04-05-2013 12:35 PM - edited 03-07-2019 12:40 PM
Hi all,
I'm trying to enforce a triggered EEM applet with an ACL rule. Is this even possible? I've been searching for weeks, but the closest thing I can find is using an SNMP event, which isn't what I'm looking for. I've looked at the list of event triggers (and I've used resource events before), but I can't find anything that works.
Would an "Application Specific Event Detector" work for this?
Thanks for any ideas!
-Heath
P.S. I'm specifically trying to switch packet capture on/off (with a script or EEM applet) on some 2900 series routers. I have 2960s and 2911s if it helps clarity.
04-06-2013 06:56 AM
Hi,
To automate packet capture: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps10777/ppt_EASy_Packet_Capture_c78-577851.pdf
Regards
Alain
Don't forget to rate helpful posts.
04-12-2013 09:51 AM
Thanks for the response, but I think I should have been more clear. I can already turn packet-capture on and off with my applet. The problem I'm having is triggering the applet itself, when it sees a specific IP address (or something similar).
I'm leaning towards SNMP traps at this point, but I'm still having problems with them actually being detected by the router. Normal SNMP traps are working, but my custom ones seem to be ignored.
What I initially _wanted_ was to have a router detect a ping from a specific IP address (maybe with a specific QoS flag for added functionality). I was hoping I could trigger an applet with an ACL rule that dropped the ping, but there isn't an event for that. I then wanted the applet to tell _a different router_ to start packet-capture.
Why, you ask? Research. Because 'crazy ideas' and research apparently go hand-in-hand...
04-12-2013 11:31 AM
Hello Heath,
You will probably get better help in the EEM section. But I will try...
ip access-list extended EEM_ACL
 permit tcp host 10.0.0.2 host 10.0.0.1 eq 22 log EEM_SCRIPT_TRIGGER
!
event manager applet YOUR_SCRIPT
 ! The ACL log tag appears in brackets at the end of the syslog message
 event syslog pattern "EEM_SCRIPT_TRIGGER"
 event.....your EEM script -> packet capture
%SEC-6-IPACCESSLOGP: list EEM_ACL denied tcp 10.0.0.2(54843) -> 10.0.0.1(22), 1 packet [EEM_SCRIPT_TRIGGER]
When a packet is matched against EEM_ACL, a log message will be generated. The EEM script will be executed when a log message containing the string EEM_SCRIPT_TRIGGER is generated.
http://packetlife.net/blog/2009/jun/1/access-list-syslog-correlation/
Best Regards
Please rate all helpful posts and close solved questions
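An added example (not from the thread or from Cisco): Python that parses tagged ACL log lines in the layout shown in the post above and compares how a bare tag pattern and a pattern tied to the ACL log mnemonic behave, including an ICMP line for the ping case. The sample lines are constructed, the names `parse_acl_log`, `fires`, `should_trigger` and `summarize` are assumptions, and Python's `re` only approximates the router's pattern matching.

```python
import re

# Constructed sample syslog lines (addresses and tag are illustrative).
SAMPLE_LOGS = [
    "%SEC-6-IPACCESSLOGP: list EEM_ACL denied tcp 10.0.0.2(54843) -> 10.0.0.1(22), 1 packet [EEM_SCRIPT_TRIGGER]",
    "%SEC-6-IPACCESSLOGDP: list EEM_ACL denied icmp 10.0.0.2 -> 10.0.0.1 (8/0), 1 packet [EEM_SCRIPT_TRIGGER]",
    "%SEC-6-IPACCESSLOGP: list EEM_ACL denied tcp 10.0.0.9(40000) -> 10.0.0.1(22), 3 packets",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:permit tcp any any log EEM_SCRIPT_TRIGGER",
]

# Field layout of the ACL log message; dport holds the port or the ICMP type/code.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGD?P: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)\s?(?:\((?P<dport>[\d/]+)\))?, (?P<count>\d+) packets?"
    r"(?: \[(?P<tag>[^\]]+)\])?"
)

# A bare tag matches any message containing the word; the anchored form needs an ACL hit.
BARE_PATTERN = r"EEM_SCRIPT_TRIGGER"
ANCHORED_PATTERN = r"%SEC-6-IPACCESSLOGD?P: .*\[EEM_SCRIPT_TRIGGER\]"

def parse_acl_log(line):
    """Return the fields of an ACL log line as a dict, or None if it is not one."""
    m = ACL_LOG.search(line)
    return m.groupdict() if m else None

def fires(pattern, line):
    """Approximate a syslog pattern match with an unanchored regex search."""
    return re.search(pattern, line) is not None

def should_trigger(line, tag, allowed_sources):
    """True only for an ACL hit carrying the expected tag from an expected source."""
    fields = parse_acl_log(line)
    return bool(fields) and fields["tag"] == tag and fields["src"] in allowed_sources

def summarize(logs):
    """Per line: (bare pattern fires, anchored pattern fires, parsed check passes)."""
    return [(fires(BARE_PATTERN, l), fires(ANCHORED_PATTERN, l),
             should_trigger(l, "EEM_SCRIPT_TRIGGER", {"10.0.0.2"})) for l in logs]

if __name__ == "__main__":
    for line, row in zip(SAMPLE_LOGS, summarize(SAMPLE_LOGS)):
        print(row, line[:60])
```

The last sample line shows the difference: a configuration-logging message that merely mentions the tag satisfies the bare pattern but not the anchored one.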
06-28-2013 09:45 AM
Hey! That looks useful... I'll try to look at it when I can. I solved it myself by using an SNMP event. It works basically the same way as your solution except the message field on the SNMP packet is what I parse to look for the trigger message. If/when I can get to it I will give you credit.
Thanks,
-Heath