01-27-2009 07:24 AM - edited 03-04-2019 12:59 AM
Hello,
We are looking for a way to automate ACL changes for incoming IPs. We are currently allowing certain IPs at the application layer, but would like to move this to the router. We would like it to be automatic every night when we update our database with allowed IPs.
I have found no way to do this.
Any help would be appreciated.
01-27-2009 08:18 AM
Hello Tahir,
You could try to implement a TCL/TK script using the Expect library.
For more safety you should use two ACLs:
Day N: you are using ACL A, you modify ACL B and then you apply ACL B to the router interface.
Day N+1: you are using ACL B, you modify ACL A and then you apply ACL A to the router interface.
see
http://www.activestate.com/activetcl/
and
There are whole books about using Expect with TCL/TK.
ActiveState should have a port of the Expect library since TCL 8.4.x (current 8.5).
The script can run on a Windows PC, Linux or another Unix OS at scheduled times, access the router, implement the ACLs, apply them to the router interface and then exit.
The language can access files on the local HD or via the network to load the new whitelist.
Hope to help
Giuseppe
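As an added example (not code from this thread or from any poster), the two-ACL rotation Giuseppe describes can be prepared in Python: parse the nightly whitelist export, rebuild the standby ACL and emit the IOS commands that swap it onto the interface; pushing those lines to the router over Expect or SSH is left to that tool. The ACL names, interface and port are assumptions, and the whitelist is constructed sample data.

```python
import ipaddress
from datetime import date

# Constructed sample whitelist, standing in for the nightly DB/CSV export.
WHITELIST = """# one host or CIDR per line
203.0.113.10
198.51.100.0/24  # partner network
"""

def load_whitelist(text):
    """Parse the export; reject anything that is not a valid IPv4 host or prefix."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad whitelist entry {entry!r}") from exc
    return nets

def standby_acl(day):
    """Alternate the two ACL names so the live ACL is never edited in place."""
    return "ACL-B" if day.toordinal() % 2 == 0 else "ACL-A"

def build_config(nets, acl, interface="GigabitEthernet0/0", port=443):
    """IOS CLI that rebuilds the standby ACL and then swaps it onto the interface."""
    lines = [
        "configure terminal",
        f"no ip access-list extended {acl}",   # standby ACL is rebuilt from scratch
        f"ip access-list extended {acl}",
    ]
    for n in nets:
        if n.prefixlen == 32:
            src = f"host {n.network_address}"
        else:
            # IOS extended ACLs take a wildcard (inverted) mask, not a netmask
            src = f"{n.network_address} {n.hostmask}"
        lines.append(f" permit tcp {src} any eq {port}")
    lines.append(" deny ip any any log")        # explicit deny, logged for visibility
    lines += [
        f"interface {interface}",
        f" ip access-group {acl} in",           # the swap: the old ACL stays intact until here
        "end",
        "write memory",
    ]
    return lines

if __name__ == "__main__":
    print("\n".join(build_config(load_whitelist(WHITELIST), standby_acl(date.today()))))
```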
01-27-2009 10:00 AM
Thank you very much!
I am surprised there is no IOS command; maybe in the future.
We will try this approach.
01-27-2009 09:14 AM
Hi,
You will need to apply Lock & Key (Dynamic Access-list); please have a look at the below link:
http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml
By the way, thanks for the reminder.
HTH
Mohamed
01-27-2009 09:43 AM
Mohamed,
We looked into that, but it is not automated; as far as I could tell, a user has to connect first.
We are looking to pull from a DB, CSV, or something else on a regular basis to allow incoming IPs.
Thank you though
01-27-2009 09:51 AM
Tahir
As Giuseppe said, you should look to use a script that can automatically log into your routers/switches and make the necessary changes.
Have a look at this page which gives a number of tools that can be used for this purpose -
http://sourceforge.net/search/?type_of_search=soft&words=cisco
They use either Perl or TCL. Both of these languages have binaries that can be downloaded at www.activestate.com.
Jon
01-27-2009 10:01 AM
Thank you very much!
I am surprised there is no IOS command; maybe in the future.
We will try this approach.
01-27-2009 09:46 AM
Hi,
You can use a time-based ACL:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html
Hope this helps, please rate post if it does!