EEM script to check hits on acl
04-23-2018 02:11 PM - edited 03-01-2019 06:32 PM
I need to monitor the hits on a deny entry on an acl.
If there is a hit, I need to generate an SNMP trap.
Is the logic to:
- set an EEM cron to check at some period
- use cli_command to show access-list acl_name
- have the CLI output enter a Tcl string variable
- find the hit counter
- then send a trap?
Labels: Network Management

04-26-2018 09:19 AM
You don't need to use Tcl for this provided you have EEM 3.0 or higher (which these days is pretty much a given).
Your overall logic is pretty sound. You'll use a timer (you can use cron or watchdog for this). Run the show command to get the ACL hits. Parse the results with regexp to pull out the hit count. But this is where things may need to be adjusted. You likely don't want a trap every time this runs when the hit count is non-zero; meaning, if you get one deny hit, then every time the policy runs you'll get a trap. You likely only want traps when the hit count increases.
In that case, you'll need to save the current hit count to a context with context-save. Then, before you get the new hit count, add a call to context-retrieve to pull out the saved value. If the new value is greater than (gt) the old value, then send a trap.
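The applet below puts the steps from the reply above into an EEM 3.x applet (no Tcl). It is an added example, not code from the original thread or from Cisco; the ACL name "ACL_NAME", the applet name, the 60-second watchdog interval and the shape of the ACE it matches ("deny ip any any [log] (N matches)") are assumptions, and the regexp pattern must be adjusted to the deny entry actually being monitored. The `handle-error` action is assumed to be available (EEM 3.2 and later); it is what lets the first run survive `context retrieve` finding no saved key yet.

```cisco
! Added example: trap only when the deny counter has grown since the last run.
! Assumes an ACE that renders as "deny ip any any [log] (N matches)" in
! "show access-list ACL_NAME"; adjust the regexp for your own entry.
event manager applet ACL_DENY_HITS
 event timer watchdog time 60
 ! Run the show command; its output lands in $_cli_result
 action 010 cli command "enable"
 action 020 cli command "show access-list ACL_NAME"
 ! Pull the match count out of the monitored ACE. If the entry has never
 ! been hit IOS prints no "(N matches)" at all, so the regexp fails and
 ! $_regexp_result is 0; treat that as a count of zero rather than an error.
 action 030 regexp "deny ip any any[a-z ]* .([0-9]+) matches" "$_cli_result" match hits
 action 040 if $_regexp_result ne 1
 action 050  set hits 0
 action 060 end
 ! Seed the previous value, then try to retrieve the one saved last run.
 ! On the very first run the key does not exist and retrieve errors out;
 ! handle-error ignore (EEM 3.2+, assumed) lets the applet continue with
 ! prev_hits still at 0 instead of aborting.
 action 070 set prev_hits 0
 action 080 handle-error type ignore
 action 090 context retrieve key ACL_DENY_HITS variable prev_hits
 ! Trap only when the counter moved up, not merely when it is non-zero.
 action 100 if $hits gt $prev_hits
 action 110  snmp-trap intdata1 $hits intdata2 $prev_hits strdata "ACL_NAME deny hits rose from $prev_hits to $hits"
 action 120 end
 ! Always save the current value for the next run (retrieve consumes the key).
 action 130 context save key ACL_DENY_HITS variable hits
!
! The applet's traps only leave the box if EEM traps are enabled and a host is set:
snmp-server enable traps event-manager
snmp-server host 192.0.2.10 version 2c public
```

Two caveats worth checking before relying on it: the ACL counter is cumulative, so after `clear access-list counters` (or a reload, which also empties the saved context) the saved value can be higher than the live one and no trap fires until the counter climbs past it again; and a watchdog only tells you "at least one new hit in the last interval", so a burst of hits between two runs produces one trap, not one per packet. Run `show event manager history events` and `debug event manager action cli` once to confirm the regexp is actually capturing the count on your platform's output format.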
