1 Reply Latest reply on Jul 9, 2015 11:41 AM by levi

    How can I update ACLs to DENY blocked IP subnets via some form of automation or scripting?

    tincg_cw New Member

      We are using NV4430 routers as our perimeter Internet routers.  We are in the process of implementing more advanced IDS scanning internally using some 3rd party open source products.  We would like to be able to write some sort of automatic way we can update our DENY IP ACLs on our WAN interface to limit access from blacklisted subnets or even specific regions of high threat values.  Currently our need is to only run this update on a weekly basis which I believe would be accomplished using the scheduler, but I need help with creating the DENY script.


      I've come across TCL Scripting a few times in Adtran documents that I've read, but haven't had much need to this point in using.  Is this the suggested method?  If so, does anyone have any code snippets of how to best implement?


      If my input is text file with the Deny IPs, any suggestions on how to get from an input list of denied subnets to a fully implemented/modified ACL on the NV4430?


      Thanks,


      Chad

        • Re: How can I update ACLs to DENY blocked IP subnets via some form of automation or scripting?
          levi Employee

          tincg_cw:


          Thank you for asking this question in the support community forum.  The solution to "dynamically" adding entries to an ACL is not very dynamic.  Whether you use a schedule/TCL script or manually update the ACL entries, you are still manually/statically updating the deny list to be added to the configuration.  My recommendation would be to simply add/remove the new entries via copy/paste directly to the CLI for each update.  Here is an example that you could copy and paste directly into the CLI (remove a previous entry "host 1.1.1.1" and add a new entry "host 2.2.2.2"):

          configure terminal
          ip access-list extended NAME-DENY-LIST
          no permit ip host 1.1.1.1 any
          permit ip host 2.2.2.2 any
          end
          write

          I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.


          Levi
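As an added example (not from the original post, and not an Adtran tool): a Python script that takes the text file of denied subnets Chad describes and emits the copy/paste CLI update Levi shows, removing entries that dropped off the list and adding new ones, so the weekly job only touches what changed. The ACL name and the "host X" entry form are taken from the reply; the wildcard-mask form for subnets and the one-space indent of ACL lines in running-config output are assumptions about AOS to verify on a lab unit before scheduling this.

```python
import ipaddress
import re

# ACL name and "host X" entry form come from the reply above; wildcard-mask
# subnet entries and one-space indented ACL lines in running-config are assumed.
ACL_NAME = "NAME-DENY-LIST"
_ENTRY = re.compile(r"^\s*permit ip (?:host (\S+)|(\S+) (\S+)) any\s*$")
# Constructed sample input: the current ACL stanza and this week's feed.
SAMPLE_CONFIG = (f"ip access-list extended {ACL_NAME}\n"
                 " permit ip host 1.1.1.1 any\n"
                 " permit ip 203.0.113.0 0.0.0.255 any\n!\n")
SAMPLE_FEED = "# weekly feed\n2.2.2.2\n203.0.113.0/24\n198.51.100.0/25\n"

def parse_blocklist(text):
    """One IPv4 address or CIDR per line; '#' starts a comment."""
    nets = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.IPv4Network(line, strict=False))
    return nets

def parse_current_acl(running_config):
    """Networks already in the ACL, read from 'show running-config' text."""
    nets, in_acl = set(), False
    for line in running_config.splitlines():
        if line.startswith(f"ip access-list extended {ACL_NAME}"):
            in_acl = True
        elif in_acl and not line.startswith(" "):
            in_acl = False  # left the ACL stanza
        m = _ENTRY.match(line) if in_acl else None
        if m:
            host, addr, wildcard = m.groups()
            spec = f"{host}/32" if host else f"{addr}/{wildcard}"
            nets.add(ipaddress.IPv4Network(spec, strict=False))
    return nets

def acl_entry(net):
    if net.prefixlen == 32:
        return f"permit ip host {net.network_address} any"
    return f"permit ip {net.network_address} {net.hostmask} any"

def build_update(current, desired):
    """CLI paste as in the reply: stale entries removed, new ones added."""
    if current == desired:
        return []  # nothing changed this week, so no write needed
    lines = ["configure terminal", f"ip access-list extended {ACL_NAME}"]
    lines += ["no " + acl_entry(n) for n in sorted(current - desired)]
    lines += [acl_entry(n) for n in sorted(desired - current)]
    return lines + ["end", "write"]
```

Run it against a saved copy of the running-config and the feed file, review the emitted lines, then paste them into the CLI (or feed them to the scheduler job) the way Levi describes.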