cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
894
Views
0
Helpful
4
Replies

ACL triggered event?

carrollha
Level 1
Level 1

Hi all,

I'm trying to enforce a triggered EEM applet with an ACL rule. Is this even possible? I've been searching for weeks, but the closest thing I can find is using an SNMP evenst, which isn't what I'm looking for. I've looked at the list of event triggers (and I've used resource events before), but I can't find anything that works.

Would an "Application Specific Event Detector" work for this?

Thanks for any ideas!

-Heath

P.S. I'm specifically trying to switch packet capture on/off (with a script or EEM applet) on some 2900 series routers. I have 2960s and 2911s if it helps clarity.

4 Replies 4

cadet alain
VIP Alumni
VIP Alumni

Hi,

to automate packet-capture: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps10777/ppt_EASy_Packet_Capture_c78-577851.pdf

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Thanks for the response, but I think I should have been more clear. I can already turn packet-capture on and off with my applet. The problem I'm having is triggering the applet itself, when it sees a specific IP address (or something similar).

I'm leaning towards SNMP traps at this point, but I'm still having problems with them actually being detected by the router. Normal SNMP traps are working, but my custom ones seem to be ignored.

What I initially _wanted_ was to have a router detect a ping from a specific IP address (maybe with a specific qos flag for added functionality). I was hoping I could trigger an applet with a ACL rule that dropped the ping, but there isn't an event for that.I then wanted the applet to tell _a different router_ to start packet-capture.

Why, you ask? Research. Because 'crazy ideas' and research apparently go hand-in-hand...

Hello Heath,

You will get probably better help in EEM section. But I will try...

ip access-list extended EEM_ACL

  permit tcp host 10.0.0.2 host 10.0.0.1 eq 22 log EEM_SCRIPT_TRIGGER

event manager applet YOUR_SCRIPT

event syslog pattern "(tag = EEM_SCRIPT_TRIGGER)"

event.....your EEM script -> packet capture

%SEC-6-IPACCESSLOGP: list EEM_ACL denied tcp 10.0.0.2(54843) -> 
10.0.0.1(22), 1 packet  [EEM_SCRIPT_TRIGGER]

When packet will be matched against EEM_ACL, log will be generated. EEM script will be executed when log with string EEM_SCRIPT_TRIGGER will be generated.

http://packetlife.net/blog/2009/jun/1/access-list-syslog-correlation/

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Hey! That looks useful... I'll try to look at it when I can. I solved it myself by using an SNMP event. It works basically the same way as your solution except the message field on the SNMP packet is what I parse to look for the trigger message. If/when I can get to it I will give you credit.

Thanks,

-Heath

Review Cisco Networking for a $25 gift card