02-14-2020 06:34 PM
Hello, I am trying to make an EEM script to extract an IP address from an ACL log, then check this IP against a .txt file that has all whitelisted IPs, and if no match is found an ACL term is added to block this IP.
I am able to make the script that extracts the IP from the ACL log but don't know how to make the comparison.
event manager applet prefix
event syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*"
action 1.0 cli command "enable"
action 2.0 cli command "show ip interface brief"
action 3.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_syslog_msg" ADDR
action 4.0 syslog msg "$ADDR"
Thanks in advance.
Ahmed
02-14-2020 09:55 PM
You can do a combination of EEM and TCL for your requirement if the IP list is stored in flash (where is the IPs file stored?).
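One way to put that EEM + Tcl combination together, added here as an example and not code posted by either participant: a Tcl EEM policy that fires on the same IPACCESSLOGNP syslog pattern, pulls the source address out of the message, compares it against a one-address-per-line whitelist read from flash, and, if the address is not whitelisted and not already denied, inserts a deny entry ahead of the logging permit. The whitelist path (flash:whitelist.txt), the ACL name (BLOCK_IN) and the sequence number of the logging permit entry (1000) are assumptions and would need to match the router's configuration.

```tcl
# Assumed: the EEM applet in this thread is replaced by this Tcl policy,
# registered with "event manager policy <file>" after copying it to flash.
::cisco::eem::event_register_syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*" maxrun 60

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

set whitelist_file "flash:whitelist.txt"   ;# assumed path, one IPv4 per line
set acl_name       "BLOCK_IN"              ;# assumed extended ACL name
set log_seq        1000                    ;# assumed sequence of the "permit ... log" entry

# Pull the syslog text that triggered the policy.
array set einfo [event_reqinfo]
set msg $einfo(msg)

# IPACCESSLOGNP lists the source address first, so the first IPv4 literal is the source.
if {![regexp {(\d+\.\d+\.\d+\.\d+)} $msg -> addr]} {
    exit 0
}

# Load the whitelist into a Tcl list; blank lines and "#" comments are ignored.
if {[catch {open $whitelist_file r} fd]} {
    action_syslog priority err msg "cannot open $whitelist_file: $fd"
    exit 1
}
set allowed [list]
while {[gets $fd line] >= 0} {
    set line [string trim $line]
    if {$line ne "" && ![string match "#*" $line]} {
        lappend allowed $line
    }
}
close $fd

# Whitelisted source: nothing to do.
if {[lsearch -exact $allowed $addr] >= 0} {
    exit 0
}

# Open a CLI session to inspect and modify the ACL.
if {[catch {cli_open} result]} {
    action_syslog priority err msg "cli_open failed: $result"
    exit 1
}
array set cli $result
cli_exec $cli(fd) "enable"
set existing [cli_exec $cli(fd) "show ip access-lists $acl_name"]

# Already denied by an earlier run: avoid duplicate entries.
if {[string first "host $addr any" $existing] >= 0} {
    cli_close $cli(fd) $cli(tty_id)
    exit 0
}

# Entries added without a sequence number land after the logging permit and
# never match, so pick the next free sequence below $log_seq.
set next_seq 1
foreach line [split $existing "\n"] {
    if {[regexp {^\s*(\d+)\s+deny ip host} $line -> seq]
        && $seq < $log_seq && $seq >= $next_seq} {
        set next_seq [expr {$seq + 1}]
    }
}
if {$next_seq >= $log_seq} {
    action_syslog priority err msg "no free sequence below $log_seq in $acl_name for $addr"
    cli_close $cli(fd) $cli(tty_id)
    exit 1
}

cli_exec $cli(fd) "configure terminal"
cli_exec $cli(fd) "ip access-list extended $acl_name"
cli_exec $cli(fd) "$next_seq deny ip host $addr any"
cli_exec $cli(fd) "end"
cli_close $cli(fd) $cli(tty_id)

action_syslog priority info msg "blocked $addr at seq $next_seq in $acl_name"
```

The whitelist is re-read on every matching syslog message, which is the trade-off against keeping 5000 entries in the ACL itself; `maxrun` bounds how long one run may take. The sequence-number search matters because IOS appends unsequenced entries to the end of the ACL, where they sit behind the logging permit and never see traffic.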
02-15-2020 03:00 AM
Hello Blaaji,
It should be stored on router's flash.
02-15-2020 06:57 AM - edited 02-15-2020 07:03 AM
What is the purpose of doing this work? If you have a whitelist of IP addresses then add them to the ACL, and there is a "deny any" at the end of the ACL. Why do you need to specifically add deny entries if there is an implicit "deny any" at the end of the ACL?
02-15-2020 07:17 AM
Hello Daniel,
Because these are more than 5000 IPs and the router is a Cisco 800, so performance degrades when an ACL with all of these terms is added; hence I need to add a deny term when a non-whitelisted IP tries to connect.
02-15-2020 12:29 PM
In either case, if you keep adding ACL entries using a script, you end up with the same performance results here.
Still not able to get your requirement: as suggested, 5000 IPs from where?