EEM script to check hits on acl

davemikolajczak
Level 1

I need to monitor the hits on a deny entry on an acl.

If there is a hit, I need to generate an SNMP trap.

Is the logic to:

- set EEM cron to check at some period
- use cli_command to show access-list acl_name
- have the cli output enter a tcl string variable
- find the hit counter
- then send a trap?


1 Reply

Joe Clarke
Cisco Employee

You don't need to use Tcl for this provided you have EEM 3.0 or higher (which these days is pretty much a given).

Your overall logic is pretty sound. You'll use a timer (you can use cron or watchdog for this). Run the show command to get the ACL hits. Parse the results with regexp to pull out the hit count. But then this is where things may need to be adjusted. You likely don't want a trap every time this runs when the hit count is non-zero. Meaning if you get one deny hit, then every time the policy runs you'll get a trap. You likely only want traps when the hit count increases.

In that case, you'll need to save the current hit count to a context with context-save. Then before you get the new hit count, add a call to context-retrieve to pull out the saved value. If the new value is greater than (gt) the old value, then send a trap.
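The applet below is an added example that follows the logic in the reply above; it is not code from the thread or from Cisco. It assumes a named extended ACL called EDGE_IN whose sequence 10 entry is the deny line to watch, a 60-second watchdog poll, and that the platform supports the handle-error action (used so the very first run, when no context has been saved yet, does not abort on the retrieve). Those names and the interval are placeholders to adjust.

```ios
! Added example (not from the thread): EEM applet that traps only when the
! deny hit counter on ACL "EDGE_IN", sequence 10, has increased since last poll.
! Assumed: ACL name, sequence number and 60 s interval are placeholders.
snmp-server enable traps event-manager
!
event manager applet ACL_DENY_HITS
 event timer watchdog time 60
 ! First run: nothing saved yet, so default the previous count to 0 and do not
 ! let a failed context retrieve abort the applet (assumes handle-error support).
 action 010 handle-error type ignore
 action 020 set prev_hits 0
 action 030 context retrieve key ACL_DENY_HITS variable prev_hits
 ! Fetch the current counters.
 action 040 cli command "enable"
 action 050 cli command "show ip access-lists EDGE_IN"
 ! IOS prints "(N matches)" only once an entry has been hit; default to 0 when
 ! that suffix is absent. The leading space keeps " 10 deny" from matching "110 deny".
 action 060 set hits 0
 action 070 regexp " 10 deny [^(]*[(]([0-9]+) match" "$_cli_result" line hits
 ! Trap only on an increase, as the reply recommends.
 action 080 if $hits gt $prev_hits
 action 090  snmp-trap strdata "EDGE_IN seq 10 deny hits rose from $prev_hits to $hits" intdata1 $hits
 action 100 end
 ! Retrieve consumes the saved context, so save the current value every run.
 action 110 context save key ACL_DENY_HITS variable hits
```

Note that the hit counter resets on a reload or a `clear ip access-list counters`, so a drop back to a smaller value is treated as "no increase" on that poll and traps resume once the counter climbs again; if you want to be told about the reset itself, add a second `if $hits lt $prev_hits` branch with its own trap.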
