Cisco Support Community
New Member

Automate ACL changes nightly (Whitelisting)

Hello,

We are looking for a way to automate ACL changes for incoming IPs. We are currently allowing certain IPs at the application layer, but would like to move this to the router. We would like it to be automatic every night when we update our database with allowed IPs.

I have found no way to do this.

Any help would be appreciated.

7 REPLIES
Hall of Fame Super Silver

Re: Automate ACL changes nightly (Whitelisting)

Hello Tahir,

You could try to implement a TCL/TK script using the Expect library.

For more safety you should use two ACLs:

Day N: you are using ACL A; you modify ACL B and then you apply ACL B to the router interface.

Day N+1: you are using ACL B; you modify ACL A and then you apply ACL A to the router interface.

See

http://www.activestate.com/activetcl/

and

http://expect.nist.gov/

There are whole books about using Expect with TCL/TK.

ActiveState should have a port of the Expect library since TCL 8.4.x (current 8.5).

The script can run on a Windows PC, Linux or another Unix OS at scheduled times, access the router, build the ACLs, apply them to the router interface and then exit.

The language can access files on the local HD or via the network to load the new white list.

Hope to help

Giuseppe

New Member

Re: Automate ACL changes nightly (Whitelisting)

Thank you very much!

I am surprised there is no IOS command; maybe in the future.

We will try this approach.

Re: Automate ACL changes nightly (Whitelisting)

Hi,

You will need to apply Lock & Key (Dynamic Access-list); please have a look at the link below:

http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

By the way, thanks for the reminder.

HTH

Mohamed

New Member

Re: Automate ACL changes nightly (Whitelisting)

Mohamed,

We looked into that, but it is not automated; as far as I could tell, a user has to connect first.

We are looking to pull from a DB, CSV, or something else on a regular basis to allow incoming IPs.

Thank you though

Hall of Fame Super Blue

Re: Automate ACL changes nightly (Whitelisting)

Tahir

As Giuseppe said, you should look to use a script that can automatically log into your routers/switches and make the necessary changes.

Have a look at this page which gives a number of tools that can be used for this purpose -

http://sourceforge.net/search/?type_of_search=soft&words=cisco

They use either Perl or TCL. Both these languages have binaries that can be downloaded from www.activestate.com.

Jon
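To make the scripted approach that Giuseppe and Jon describe concrete, here is an added example (not code from the thread or from any of the posters) that does the part of the job the thread leaves implicit: it reads the nightly whitelist export, validates every entry so a bad database row cannot become a garbled or over-permissive ACL line, and generates the IOS commands for Giuseppe's two-ACL rotation, rebuilding whichever ACL is currently on standby and then swapping it onto the interface. It is written in Python rather than TCL/Expect because only the command generation is shown; pushing the commands over SSH (with Expect, netmiko, or similar) is left to the caller. The ACL names `WHITELIST-A`/`WHITELIST-B`, the interface `GigabitEthernet0/0`, the destination port 443, the CSV layout and the sample rows are all assumptions made for this example.

```python
"""Build the nightly IOS ACL swap from a whitelist CSV (added example, not from the thread).

Assumptions (hypothetical, not from the original post):
  - the whitelist export is a CSV with a header row and one IPv4 address or CIDR per row,
  - the two standing ACLs are named WHITELIST-A and WHITELIST-B,
  - the active ACL is applied inbound on GigabitEthernet0/0,
  - the caller knows which ACL is live today (e.g. parsed from 'show ip interface').
"""
import csv
import io
import ipaddress

ACL_NAMES = ("WHITELIST-A", "WHITELIST-B")   # hypothetical ACL names
INTERFACE = "GigabitEthernet0/0"              # hypothetical interface
ALLOWED_PORT = 443                            # hypothetical service port

# Constructed sample export: a host, a subnet, a duplicate and a malformed row.
SAMPLE_CSV = """ip
203.0.113.10
198.51.100.0/24
203.0.113.10
not-an-ip
"""


def load_whitelist(text):
    """Return (sorted unique IPv4 networks, rejected raw values).

    Every value is parsed with the ipaddress module before it goes anywhere near
    a router command, so a typo or a stray string in the database is reported
    instead of being interpolated into the configuration. IPv6 rows are rejected
    here too, since they would belong in a separate 'ipv6 access-list'.
    """
    nets, rejected = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        value = row["ip"].strip()
        try:
            nets.add(ipaddress.IPv4Network(value, strict=False))
        except ValueError:
            rejected.append(value)
    return sorted(nets), rejected


def build_acl(name, nets, port=ALLOWED_PORT):
    """Commands that rebuild the named extended ACL from scratch.

    IOS extended ACLs take a wildcard mask (inverted netmask), which is what
    IPv4Network.hostmask yields; single addresses use the 'host' keyword.
    The closing 'deny ip any any log' makes the implicit deny visible in logs.
    """
    cmds = [f"no ip access-list extended {name}", f"ip access-list extended {name}"]
    for net in nets:
        if net.num_addresses == 1:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.hostmask}"
        cmds.append(f" permit tcp {src} any eq {port}")
    cmds.append(" deny ip any any log")
    return cmds


def nightly_swap(active_acl, csv_text):
    """Rebuild the standby ACL and swap it in, per Giuseppe's A/B rotation.

    Returns (standby ACL name, command list, rejected rows). The live ACL is never
    edited in place, so traffic is filtered by a complete list at every moment.
    An empty whitelist is refused: pushing it would lock everyone out.
    """
    if active_acl not in ACL_NAMES:
        raise ValueError(f"unknown active ACL {active_acl!r}")
    standby = ACL_NAMES[1] if active_acl == ACL_NAMES[0] else ACL_NAMES[0]
    nets, rejected = load_whitelist(csv_text)
    if not nets:
        raise ValueError("refusing to push an empty whitelist")
    cmds = ["configure terminal"]
    cmds += build_acl(standby, nets)
    cmds += [f"interface {INTERFACE}", f" ip access-group {standby} in", "end", "write memory"]
    return standby, cmds, rejected


if __name__ == "__main__":
    standby, cmds, rejected = nightly_swap("WHITELIST-A", SAMPLE_CSV)
    print("\n".join(cmds))
    if rejected:
        print("rejected rows (alert the DB owner):", rejected)
```

The rejected rows are returned rather than silently dropped so the nightly job can raise an alert; a missing entry only denies one legitimate client, whereas an unvalidated string passed through to the router could produce a permit line nobody intended. Whichever transport you use to deliver the commands, have the script read back `show ip access-lists` afterwards and compare it with what it generated before it returns success.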

New Member

Re: Automate ACL changes nightly (Whitelisting)

Thank you very much!

I am surprised there is no IOS command; maybe in the future.

We will try this approach.

Hall of Fame Super Gold

Re: Automate ACL changes nightly (Whitelisting)

Hi,

You can use a time-based ACL:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/timerang.html

Hope this helps, please rate post if it does!
