Automate ACL changes nightly (Whitelisting)

t.khan
Level 1

Hello,

We are looking for a way to automate ACL changes for incoming IPs. We are currently allowing certain IP's at the application layer, but would like to move this to the router. We would like it to be automatic every night when we update our database with allowed IP's.

I have found no way to do this.

Any help would be appreciated.

7 Replies

Giuseppe Larosa
Hall of Fame

Hello Tahir,

You could try to implement a TCL/TK script using the Expect library.

For more safety you should use two ACLs:

Day N: you are using ACL A; you modify ACL B and then you apply ACL B to the router interface.

Day N+1: you are using ACL B; you modify ACL A and then you apply ACL A to the router interface.

See

http://www.activestate.com/activetcl/

and

http://expect.nist.gov/

There are whole books about using Expect with TCL/TK.

ActiveState should have a port of the Expect library since TCL 8.4.x (current 8.5).

The script can run on a Windows PC, Linux or another Unix OS at scheduled times, access the router, implement the ACLs, apply them to the router interface and then exit.

The language can access files on the local HD or via the network to load the new white list.

Hope to help

Giuseppe
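As an added illustration of the two-ACL rotation described above (this is not code from the original thread), the following Python script reads a nightly whitelist export, rejects malformed rows instead of silently skipping or widening them, rebuilds whichever ACL is currently on standby, and emits the IOS commands that swap it onto the interface. The ACL names, interface name and CSV layout are assumptions; the generated lines are what the Expect or SSH session would push inside `configure terminal`.

```python
import csv
import io
import ipaddress

# Constructed sample whitelist, as it might be exported nightly from the database.
SAMPLE_CSV = """ip,comment
192.0.2.10,partner-a
198.51.100.0/24,branch office
not-an-ip,typo row
203.0.113.7,monitoring
"""

def parse_whitelist(csv_text):
    """Return (valid_networks, rejected_rows). A bad row is rejected, never guessed at."""
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            valid.append(ipaddress.ip_network(row["ip"].strip(), strict=True))
        except ValueError:
            rejected.append(row["ip"])
    return valid, rejected

def next_acl_pair(active_acl, acl_a="WHITELIST-A", acl_b="WHITELIST-B"):
    """Alternate: if A is active tonight, B is rebuilt and applied, and vice versa.
    ACL names are assumed for this example."""
    return (acl_a, acl_b) if active_acl == acl_a else (acl_b, acl_a)

def build_swap_config(active_acl, standby_acl, networks, interface):
    """Generate IOS commands that rebuild the standby ACL and swap it onto the interface.

    Traffic stays filtered by the active ACL while the standby list is rewritten;
    only the final 'ip access-group' line changes what is enforced, so a partial push
    never leaves the interface with an empty or half-written list.
    """
    cmds = [f"no ip access-list extended {standby_acl}",
            f"ip access-list extended {standby_acl}"]
    for n in networks:
        if n.num_addresses == 1:
            cmds.append(f" permit ip host {n.network_address} any")
        else:  # IOS ACLs take a wildcard mask, which is the inverse of the netmask
            cmds.append(f" permit ip {n.network_address} {n.hostmask} any")
    cmds.append(" deny ip any any log")  # explicit deny so dropped sources are logged
    cmds += [f"interface {interface}", f" ip access-group {standby_acl} in"]
    return cmds

if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_CSV)
    active, standby = next_acl_pair("WHITELIST-A")  # assumed: A is on the interface today
    for line in build_swap_config(active, standby, nets, "GigabitEthernet0/0"):
        print(line)
    if bad:
        print("rejected rows (fix the source before the next run):", bad)
```

Which ACL is active can be read back from the router (`show ip interface`) rather than kept in a local file, so the rotation cannot drift if a run is skipped.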

Thank you very much!

I am surprised there is no ios command, maybe in the future.

We will try this approach.

Mohamed Sobair
Level 7

Hi,

You will need to apply Lock & Key (Dynamic Access-list); please have a look at the link below:

http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

By the way, thanks for the reminder.

HTH

Mohamed

Mohamed,

We looked into that, but it is not automated; as far as I could tell, a user has to connect first.

We are looking to pull from a DB, CSV, or something else on a regular basis to allow incoming IP's.

Thank you though

Tahir

As Giuseppe said, you should look to use a script that can automatically log into your routers/switches and make the necessary changes.

Have a look at this page which gives a number of tools that can be used for this purpose -

http://sourceforge.net/search/?type_of_search=soft&words=cisco

They use either Perl or TCL. Both of these languages have binaries that can be downloaded at www.activestate.com

Jon

paolo bevilacqua
Hall of Fame

Hi,

You can use a time-based ACL:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html

Hope this helps, please rate post if it does!
