Cisco Support Community

Dynamic ACL for cisco router to cut SPAM

Hi all.

We can find lists of blacklisted IPs on internet like this
How to make cisco router create an access-list with a content taken from the resource above and prevent any traffic towards my network from those IPs?

Any other ideas to overcome that?


Dynamic ACL for cisco router to cut SPAM

That's a long list of IPs, implementing it in an ACL with host entries would be challenging.

Anyway, the first step for you would be to write a script that parses that data and makes an ACL out of it and stores that on a server. Then nightly a script could run that uploads the new ACL, you could use a tool like RANCID or Kiwi CatTools to help with this or write an Expect or Perl script.

Be careful when editing the ACL or you could lose traffic while it gets updated. It might be better to do something like:

conf t
! build the replacement ACL under a new name first
ip access-list extended NEW_ACL
 deny ip host x.x.x.x any
 deny ip host y.y.y.y any
! then swap it in on the interface
interface x/x
 no ip access-group OLD_ACL in/out
 ip access-group NEW_ACL in/out

There is also the possibility of downloading an ACL from a TFTP server into the running-config. I guess this could be automated with EEM as well and a timer that runs.

That should give you some ideas to get started. I also found this script called aclmaker which was written by someone to update ACLs.

Daniel Dib
CCIE #37149

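The parse-and-generate step from the reply above, as an added example that is not code from the thread: it turns a blacklist feed into a named extended ACL plus the interface swap commands. The feed text, the ACL names and the interface name are constructed assumptions; the example also goes slightly beyond the reply by accepting CIDR ranges (emitted as wildcard-mask entries) and by ending the ACL with an explicit permit so only the listed sources are dropped.

```python
"""Build a Cisco IOS named extended ACL from a blacklist feed (added example)."""
import ipaddress

# Constructed sample feed: one entry per line, '#' or ';' comments, hosts or CIDR.
SAMPLE_FEED = """# constructed blacklist sample, not a real feed
198.51.100.7
203.0.113.0/24   ; spam source range
198.51.100.7     # duplicate, must collapse to one entry
not-an-ip
"""


def parse_feed(text):
    """Return de-duplicated IPv4 networks; comments and malformed lines are skipped."""
    nets = []
    for raw in text.splitlines():
        token = raw.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # a bad line must not break the whole ACL push
        if net.version == 4 and net not in nets:
            nets.append(net)
    return nets


def acl_entry(net):
    """IOS syntax: 'host A.B.C.D' for a /32, 'A.B.C.D WILDCARD' for a range."""
    if net.prefixlen == 32:
        return f" deny ip host {net.network_address} any"
    return f" deny ip {net.network_address} {net.hostmask} any"


def build_acl(text, name):
    """Config lines for the ACL; the final permit keeps everything else flowing."""
    lines = [f"ip access-list extended {name}"]
    lines += [acl_entry(n) for n in parse_feed(text)]
    lines.append(" permit ip any any")
    return lines


def build_swap(old_name, new_name, interface, direction="in"):
    """Interface commands in the order the reply shows: detach old, attach new."""
    return [f"interface {interface}",
            f" no ip access-group {old_name} {direction}",
            f" ip access-group {new_name} {direction}"]


if __name__ == "__main__":
    # Alternate the ACL name each run so the new list never edits the live one.
    print("\n".join(build_acl(SAMPLE_FEED, "BL_ACL_NEW")
                    + build_swap("BL_ACL_OLD", "BL_ACL_NEW", "GigabitEthernet0/0")))
```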