Re: EEM Script to compare IP against list of IPs in a file

ahmedfakkar · ‎02-14-2020

Hello, i am trying to make an EEM script to extract IP address from ACL log then check this IP against a .txt file that has all whitelisted IPs and if no match is found an ACL term is added to block this IP.

I am able to make the script that extracts IP from ACL log but don't know how to make the comparison.

event manager applet prefix
event syslog pattern ".*%SEC-6-IPACCESSLOGNP:.*"
action 1.0 cli command "enable"
action 2.0 cli command "show ip interface brief"
action 3.0 regexp "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" "$_syslog_msg" ADDR
action 4.0 syslog msg "$ADDR"

Thanks in advance.

Ahmed

balaji.bandi · ‎02-14-2020

You can do a combination of EEM and TCL for your requirement if the IP list stored in flash ( where is the IPS file stored ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ahmedfakkar · ‎02-15-2020

Hello Blaaji,

It should be stored on router's flash.

Dan Frey · ‎02-15-2020

What is the purpose of doing this work? If you have a whitelist of IP addresses then add them to the ACL, and there is a "deny any" at the end of the ACL. Why do you need to specifically add deny entries if there is an implicit "deny any"at the end of the ACL?

ahmedfakkar · ‎02-15-2020

Hello Daniel,

Because these are more than 5000 IPs and router is Cisco 800 so performance degrades when added an ACL with all of these terms, hence i need to add a deny term when non-whitelist IP tries to connect.

balaji.bandi · ‎02-15-2020

Either case if you keep adding ACL using script, you end with the same performance results here.

Still not able to get your requirement as suggested 5000 IP's from where ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help