Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎05-26-2015 09:14 PM

How can I update ACL's to DENY blocked IP Subnets via some form of automation or scripting?

We are using NV4430 routers as our perimeter Internet routers.  We are in the process of implementing more advanced IDS scanning internally using some 3rd party open source products.  We would like to be able to write some sort of automatic way we can update our DENY IP ACLs on our WAN interface to limit access from blacklisted subnets or even specific regions of high threat values.  Currently our need is to only run this update on a weekly basis which I believe would be accomplished using the scheduler, but I need help with creating the DENY script.

I've come across TCL Scripting a few times in Adtran documents that I've read, but haven't had much need to this point in using.  Is this the suggested method?  If so, does anyone have any code snippets of how to best implement?

If my input is text file with the Deny IPs, any suggestions on how to get from an input list of denied subnets to a fully implemented/modified ACL on the NV4430?

Thanks,

Chad

0 Kudos
Reply
1 Reply
Anonymous
Not applicable
‎07-09-2015 01:41 PM

Re: How can I update ACL's to DENY blocked IP Subnets via some form of automation or scripting?

tincg_cw‌:

Thank you for asking this question in the support community forum.  The solution to "dynamically" adding entries to an ACL, is not very dynamic.  Whether you use a schedule/TCL script, or manually update the ACL entries, you are still manually/statically updating the deny list to be added to the configuration.  My recommendation would be to simply add/remove the new entries via copy/paste directly to the CLI for each update.  Here is an example that you could copy and paste directly into the CLI (remove a previous entry "host 1.1.1.1" and add a new entry "host 2.2.2.2"):

configure terminal

ip access-list extended NAME-DENY-LIST

no permit ip host 1.1.1.1 any

permit ip host 2.2.2.2 any

end

write

I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information.  I will be happy to help in any way I can.

Levi

0 Kudos
Accept as Solution Reply