Beginner

EEM Script to compare IP against list of IPs in a file

Hello, I am trying to make an EEM script to extract an IP address from an ACL log, then check this IP against a .txt file that has all whitelisted IPs, and if no match is found, an ACL term is added to block this IP.

I am able to make the script that extracts IP from ACL log but don't know how to make the comparison.

 


event manager applet prefix
event syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*"
action 1.0 cli command "enable"
action 2.0 cli command "show ip interface brief"
action 3.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_syslog_msg" ADDR
action 4.0 syslog msg "$ADDR"

 

Thanks in advance.

 

Ahmed

5 REPLIES 5
VIP Expert

You can do a combination of EEM and TCL for your requirement if the IP list is stored in flash (where is the IPs file stored?).

 



BB


*** Rate All Helpful Responses ***


Hello Blaaji,

 

It should be stored on router's flash.

Cisco Employee

What is the purpose of doing this work? If you have a whitelist of IP addresses then add them to the ACL, and there is a "deny any" at the end of the ACL. Why do you need to specifically add deny entries if there is an implicit "deny any" at the end of the ACL?


Hello Daniel,

 

Because these are more than 5000 IPs and the router is a Cisco 800, performance degrades when an ACL with all of these terms is added; hence I need to add a deny term when a non-whitelisted IP tries to connect.

 

 


In either case, if you keep adding ACLs using a script, you end up with the same performance results here.

 

Still not able to get your requirement as suggested. 5000 IPs from where?

 



BB


*** Rate All Helpful Responses ***
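
The EEM-plus-Tcl approach suggested in the replies, with the whitelist stored in flash, could look like the following EEM Tcl policy. This is an added example, not code from any poster in the thread; the whitelist path `flash:/whitelist.txt`, the ACL name `BLOCK-UNLISTED`, and the proc names are assumptions.

```tcl
::cisco::eem::event_register_syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*" maxrun 30
namespace import ::cisco::eem::*

# Assumed names (not from the thread): whitelist path and ACL name.
set WHITELIST "flash:/whitelist.txt"   ;# one IPv4 address per line
set BLOCK_ACL "BLOCK-UNLISTED"

# First dotted quad in $msg (same match as the applet's regexp),
# or "" unless every octet is in the range 0-255.
proc extract_ip {msg} {
    if {![regexp {([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)} $msg addr a b c d]} {
        return ""
    }
    foreach octet [list $a $b $c $d] {
        if {[string length $octet] > 3 || [scan $octet %d n] != 1 || $n > 255} { return "" }
    }
    return $addr
}

# 1 if $ip equals a whole (trimmed) line of the file, else 0.
proc is_whitelisted {ip path} {
    set fh [open $path r]
    set found 0
    while {[gets $fh line] >= 0} {
        if {[string compare [string trim $line] $ip] == 0} { set found 1; break }
    }
    close $fh
    return $found
}

proc handle_event {} {
    global WHITELIST BLOCK_ACL errorInfo
    array set ev [event_reqinfo]
    set ip [extract_ip $ev(msg)]
    if {$ip == ""} { return }
    # Fail safe: an unreadable whitelist must not cause a block.
    if {[catch {is_whitelisted $ip $WHITELIST} listed]} {
        action_syslog priority err msg "whitelist check failed, no change: $listed"
        return
    }
    if {$listed} { return }
    if {[catch {cli_open} result]} { error $result $errorInfo }
    array set cli $result
    foreach cmd [list "enable" "configure terminal" \
            "ip access-list extended $BLOCK_ACL" "deny ip host $ip any" "end"] {
        if {[catch {cli_exec $cli(fd) $cmd} result]} { error $result $errorInfo }
    }
    catch {cli_close $cli(fd) $cli(tty_id)}
    action_syslog priority notice msg "added deny for non-whitelisted host $ip"
}
handle_event
```

Each distinct non-whitelisted source adds one entry, so the ACL still grows over time, which is the performance concern raised in the replies.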
