer, I'd greatly appreciate it. 
 
thanks
 
GPBH
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to Grandpoobah

‎01-04-2022 01:16 PM

Hello,

 

on which device is the FQDN query executed ?

0 Helpful

Go to solution
Grandpoobah
Level 1
Level 1
In response to Georg Pauwen

‎01-05-2022 06:05 AM - edited ‎01-05-2022 07:11 AM

Thanks Georg - The device performing the DNS query is a managed linux server, but if it's a task that can be assumed by the 6300 RTR via TCL + EEM, that would be the preferred method.    Unfortunately, I've never created / touched either (TCL/EEM), so any assistance with this would be greatly appreciated  

 

GPBH

0 Helpful
Customers Also Viewed These Support Documents