Cisco Systems controllers ACL configuration

The solution uses walled-garden style ACL rules on the controller, based on fixed IP host addresses and large open subnets for the external services in use. It is not a full equivalent of a walled garden based on domain names and only partly replaces one: the external services are reached through dynamically assigned IP addresses (not static ones), so some content may become unreachable and some functions restricted when those addresses change. The list of ACL IP addresses and subnets therefore has to be reviewed regularly, and every change to it recorded.

Setting

ACL - preACL

To achieve proper functionality, you need to define a preACL list of allowed IP addresses. The allowed addresses have to be reachable by clients without any authentication. Cisco does not support a DNS-based walled garden so far. The table below lists the needed IP addresses and subnets for every service.

SOCIFI
54.246.88.74 / 255.255.255.255
52.51.203.246 / 255.255.255.255
54.204.47.201 / 255.255.255.255
52.44.151.156 / 255.255.255.255
54.232.124.137 / 255.255.255.255
54.232.88.133 / 255.255.255.255
54.251.110.178 / 255.255.255.255

SOCIFI's CDN
13.32.0.0 / 255.254.0.0
13.35.0.0 / 255.255.0.0
13.54.63.128 / 255.255.255.192
13.59.250.0 / 255.255.255.192
13.224.0.0 / 255.252.0.0
34.195.252.0 / 255.255.255.0
35.162.63.192 / 255.255.255.192
52.15.127.128 / 255.255.255.192
52.46.0.0 / 255.255.192.0
52.52.191.128 / 255.255.255.192
52.57.254.0 / 255.255.255.0
52.66.194.128 / 255.255.255.192
52.78.247.128 / 255.255.255.192
52.84.0.0 / 255.254.0.0
52.199.127.192 / 255.255.255.192
52.212.248.0 / 255.255.255.192
52.220.191.0 / 255.255.255.192
52.222.128.0 / 255.255.128.0
54.182.0.0 / 255.255.0.0
54.192.0.0 / 255.255.0.0
54.230.0.0 / 255.255.0.0
54.233.255.128 / 255.255.255.192
54.239.128.0 / 255.255.192.0
54.239.192.0 / 255.255.224.0
54.240.128.0 / 255.255.192.0
70.132.0.0 / 255.255.192.0
71.152.0.0 / 255.255.128.0
99.84.0.0 / 255.255.0.0
143.204.0.0 / 255.255.0.0
204.246.164.0 / 255.255.252.0
204.246.168.0 / 255.255.252.0
204.246.174.0 / 255.255.254.0
204.246.176.0 / 255.255.240.0
205.251.192.0 / 255.255.224.0
205.251.249.0 / 255.255.255.0
205.251.250.0 / 255.255.254.0
205.251.252.0 / 255.255.254.0
205.251.254.0 / 255.255.255.0
216.137.32.0 / 255.255.224.0

Google
216.239.32.0 / 255.255.224.0
64.233.160.0 / 255.255.224.0
66.249.64.0 / 255.255.224.0
72.14.192.0 / 255.255.192.0
209.85.128.0 / 255.255.128.0
66.102.0.0 / 255.255.240.0
74.125.0.0 / 255.255.0.0
64.18.0.0 / 255.255.240.0
207.126.144.0 / 255.255.240.0
173.194.0.0 / 255.255.0.0
216.58.192.0 / 255.255.224.0
108.177.8.0 / 255.255.248.0
172.217.0.0 / 255.255.224.0
108.177.96.0 / 255.255.224.0

Facebook/Instagram
31.13.24.0 / 255.255.248.0
31.13.64.0 / 255.255.192.0
45.64.40.0 / 255.255.252.0
66.220.144.0 / 255.255.240.0
69.63.176.0 / 255.255.240.0
69.171.224.0 / 255.255.224.0
74.119.76.0 / 255.255.252.0
103.4.96.0 / 255.255.252.0
129.134.0.0 / 255.255.0.0
157.240.0.0 / 255.255.0.0
173.252.64.0 / 255.255.192.0
179.60.192.0 / 255.255.252.0
185.60.216.0 / 255.255.252.0
204.15.20.0 / 255.255.252.0

Twitter
69.12.56.0 / 255.255.248.0
103.252.112.0 / 255.255.252.0
104.244.40.0 / 255.255.248.0
185.45.4.0 / 255.255.248.0
188.64.224.0 / 255.255.248.0
192.44.68.0 / 255.255.254.0
192.48.236.0 / 255.255.254.0
192.133.76.0 / 255.255.252.0
199.16.156.0 / 255.255.252.0
199.59.148.0 / 255.255.252.0
199.69.58.0 / 255.255.254.0
199.96.56.0 / 255.255.248.0
202.160.128.0 / 255.255.252.0
192.229.128.0 / 255.255.128.0
93.184.208.0 / 255.255.240.0

LinkedIn
91.225.248.0 / 255.255.254.0
103.20.94.0 / 255.255.254.0
108.174.0.0 / 255.255.252.0
108.174.4.0 / 255.255.255.0
108.174.8.0 / 255.255.252.0
108.174.12.0 / 255.255.254.0
144.2.0.0 / 255.255.252.0
144.2.192.0 / 255.255.255.0
216.52.16.0 / 255.255.254.0
216.52.18.0 / 255.255.255.0
216.52.20.0 / 255.255.254.0
216.52.22.0 / 255.255.255.0
65.156.227.0 / 255.255.255.0
8.39.53.0 / 255.255.255.0
185.63.144.0 / 255.255.255.0
185.63.147.0 / 255.255.255.0
199.101.161.0 / 255.255.255.0
64.152.25.0 / 255.255.255.0
8.22.161.0 / 255.255.255.0

Each IP host or subnet has to be defined twice, once per direction (IN and OUT): an inbound rule (wireless client towards the network) that matches the allowed address as the destination, and an outbound rule (return traffic towards the client) that matches it as the source. The set of rules is called preACL_permit. The ACL has to be created before the first rule is added to it. Note that AireOS accepts at most 64 rules per ACL, so one ACL holds at most 32 hosts or subnets; take from the table above only the services that are actually needed.

Create the ACL first:

config acl create preACL_permit

Example of host rules "52.51.203.246 / 255.255.255.255":

config acl rule add preACL_permit 1
config acl rule source port range preACL_permit 1 0 65535
config acl rule direction preACL_permit 1 in
config acl rule action preACL_permit 1 permit
config acl rule destination port range preACL_permit 1 0 65535
config acl rule destination address preACL_permit 1 52.51.203.246 255.255.255.255

config acl rule add preACL_permit 2
config acl rule source port range preACL_permit 2 0 65535
config acl rule source address preACL_permit 2 52.51.203.246 255.255.255.255
config acl rule direction preACL_permit 2 out
config acl rule action preACL_permit 2 permit
config acl rule destination port range preACL_permit 2 0 65535

In the end, once all rules have been added, apply the ACL:

config acl apply preACL_permit
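The rule pair above has to be repeated for every entry in the table, and the table has to be re-checked regularly. The following Python script is an added example, not code from the original page nor from SOCIFI's or Cisco's tooling: it reads entries in the page's "ip / mask" notation, rejects non-contiguous masks and addresses with host bits set, emits the same AireOS commands as the manual example in the correct order (create, rule pairs, apply), refuses to exceed 64 rules in one ACL, and reports which entries were added or removed between two versions of the list. The embedded sample entries are a constructed subset of the table; the function names and the 64-rule constant are the example's own.

```python
"""Generate Cisco AireOS pre-authentication ACL commands from an "ip / mask" list.

Added example. Every entry becomes two permit rules, mirroring the manual
example on this page: an inbound rule (wireless client towards the network)
that matches the allowed address as destination, and an outbound rule
(return traffic towards the client) that matches it as source.
"""
import ipaddress

# AireOS accepts at most 64 rules per ACL; two rules per entry -> 32 entries.
MAX_RULES_PER_ACL = 64

# Constructed sample input in the page's notation: a few entries copied from
# the SOCIFI and CDN parts of the table, not the full list.
SAMPLE_ENTRIES = """
52.51.203.246 / 255.255.255.255
54.246.88.74 / 255.255.255.255
13.32.0.0 / 255.254.0.0
"""


def parse_entries(text):
    """Parse 'ip / mask' lines into (network, netmask) string pairs.

    Blank lines are skipped. A non-contiguous mask, or an address with host
    bits set under its mask (a typical typo in a hand-maintained list), makes
    ipaddress raise ValueError, so the mistake is caught before any command
    reaches the controller.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            raise ValueError(f"expected 'ip / mask', got {line!r}")
        ip, mask = (part.strip() for part in line.split("/", 1))
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=True)
        entries.append((str(net.network_address), str(net.netmask)))
    return entries


def acl_commands(acl_name, entries):
    """Return the CLI lines for one ACL: create, IN/OUT rule pairs, apply.

    Raises ValueError when the entries would not fit into a single ACL.
    """
    if 2 * len(entries) > MAX_RULES_PER_ACL:
        raise ValueError(
            f"{len(entries)} entries need {2 * len(entries)} rules, "
            f"AireOS allows {MAX_RULES_PER_ACL} per ACL"
        )
    cmds = [f"config acl create {acl_name}"]  # the ACL must exist before rules
    index = 1
    for net, mask in entries:
        # Inbound: client -> allowed host, so the host is the destination.
        cmds += [
            f"config acl rule add {acl_name} {index}",
            f"config acl rule source port range {acl_name} {index} 0 65535",
            f"config acl rule direction {acl_name} {index} in",
            f"config acl rule action {acl_name} {index} permit",
            f"config acl rule destination port range {acl_name} {index} 0 65535",
            f"config acl rule destination address {acl_name} {index} {net} {mask}",
        ]
        index += 1
        # Outbound: allowed host -> client, so the host is the source.
        cmds += [
            f"config acl rule add {acl_name} {index}",
            f"config acl rule source port range {acl_name} {index} 0 65535",
            f"config acl rule source address {acl_name} {index} {net} {mask}",
            f"config acl rule direction {acl_name} {index} out",
            f"config acl rule action {acl_name} {index} permit",
            f"config acl rule destination port range {acl_name} {index} 0 65535",
        ]
        index += 1
    cmds.append(f"config acl apply {acl_name}")
    return cmds


def diff_entries(old_text, new_text):
    """Compare two versions of the list for the change log the page asks for.

    Returns (added, removed) as sorted lists in CIDR notation.
    """
    def as_cidr(entry):
        return str(ipaddress.IPv4Network(f"{entry[0]}/{entry[1]}"))

    old = set(parse_entries(old_text))
    new = set(parse_entries(new_text))
    return sorted(map(as_cidr, new - old)), sorted(map(as_cidr, old - new))


if __name__ == "__main__":
    print("\n".join(acl_commands("preACL_permit", parse_entries(SAMPLE_ENTRIES))))
```

Paste the printed lines into the controller CLI, or keep the generated file next to the list under version control so that each review of the addresses produces both the new commands and the diff against the previous version.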

Related pages