05-04-2014 10:42 AM
Hello Cisco!
I've been playing around with EEMs on and off for a few months now, and I'm enjoying it quite a bit! A recent issue at work got me thinking, and I thought I'd try and solve the problem with a new EEM. It's really quite simple, but I'm having trouble getting it to work as intended.
Device Specs:
On a CISCO881-SEC-K9 running:
Embedded Event Manager Version 4.00
Component Versions:
eem: (rel6)1.0.0
eem-gold: (rel1)1.0.2
eem-call-home: (rel2)1.0.4
Problem:
I'd like to create an EEM that checks the IP of a website a few times a day, and cross references the results with the IPs listed in an object group. If the new IP isn't listed, it will add it to the object group. If it is detected, it won't do anything. (I have this e-mailing either way right now, to assist me with debugging)
Reasoning:
I'd like to see if this is something I can do with an EEM. It would be nice to have something dynamically configured to make updates like this. At the end of the day, it mimics a feature on some firewalls. I'd like for this to get around the limitations of a static ACL entry. I haven't looked into TCL scripting, as it would be a new language that I'd have to learn. The beauty of EEM is that it builds off of what a technician already knows. If you understand IOS, EEM is relatively easy to pick up and run with.
Side Note: If you see something in my script that could be consolidated, or just doesn't make much sense, please let me know. There is a really good chance that I don't know of the alternative method. This is especially true in terms of my regular expression knowledge. That's an ongoing battle :)
Thanks in advance everyone.
Your assistance and constructive criticism is more than welcome and is greatly appreciated.
Here is what I have right now:
event manager applet update_my_object_group
event timer cron cron-entry "* * * * *" maxrun 9999999
action 1.0 cli command "enable"
action 1.1 cli command "ping www.google.com"
action 1.2 wait 5
action 1.3 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
action 1.4 cli command "show object-group self_building"
action 1.5 regexp "([0-9.]+)" "$_cli_result" match current_ips
action 2.0 if $new_ip ne "$current_ips"
action 3.0 cli command "conf t"
action 3.1 cli command "object-group network self_building"
action 3.3 cli command "host $new_ip"
action 3.4 cli command "end"
action 3.5 cli command "show object-group self_building"
action 3.6 regexp "([0-9.]+)" "$_cli_result" match new_current_ips
action 4.1 mail server "$_email_server" to "$gmail" from "$_email_from" subject "EEM: Successfully Updated Object Group" body "Added new IP: $new_ip\n to Object Group: self_building\n $current_ips"
action 5.0 else
action 5.1 mail server "$_email_server" to "$gmail" from "$_email_from" subject "EEM: Object Group Failure" body "I couldn't update the object group: self_building. Debug:\n New IP: $new_ip\nCurrent: $current_ips\nWhat it is now: $new_current_ips"
action 5.2 end
Here is an example I built up for a single ACL. Same concept, just a single line gets updated. I was using this as a reference for my object group script.
event manager applet update_my_acl
event timer cron cron-entry "0 * * * *" maxrun 9999999
action 1.0 cli command "enable"
action 1.1 cli command "ping www.msn.com"
action 1.2 wait 5
action 1.3 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
action 1.4 cli command "show access-lists | sec test_acl"
action 1.5 regexp "10 permit tcp any host ([0-9.]+) eq www" "$_cli_result" match current_ip
action 2.0 if $new_ip ne "$current_ip"
action 3.0 cli command "conf t"
action 3.1 cli command "ip access-list extended test_acl"
action 3.2 cli command "no 10"
action 3.3 cli command "10 permit tcp any host www.msn.com eq www"
action 3.4 cli command "end"
action 4.0 cli command "show access-lists | sec test_acl"
action 4.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "EEM: Successfully Updated ACL" body "New IP: $new_ip\nOld IP: $current_ip"
action 5.0 else
action 5.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "EEM: ACL NOT updated" body "New IP: $new_ip\nOld IP: $current_ip"
action 5.2 end
05-05-2014 11:17 AM
The logic looks okay to me. I would use a more reasonable maxrun just in case, though.
Are you having a specific problem with the applet? If so, what isn't working?
05-05-2014 06:50 PM
Thanks for the review!
Well, it's technically "working", but not in the way that it's designed. It checks the object group, but it only finds the first IP listed. I'll provide you with the object group it's generated so far, and what I'm receiving in my e-mails.
(I don't think my regular expressions are working correctly.)
The Object Group:
object-group network self_building
host 10.9.8.20
host 74.125.225.114
host 173.194.46.115
host 74.125.225.148
host 173.194.46.116
host 173.194.46.112
host 74.125.225.81
host 74.125.225.83
host 173.194.46.84
host 74.125.225.17
host 74.125.225.20
host 173.194.46.80
host 74.125.225.19
host 173.194.46.83
host 173.194.46.114
host 74.125.225.116
host 74.125.225.51
host 74.125.225.52
host 173.194.46.113
host 74.125.225.145
host 74.125.225.144
host 74.125.225.49
host 74.125.225.82
host 74.125.225.146
host 74.125.225.84
host 74.125.225.112
host 173.194.46.82
host 173.194.46.81
host 74.125.225.18
Here are the successful e-mails sent to me. As you'll see, I've had the EEM include the $current_ips in the e-mail. This should be all of the IPs in the group, but it's just the first one listed (found). So, because it doesn't match, it adds the newly found IP to the group.
But, as you can see in my emails, that IP has been found before and added already. The desired behavior is for it to see that the entry already exists, and not apply it.
Edit: Thought this would help:
Step 1: Ping www.google.com.
Step 2: Use regular expression to capture the IP found.
Step 3: Run a show command, and find all of the IPs currently listed inside the object group: self_building
Step 4: Cross reference the newly found IP, with the IPs found in the object group.
Step 5: If it's already there, then discard it and end the EEM.
Step 5 (a) If it's not there, then add it to the object group, and then end the EEM.
Thanks again!
05-06-2014 10:37 AM
You need to iterate over the object-group output on a line-by-line basis looking for a match. For example:
action 2.0 foreach line "$_cli_result" "\n"
action 2.1 regexp "([\.0-9]+)" "$line" match current_ip
action 2.2 if $_regexp_result eq 1
action 2.3 if $current_ip eq $new_ip
action 2.4 exit 0
action 2.5 end
action 2.6 end
action 2.7 end
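Putting the line-by-line loop together with the five steps from the original post, here is a complete applet as an added example (not code from the thread). It assumes the hostname and object group names used above, checks that the ping regexp actually captured an address before touching the configuration, and logs to syslog instead of mailing, which the reader can swap back for the mail actions.

```ios
event manager applet update_my_object_group
 ! a few times a day, with a maxrun the applet can actually finish in
 event timer cron cron-entry "0 0,6,12,18 * * *" maxrun 60
 action 1.0 cli command "enable"
 action 1.1 cli command "ping www.google.com"
 ! capture the address from "Sending 5, 100-byte ICMP Echos to a.b.c.d, timeout ..."
 action 1.2 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
 ! if name resolution failed, new_ip is unset; stop rather than configure garbage
 action 1.3 if $_regexp_result ne 1
 action 1.4  syslog msg "update_my_object_group: could not resolve www.google.com, nothing changed"
 action 1.5  exit 0
 action 1.6 end
 ! walk the object group one line at a time; a single regexp only sees the first host
 action 2.0 cli command "show object-group self_building"
 action 2.1 foreach line "$_cli_result" "\n"
 action 2.2  regexp "host ([0-9.]+)" "$line" match current_ip
 action 2.3  if $_regexp_result eq 1
 action 2.4   if $current_ip eq $new_ip
 action 2.5    syslog msg "update_my_object_group: $new_ip already in self_building"
 action 2.6    exit 0
 action 2.7   end
 action 2.8  end
 action 2.9 end
 ! not found in any line: add it
 action 3.0 cli command "configure terminal"
 action 3.1 cli command "object-group network self_building"
 action 3.2 cli command "host $new_ip"
 action 3.3 cli command "end"
 action 3.4 syslog msg "update_my_object_group: added host $new_ip to self_building"
```

The `!` lines are explanatory only; IOS discards them when the applet is entered, and the labels stay below 2.9 because EEM orders actions by label string, so 2.10 would run before 2.2. Note that the group only ever grows and that whatever the resolver returns becomes a permitted host, so the applet is only as trustworthy as the DNS answers the router receives.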