Use the variable for the IP address of IOS router

Unanswered Question
May 26th, 2009

Hi gurus!

I would appreciate it if anyone could give me advice on configuring a variable for the IP address of a particular router interface. All this is about the router being a DHCP client which receives a new IP address every now and then, and using something like "$ETH0/0_IPADDR" instead of "ANY" in the access-list. As you know, there's a way to use a variable with the banner or hostname. Is there any way to do this with the IP address?

yjdabear Tue, 05/26/2009 - 16:44

Assuming you don't want to settle for a limited "variable" through an ACL wildcard mask based on knowing the IP addr range assigned by DHCP, I think the EEM applet or script discussed in the following thread can conceivably be adapted to dynamically reconfigure the ACL accordingly:

I'm not sure what can serve as the trigger for EEM though, unless there's an SNMP or syslog message generated when the int ip addr changes.

Joe Clarke Tue, 05/26/2009 - 19:16

I actually did an EEM policy for this exact problem. What version of IOS are you using?

zheka_pefti Tue, 05/26/2009 - 22:11

About 80 routers run IOS 12.4(22T) and EEM is something new for me. Thanks a lot for referring to it. I will have to spend some time to get to know it.

Joe Clarke Tue, 05/26/2009 - 22:39

Given that you have EEM 3.0, you could use the following programmatic applet:

    event manager applet update-acl
     event tag none none
     event tag syslog syslog pattern "LINEPROTO-5-UPDOWN:.*Interface FastEthernet0/0.*changed state to up"
     event tag timer timer watchdog time 86400
     trigger occurs 1 delay 3
      correlate event syslog or event none or event timer
     action 010 cli command "enable"
     action 020 cli command "show ip int brief | include FastEthernet0/0"
     action 030 regexp "^FastEthernet0/0\s+([0-9\.]+)" "$_cli_result" ignore ipaddr
     action 040 cli command "config t"
     action 050 cli command "no access-list 113"
     action 060 cli command "access-list 113 permit ip any host $ipaddr"
     action 070 cli command "end"
     action 080 syslog msg "New IP address is $ipaddr"

Here, you'll want to replace FastEthernet0/0 with your interface name. This policy will run every 24 hours, every time the device reloads, or every time you run the command "event manager run update-acl". You can, of course, adjust any of the tags and trigger correlation.