We are using NV4430 routers as our perimeter Internet routers. We are in the process of implementing more advanced IDS scanning internally using some 3rd party open source products. We would like to be able to write some sort of automatic way to update our DENY IP ACLs on our WAN interface to limit access from blacklisted subnets or even specific regions of high threat values. Currently our need is only to run this update on a weekly basis, which I believe would be accomplished using the scheduler, but I need help with creating the DENY script.
I've come across TCL scripting a few times in Adtran documents that I've read, but haven't had much need to use it up to this point. Is this the suggested method? If so, does anyone have any code snippets of how best to implement it?
If my input is a text file with the Deny IPs, any suggestions on how to get from an input list of denied subnets to a fully implemented/modified ACL on the NV4430?
Thanks,
Chad
tincg_cw:
Thank you for asking this question in the support community forum. The solution to "dynamically" adding entries to an ACL is not very dynamic. Whether you use a schedule/TCL script or manually update the ACL entries, you are still manually/statically updating the deny list to be added to the configuration. My recommendation would be to simply add/remove the new entries via copy/paste directly to the CLI for each update. Here is an example that you could copy and paste directly into the CLI (remove a previous entry "host 1.1.1.1" and add a new entry "host 2.2.2.2"):
configure terminal
ip access-list extended NAME-DENY-LIST
no permit ip host 1.1.1.1 any
permit ip host 2.2.2.2 any
end
write
I hope that makes sense, but please do not hesitate to reply to this post with any additional questions or information. I will be happy to help in any way I can.
Levi
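Chad's question above asks how to get from a text file of denied subnets to the ACL change, and Levi's reply shows the CLI block to paste (remove old entries with "no permit", add new ones with "permit", then "end" and "write"). The following is an added example, not code from the original thread or from Adtran: a small Python generator that diffs last week's list against this week's and emits exactly that paste block, so only the entries that changed are touched. It assumes the ACL name NAME-DENY-LIST from Levi's snippet, that the list is IPv4 only, that a bare address should become a /32 "host" entry, and that a prefix is written in the extended-ACL "network wildcard" form (e.g. 198.51.100.0 0.0.0.127); both sample lists are constructed for the example. As in Levi's snippet the entries are "permit" lines, which assumes the ACL is referenced by a policy that discards matching traffic; the generator does not change how the ACL is applied to the WAN interface.

```python
"""Generate an AOS CLI paste block that brings an extended ACL in line with a text
file of denied subnets. Added example; assumes the syntax shown in the thread."""
import ipaddress
from typing import List

# Constructed sample input: one entry per line, '#' comments and blank lines ignored.
SAMPLE_OLD = """\
1.1.1.1
203.0.113.0/24
"""
SAMPLE_NEW = """\
# weekly deny list, exported by the IDS (constructed sample)
2.2.2.2
203.0.113.0/24
198.51.100.0/25
"""


def parse_deny_list(text: str) -> List[ipaddress.IPv4Network]:
    """Parse the text file into IPv4 networks; a bare address becomes a /32.
    Bad lines raise rather than silently producing a shorter deny list."""
    nets = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False lets '203.0.113.5/24' mean the containing /24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP or CIDR") from exc
        if net.version != 4:
            raise ValueError(f"line {lineno}: {line!r} is not IPv4 (assumed IPv4-only ACL)")
        nets.add(net)
    return sorted(nets)  # IPv4Network objects sort by address, then mask


def acl_entry(net: ipaddress.IPv4Network) -> str:
    """Render one ACL source match: 'host A.B.C.D' for a /32, otherwise
    'network wildcard' using the hostmask (assumed extended-ACL form)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_cli(old_text: str, new_text: str, acl_name: str = "NAME-DENY-LIST") -> str:
    """Return the CLI block to paste: 'no permit' for entries that left the list,
    'permit' for entries that joined it. Empty string when nothing changed, so a
    weekly run with no changes does not rewrite the startup config."""
    old = set(parse_deny_list(old_text))
    new = set(parse_deny_list(new_text))
    removed = sorted(old - new)
    added = sorted(new - old)
    if not removed and not added:
        return ""
    lines = ["configure terminal", f"ip access-list extended {acl_name}"]
    lines += [f"no permit ip {acl_entry(n)} any" for n in removed]
    lines += [f"permit ip {acl_entry(n)} any" for n in added]
    lines += ["end", "write"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage with real files: build_cli(open("last_week.txt").read(), open("this_week.txt").read())
    print(build_cli(SAMPLE_OLD, SAMPLE_NEW), end="")
```

Keep the previous week's file around as the "old" input, or export the current ACL from the router and convert it, so the generator knows which entries to remove; if the old list is lost, the safe fallback is to treat it as empty and accept that stale entries stay in the ACL until cleaned up by hand. Because a parse error raises instead of being skipped, a corrupted export cannot quietly shrink the deny list.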