Automate ACL changes nightly (Whitelisting)

Unanswered Question
Jan 27th, 2009

Hello,

We are looking for a way to automate ACL changes for incoming IPs. We are currently allowing certain IPs at the application layer, but would like to move this to the router. We would like it to be automatic every night when we update our database with allowed IPs.

I have found no way to do this.

Any help would be appreciated.


Giuseppe Larosa Tue, 01/27/2009 - 08:18

Hello Tahir,

You could try to implement a TCL/TK script using the Expect library.


For more safety you should use two ACLs:

Day N: you are using ACL A; you modify ACL B and then you apply ACL B to the router interface.

Day N+1: you are using ACL B; you modify ACL A and then you apply ACL A to the router interface.


See

http://www.activestate.com/activetcl/

and

http://expect.nist.gov/


There are whole books about using Expect with TCL/TK.

ActiveState should have a port of the Expect library since TCL 8.4.x (current 8.5).


The script can run on a Windows PC, Linux or another Unix OS at scheduled times, access the router, implement the ACLs, apply them to the router interface and then exit.

The language can access files on the local HD or via the network to load the new whitelist.


Hope to help

Giuseppe
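As an added illustration of the two-ACL rotation described above (not code from the post, from Cisco, or from Expect), this Python script turns a nightly whitelist export into the IOS commands a scheduled Expect-style session would push: it rebuilds the ACL that is not currently bound to the interface, then swaps the interface over to it, and refuses to push an empty list. The ACL names, interface name and sample addresses are assumptions; only the config generation is shown, not the login session.

```python
import ipaddress

# Constructed sample export of the nightly whitelist (one IP or network per line).
SAMPLE_WHITELIST = """# allowed sources, exported nightly (constructed sample)
203.0.113.10
198.51.100.0/24
192.0.2.128/25
"""
# Hypothetical names for the two alternating ACLs (ACL A / ACL B in the post).
ACL_NAMES = ("WHITELIST-A", "WHITELIST-B")

def parse_whitelist(text: str) -> list:
    """Read the exported list; bare addresses become /32 networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def ios_wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS ACLs take inverse (wildcard) masks, e.g. /24 -> 0.0.0.255."""
    return str(net.hostmask)

def acl_entries(nets: list) -> list:
    """Permit each whitelisted source, then an explicit logged deny."""
    lines = []
    for n in nets:
        if n.prefixlen == 32:
            lines.append(f" permit ip host {n.network_address} any")
        else:
            lines.append(f" permit ip {n.network_address} {ios_wildcard(n)} any")
    lines.append(" deny ip any any log")
    return lines

def build_swap_config(nets, active_acl: str, interface: str = "GigabitEthernet0/0") -> list:
    """Rebuild the standby ACL and bind it to the interface; active_acl is the
    name currently applied, so the other name is rewritten and swapped in."""
    if not nets:
        raise ValueError("refusing to push an empty whitelist: it would block everyone")
    if active_acl not in ACL_NAMES:
        raise ValueError(f"unknown ACL {active_acl!r}")
    standby = ACL_NAMES[1 - ACL_NAMES.index(active_acl)]
    cfg = ["configure terminal",
           f"no ip access-list extended {standby}",  # clear yesterday's standby copy
           f"ip access-list extended {standby}", *acl_entries(nets), "exit",
           f"interface {interface}",
           f"ip access-group {standby} in",  # one command replaces the active binding
           "end", "write memory"]
    return cfg
```

Which ACL is active can be read back from the router (`show ip interface`) or kept in a local record between runs; the active ACL is never edited in place, so traffic keeps matching the old rules until the single `ip access-group` command swaps them.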


t.khan Tue, 01/27/2009 - 10:00

Thank you very much!


I am surprised there is no IOS command; maybe in the future.


We will try this approach.

t.khan Tue, 01/27/2009 - 09:43

Mohamed,

We looked into that, but it is not automated; as far as I could tell, a user has to connect first.

We are looking to pull from a DB, CSV, or something else on a regular basis to allow incoming IPs.


Thank you though


Jon Marshall Tue, 01/27/2009 - 09:51

Tahir


As Giuseppe said, you should look to use a script that can automatically log into your routers/switches and make the necessary changes.


Have a look at this page which gives a number of tools that can be used for this purpose -


http://sourceforge.net/search/?type_of_search=soft&words=cisco


They either use Perl or TCL. Both these languages have binaries that can be downloaded at www.activestate.com


Jon

