Note
The solution uses WalledGarden-type ACL/IP rules based on fixed IP host addresses and large open subnets for the external services. It is not a full equivalent of a WalledGarden based on domain names; it only partly replaces it. Because the external services behind the WalledGarden use dynamically assigned IP addresses rather than static ones, some content may become unreachable and some functions may be restricted. The list of ACL IP addresses and subnets therefore has to be reviewed regularly, and every change to it recorded.
Setting
To achieve proper functionality, you need to define a preACL list of allowed IP addresses. The allowed IP addresses must be reachable through the system without any authentication. Cisco does not support a DNS-based Walled Garden so far. The table below lists the required IP addresses and subnets for each service.
[Table: required IP addresses and subnets per service, with columns SOCIFI, SOCIFI's CDN, Google, Facebook and Twitter; the address entries were garbled in extraction and are not reproduced here.]
Each IP host (or subnet) has to be defined twice, once per direction (IN and OUT). The set of ACL rules is called preACL_permit.
Example rules for the host 52.51.203.246 / 255.255.255.255:
```
config acl rule add preACL_permit 1
config acl rule source port range preACL_permit 1 0 65535
config acl rule direction preACL_permit 1 in
config acl rule action preACL_permit 1 permit
config acl rule destination port range preACL_permit 1 0 65535
config acl rule destination address preACL_permit 1 52.51.203.246 255.255.255.255
config acl rule add preACL_permit 2
config acl rule source port range preACL_permit 2 0 65535
config acl rule source address preACL_permit 2 52.51.203.246 255.255.255.255
config acl rule direction preACL_permit 2 out
config acl rule action preACL_permit 2 permit
config acl rule destination port range preACL_permit 2 0 65535
```
In the end, you need to create and apply the set of ACL rules:
```
config acl create preACL_permit
config acl apply preACL_permit
```
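As an added example (not part of the original page), a small Python generator that turns a list of hosts and subnets written in the table's `address / mask` notation into the paired IN/OUT rules shown above, validates every mask with `ipaddress` so a mistyped entry fails before it reaches the controller, and wraps the rules with the create/apply commands. The sample entries, the function names and the choice to emit `config acl create` before the rules are assumptions made here, not taken from the page.

```python
import ipaddress

# Constructed sample in the page's "address / mask" notation: the host from
# the page's example plus a documentation-range subnet used only as filler.
WALLED_GARDEN = [
    "52.51.203.246 / 255.255.255.255",
    "198.51.100.0 / 255.255.255.0",
]
ACL_NAME = "preACL_permit"

def parse_entry(entry):
    """Parse 'addr / mask' into validated (address, netmask) strings.
    ipaddress rejects non-contiguous masks and host bits set under the
    mask, so a typo fails here instead of silently on the controller."""
    addr, mask = (part.strip() for part in entry.split("/"))
    net = ipaddress.IPv4Network((addr, mask), strict=True)
    return str(net.network_address), str(net.netmask)

def rule_pair(index, addr, mask, acl=ACL_NAME):
    """IN rule (matches destination) and OUT rule (matches source), any port."""
    i, o = index, index + 1
    return [
        f"config acl rule add {acl} {i}",
        f"config acl rule source port range {acl} {i} 0 65535",
        f"config acl rule direction {acl} {i} in",
        f"config acl rule action {acl} {i} permit",
        f"config acl rule destination port range {acl} {i} 0 65535",
        f"config acl rule destination address {acl} {i} {addr} {mask}",
        f"config acl rule add {acl} {o}",
        f"config acl rule source port range {acl} {o} 0 65535",
        f"config acl rule source address {acl} {o} {addr} {mask}",
        f"config acl rule direction {acl} {o} out",
        f"config acl rule action {acl} {o} permit",
        f"config acl rule destination port range {acl} {o} 0 65535",
    ]

def build_acl(entries, acl=ACL_NAME):
    """Create the ACL, add paired rules for every entry, then apply it."""
    lines = [f"config acl create {acl}"]
    for n, entry in enumerate(entries):
        addr, mask = parse_entry(entry)
        lines.extend(rule_pair(2 * n + 1, addr, mask, acl))
    lines.append(f"config acl apply {acl}")
    return lines

if __name__ == "__main__":
    print("\n".join(build_acl(WALLED_GARDEN)))
```

Keeping the input list in version control and regenerating the commands from it gives the change record the note at the top of the page asks for.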