Adding a dynamic ACE to an extended ACL

FaisalAlBandar (Beginner)

(Please note that all I.P addresses, hostnames, FQDN, etc. mentioned in this post are imaginary)

 

Hello,

 

I wanted to block the domain www.bad-website.com from my network, so I created an ACL like so:

 

myRouter(config)#ip access-list extended NO-BAD

myRouter(config-ext-nacl)#10 deny ip any host www.bad-website.com

myRouter(config-ext-nacl)#20 permit ip any any

myRouter(config-ext-nacl)#end

 

The result is this:

 

myRouter#sh ip access-lists NO-BAD

Extended IP access list NO-BAD

10 deny ip any host 1.2.3.4

20 permit ip any any

 

Where 1.2.3.4 is the DNS query result for www.bad-website.com. The problem is, the owner of this website has a lot of IP addresses at his disposal, and the DNS query returns a different IP every time. I want to block all those IP's, and not just 1.2.3.4. Is it possible to add a dynamic entry to an ACL that will automatically filter all addresses associated with a certain FQDN?

 

Thanks.

1 ACCEPTED SOLUTION: the reply from luis_cordova (VIP Advisor)

2 REPLIES

luis_cordova (VIP Advisor)

Hi @FaisalAlBandar,

 

Check this discussion of the community:

https://community.cisco.com/t5/switching/block-certain-websites-from-the-router/td-p/1756333

 

I hope it can help you.

 

Regards
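The output in the original post already shows why the ACL cannot follow the name: IOS resolves a hostname once, when the line is entered, and stores the resulting address (`10 deny ip any host 1.2.3.4`); it never re-queries DNS. An IOS "dynamic" ACL is the lock-and-key feature, which admits users after authentication and has nothing to do with FQDNs. The workaround is to resolve the name outside the router, collect every address it returns, and regenerate the deny entries. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses `show ip access-lists` output in the format shown above, compares the `deny ip any host` entries with a set of resolved addresses (the sample addresses and the `NO-BAD` output are constructed from the thread), and emits the IOS configuration lines needed to add missing hosts and remove stale ones, keeping every deny entry sequenced before the final permit. The `resolve_all` helper is an assumption about how a real run would gather addresses and is not exercised offline.

```python
"""Keep a Cisco IOS extended ACL's 'deny ip any host X' entries in step with DNS."""
import ipaddress
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample: output of `show ip access-lists NO-BAD` as shown in the thread.
SAMPLE_SHOW_OUTPUT = """\
Extended IP access list NO-BAD
    10 deny ip any host 1.2.3.4
    20 permit ip any any
"""

# Constructed sample: A records collected for the FQDN over several queries
# (assumed values; a real run would fill this from resolve_all()).
RESOLVED = ["1.2.3.4", "1.2.3.5", "5.6.7.8"]

# "<seq> <permit|deny> <rest>" with an optional trailing "(N matches)" counter.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\(\d+ matches\))?\s*$")
HOST_RE = re.compile(r"^deny ip any host (\S+)$")


def resolve_all(fqdn: str, queries: int = 5) -> List[str]:
    """Assumed helper: query the local resolver repeatedly and union the A records.

    Round-robin DNS hands out a different subset per query, so one lookup is
    not enough. Requires network access; not used by the offline test.
    """
    seen = set()
    for _ in range(queries):
        for info in socket.getaddrinfo(fqdn, None, socket.AF_INET):
            seen.add(info[4][0])
    return sorted(seen, key=ipaddress.ip_address)


def parse_acl(show_output: str) -> Tuple[str, Dict[int, str]]:
    """Parse `show ip access-lists NAME` into (name, {seq: 'action rest'})."""
    lines = show_output.splitlines()
    m = re.match(r"^Extended IP access list (\S+)", lines[0])
    if not m:
        raise ValueError("not an extended IP access list")
    entries: Dict[int, str] = {}
    for line in lines[1:]:
        em = ENTRY_RE.match(line)
        if em:
            entries[int(em.group(1))] = f"{em.group(2)} {em.group(3)}"
    return m.group(1), entries


def blocked_hosts(entries: Dict[int, str]) -> Dict[str, int]:
    """Return {ip: seq} for every 'deny ip any host X' entry in the ACL."""
    out: Dict[str, int] = {}
    for seq, body in entries.items():
        hm = HOST_RE.match(body)
        if hm:
            out[hm.group(1)] = seq
    return out


def plan_changes(show_output: str, resolved: List[str],
                 start_seq: int = 10, step: int = 1) -> Tuple[List[str], List[str], List[str]]:
    """Return (config lines, hosts added, hosts removed) to make the ACL match `resolved`."""
    name, entries = parse_acl(show_output)
    current = blocked_hosts(entries)
    # ip_address() validates each entry; a bare hostname raises ValueError,
    # which is exactly the thing the router would silently resolve once.
    wanted = {str(ipaddress.ip_address(a)) for a in resolved}
    to_remove = sorted(current.keys() - wanted)
    to_add = sorted(wanted - current.keys(), key=ipaddress.ip_address)

    # Deny entries must come before the first permit, or they never match.
    permit_seqs = [s for s, b in entries.items() if b.startswith("permit")]
    ceiling = min(permit_seqs) if permit_seqs else None
    used = set(entries) - {current[ip] for ip in to_remove}

    cmds = [f"ip access-list extended {name}"]
    for ip in to_remove:
        cmds.append(f" no {current[ip]}")           # 'no <seq>' deletes one entry
    seq = start_seq
    for ip in to_add:
        while seq in used:
            seq += step
        if ceiling is not None and seq >= ceiling:
            raise RuntimeError("no free sequence number before the permit entry")
        cmds.append(f" {seq} deny ip any host {ip}")
        used.add(seq)
        seq += step
    cmds.append("exit")
    return cmds, to_add, to_remove


if __name__ == "__main__":
    for line in plan_changes(SAMPLE_SHOW_OUTPUT, RESOLVED)[0]:
        print(line)
```

Run it on a schedule shorter than the record's TTL and push the emitted lines over SSH or via your configuration tool. Two caveats apply to any IP-based block of a name: the addresses your resolver sees are not necessarily the ones your clients see, and a site behind a CDN shares its addresses with unrelated sites, so each deny entry may also block those. Blocking by domain is better done where the name is still visible, at the DNS resolver or on a proxy or firewall that supports FQDN objects.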

Thanks a lot. I expected that I would need a different kind of solution to achieve this result. Your reply is much appreciated.