I've been playing around with EEMs on and off for a few months now, and I'm enjoying it quite a bit! A recent issue at work got me thinking, and I thought I'd try and solve the problem with a new EEM. It's really quite simple, but I'm having trouble getting it to work as intended.
I'd like to create an EEM that checks the IP of a website a few times a day, and cross-references the results with the IPs listed in an object group. If the new IP isn't listed, it will add it to the object group. If it is detected, it won't do anything. (I have this e-mailing either way right now, to assist me with debugging.)
I'd like to see if this is something I can do with an EEM. It would be nice to have something dynamically configured to make updates like this. At the end of the day, it mimics a feature on some firewalls. I'd like for this to get around the limitations of a static ACL entry. I haven't looked into TCL scripting, as it would be a new language that I'd have to learn. The beauty of EEM is that it builds off of what a technician already knows. If you understand IOS, EEM is relatively easy to pick up and run with.
Side Note: If you see something in my script that could be consolidated, or just doesn't make much sense, please let me know. There is a really good chance that I don't know of the alternative method. This is especially true in terms of my regular expression knowledge. That's an ongoing battle :)
Thanks in advance everyone.
Your assistance and constructive criticism is more than welcome and is greatly appreciated.
Here is what I have right now:
event manager applet update_my_object_group
 event timer cron cron-entry "* * * * *" maxrun 9999999
 action 1.0 cli command "enable"
 action 1.1 cli command "ping www.google.com"
 action 1.2 wait 5
 action 1.3 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
 action 1.4 cli command "show object-group self_building"
 action 1.5 regexp "([0-9.]+)" "$_cli_result" match current_ips
 action 2.0 if $new_ip ne "$current_ips"
 action 3.0 cli command "conf t"
 action 3.1 cli command "object-group network self_building"
 action 3.3 cli command "host $new_ip"
 action 3.4 cli command "end"
 action 3.5 cli command "show object-group self_building"
 action 3.6 regexp "([0-9.]+)" "$_cli_result" match new_current_ips
 action 4.1 mail server "$_email_server" to "$gmail" from "$_email_from" subject "EEM: Successfully Updated Object Group" body "Added new IP: $new_ip\n to Object Group: self_building\n $current_ips"
 action 5.0 else
 action 5.1 mail server "$_email_server" to "$gmail" from "$_email_from" subject "EEM: Object Group Failure" body "I couldn't update the object group: self_building. Debug:\n New IP: $new_ip\nCurrent: $current_ips\nWhat it is now: $new_current_ips"
 action 5.2 end
Here is an example I built up for a single ACL. Same concept, just a single line gets updated. I was using this as a reference for my object group script.
event manager applet update_my_acl
 event timer cron cron-entry "0 * * * *" maxrun 9999999
 action 1.0 cli command "enable"
 action 1.1 cli command "ping www.msn.com"
 action 1.2 wait 5
 action 1.3 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
 action 1.4 cli command "show access-lists | sec test_acl"
 action 1.5 regexp "10 permit tcp any host ([0-9.]+) eq www" "$_cli_result" match current_ip
 action 2.0 if $new_ip ne "$current_ip"
 action 3.0 cli command "conf t"
 action 3.1 cli command "ip access-list extended test_acl"
 action 3.2 cli command "no 10"
 action 3.3 cli command "10 permit tcp any host www.msn.com eq www"
 action 3.4 cli command "end"
 action 4.0 cli command "show access-lists | sec test_acl"
 action 4.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "EEM: Successfully Updated ACL" body "New IP: $new_ip\nOld IP: $current_ip"
 action 5.0 else
 action 5.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "EEM: ACL NOT updated" body "New IP: $new_ip\nOld IP: $current_ip"
 action 5.2 end
Well, it's technically "working", but not in the way that it's designed. It checks the object group, but it only finds the first IP listed. I'll provide you with the object group it's generated so far, and what I'm receiving in my e-mails.
(I don't think my regular expressions are working correctly.)
Here are the successful e-mails sent to me. As you'll see, I've had the EEM include the $current_ips in the e-mail. This should be all of the IPs in the group, but it's just the first one listed (found). So, because it doesn't match, it adds the newly found IP to the group.
But, as you can see in my emails, that IP has been found before and added already. The desired behavior is for it to see that the entry already exists, and not apply it.
Edit: Thought this would help:
Step 1: Ping www.google.com.
Step 2: Use regular expression to capture the IP found.
Step 3: Run a show command, and find all of the IPs currently listed inside the object group: self_building
Step 4: Cross reference the newly found IP, with the IPs found in the object group.
Step 5: If it's already there, then discard it and end the EEM.
Step 5 (a): If it's not there, then add it to the object group, and then end the EEM.
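The check that Steps 3 through 5 describe, written out as an added example rather than the applet from the post above: the "show object-group" output is walked line by line with foreach and every host entry is compared against $new_ip as a whole string, so the result is no longer just the first address the single regexp happened to find. It also refuses to push anything when the ping returned no address, since an empty $new_ip would otherwise be configured. It assumes an IOS release whose EEM supports the foreach, set and exit actions, and reuses the $gmail and $_email_* variables from the original.

```cisco
! Added example, not the questioner's applet: per-line membership check
! before touching the object group.
event manager applet update_my_object_group
 event timer cron cron-entry "0 */6 * * *" maxrun 120
 action 1.0 cli command "enable"
 action 1.1 cli command "ping www.google.com"
 ! Bail out if the ping gave no address, so an empty host line is never configured
 action 1.2 regexp "to ([0-9.]+)," "$_cli_result" match new_ip
 action 1.3 if $_regexp_result ne "1"
 action 1.4  syslog msg "update_my_object_group: ping returned no IP, object group unchanged"
 action 1.5  exit
 action 1.6 end
 action 2.0 cli command "show object-group self_building"
 ! Walk every output line; the earlier single regexp only ever saw the first host
 action 2.1 set found "0"
 action 2.2 foreach line "$_cli_result" "\n"
 action 2.3  regexp "host ([0-9.]+)" "$line" match ip
 action 2.4  if $_regexp_result eq "1"
 ! Exact string compare, so 1.2.3.4 does not match 1.2.3.45
 action 2.5   if $ip eq $new_ip
 action 2.6    set found "1"
 action 2.7   end
 action 2.8  end
 action 2.9 end
 action 3.0 if $found eq "1"
 action 3.1  syslog msg "update_my_object_group: $new_ip already in self_building, nothing added"
 action 3.2 else
 action 3.3  cli command "conf t"
 action 3.4  cli command "object-group network self_building"
 action 3.5  cli command "host $new_ip"
 action 3.6  cli command "end"
 action 3.7  mail server "$_email_server" to "$gmail" from "$_email_from" subject "EEM: Successfully Updated Object Group" body "Added new IP: $new_ip to Object Group: self_building"
 action 3.8 end
```

Because the object group now grows from whatever address the DNS resolver hands back, the syslog lines give you a record of each change to correlate against resolver logs if an unexpected host ever shows up in the group.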