Cisco IOS Embedded Event Manager (EEM)

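Recently people have been discussing a new topic that has appeared in the Cisco SP CCIE Lab: the so-called EEM. It is rather different from the RMON and SNMP traps we are all familiar with, so I am listing the relevant material here. There is actually not much of it, and most is on Cisco's official website.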

Cisco IOS Embedded Event Manager (EEM)
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

Cisco IOS Embedded Event Manager (EEM) is a powerful ally for device and system management. EEM enables customers to harness the network intelligence intrinsic to Cisco IOS and customize the behavior based on real network events as they happen.

EEM consists of Event Detectors, the Event Manager, and an Event Manager Policy Engine. The policy engine drives two types of policies that users can configure, Applet policies and Tcl policies. Customers can define policies to take specific actions when the Cisco IOS software recognizes certain events through the Event Detectors. The result is an extremely powerful and flexible set of tools to automate many network management tasks and direct the operation of Cisco IOS to increase availability, collect information, and notify external systems or personnel about critical events.

EEM represents a fundamental shift in network management and makes the router or switch running Cisco IOS an active participant rather than a passive slave to external network management systems. With EEM, events are seen from the device perspective and the actions happen without the need for external connectivity. And control remains in the customer's hands. You program the actions you want to take.





Case Studies

The following case studies can help you understand how and where to use EEM efficiently.

Example 1: Command Execution with Logged Event

This example illustrates the use of EEM to execute show commands when a particular event occurs and collect the output and save it in some location that you can use for troubleshooting later. Figure 2 shows the topology.

Figure 2. Topology Diagram

Challenge

This example shows how to collect CPU usage and interface output when the Open Shortest Path First (OSPF) neighbor is down in router B.

Solution

EEM is configured to watch for an OSPF-neighbor-down syslog message; when one occurs, it executes the following commands and saves their output in flash memory:

• show processes cpu

• show interfaces

The configuration follows:
RouterB#sh run
Building configuration...
Current configuration : 1137 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
ip cef
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface GigabitEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.1.0 0.0.0.255 area 0
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
!
webvpn cef
!
event manager applet OSPF
event syslog pattern "Neighbor Down: Dead timer expired"
action 1.0 cli command "enable"
action 1.1 cli command "sh proc cpu | append flash:cpu_info"
action 1.2 cli command "show interface | append flash:interface_info"
action 1.6 syslog msg "OSPF NEIGHBOR DOWN"
!
end
RouterB#
The event logs for this example follow:
RouterB#
RouterB#sh flas
-#- --length-- -----date/time------ path
1 1902 Nov 12 2007 07:54:16 +00:00 test.tcl
3 50938004 Sep 10 2007 11:25:20 +00:00 c2800nm-advipservicesk9-mz.124-15.T1.bin
12931072 bytes available (50946048 bytes used)
RouterB#
RouterB#
RouterB#
RouterB#sh ip ospf nei
Neighbor ID Pri State Dead Time Address Interface
192.168.1.2 1 FULL/BDR 00:00:31 192.168.1.2 GigabitEthernet0/0
RouterB#sh flas
-#- --length-- -----date/time------ path
1 1902 Nov 12 2007 07:54:16 +00:00 test.tcl
3 50938004 Sep 10 2007 11:25:20 +00:00 c2800nm-advipservicesk9-mz.124-15.T1.bin
12931072 bytes available (50946048 bytes used)
RouterB#
*Nov 13 07:11:26.019: %OSPF-5-ADJCHG: Process 1, Nbr 192.168.1.2 on GigabitEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
*Nov 13 07:11:26.563: %HA_EM-6-LOG: OSPF: OSPF NEIGHBOR DOWN
RouterB#
RouterB#sh flas
-#- --length-- -----date/time------ path
1 1902 Nov 12 2007 07:54:16 +00:00 test.tcl
3 50938004 Sep 10 2007 11:25:20 +00:00 c2800nm-advipservicesk9-mz.124-15.T1.bin
4 22016 Nov 13 2007 07:11:26 +00:00 cpu_info
5 3532 Nov 13 2007 07:11:26 +00:00 interface_info
12902400 bytes available (50974720 bytes used)
RouterB#

Example 2: Secondary MLPPP Interface Enabled when Traffic Exceeds Threshold

The Cisco integrated services router as a customer edge router plays a significant part in WAN bandwidth management. This example can help you understand the use of EEM to enable the secondary interface into Multilink Point-to-Point Protocol (MLPPP) and increase the bandwidth when the traffic exceeds the threshold. Figure 3 shows the topology.

Figure 3. Topology Diagram

Challenge

The challenge is to bring line 2 into the MLPPP bundle only when the traffic flow exceeds the configured threshold. When the traffic falls below the threshold, line 2 is unconfigured from the MLPPP bundle.

Solution

EEM is configured to check the tx_load parameter every 30 seconds, and if the parameter exceeds the configured threshold, the line 2 serial interface is configured into the MLPPP bundle. If the tx_load parameter falls below the threshold, the second line is unconfigured.
The configuration follows:
ISR#sh run
Building configuration...
Current configuration : 1962 bytes
!
version 12.4
hostname ISR
card type t1 0 0
!
no aaa new-model
no network-clock-participate wic 0
!
ip cef
!
voice-card 0
no dspfarm
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
!
controller T1 0/0/1
framing esf
linecode b8zs
channel-group 1 timeslots 1-24
!
interface Multilink1
ip address 10.1.1.2 255.255.255.0
ppp multilink
ppp multilink group 1
!
interface GigabitEthernet0/0
ip address 16.16.16.1 255.255.255.0
duplex full
speed 100
interface Serial0/0/0:1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:1
no ip address
encapsulation ppp
shutdown
ppp multilink
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
line aux 0
line vty 0 4
login
! Frequency, in seconds, at which tx_load is checked
event manager environment errim_period 30
! Target interface
event manager environment errim_int multilink1
! Second serial interface
event manager environment sec_interface Se0/0/1:1
! Location of the policy Tcl file
event manager directory user policy flash:/
! Registers the policy
event manager policy TX_LOAD.tcl type user
!
end
ISR#
The event logs follow:
ISR#sh interface multilink 1 | inc tx
reliability 255/255, txload 1/255, rxload 1/255
ISR#
ISR#sh ppp multilink | inc Se0/0/1:1
ISR#sh run int Se0/0/1:1
Building configuration...
Current configuration : 90 bytes
!
interface Serial0/0/1:1
no ip address
encapsulation ppp
shutdown
ppp multilink
end
ISR#
*Nov 15 04:35:30.386: %HA_EM-5-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: TX Load exceeds the threshold
*Nov 15 04:35:31.986: %HA_EM-6-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: SECOND SERIAL INTERFACE IS CONFIGURED
*Nov 15 04:35:32.030: %SYS-5-CONFIG_I: Configured from console by vty0
*Nov 15 04:35:33.210: %LINK-3-UPDOWN: Interface Serial0/0/1:1, changed state to up
*Nov 15 04:35:34.214: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1:1, changed state to up
ISR#sh interface multilink 1 | inc tx
reliability 247/255, txload 14/255, rxload 14/255
ISR#sh ppp multilink | inc Se0/0/1:1
Se0/0/1:1, since 00:00:29
ISR#sh run int se0/0/1:1
Building configuration...
Current configuration : 103 bytes
!
interface Serial0/0/1:1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
end
ISR#
ISR#
ISR#sh interface multilink 1 | inc tx
reliability 232/255, txload 7/255, rxload 7/255
ISR#
*Nov 15 04:38:30.414: %HA_EM-5-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: TX Load below the threshold. So Unconfiguring the secondary interface
*Nov 15 04:38:32.014: %HA_EM-6-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: SECOND SERIAL INTERFACE IS UNCONFIGURED
*Nov 15 04:38:32.058: %SYS-5-CONFIG_I: Configured from console by vty0
*Nov 15 04:38:32.614: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1:1, changed state to down
*Nov 15 04:38:33.618: %LINK-5-CHANGED: Interface Serial0/0/1:1, changed state to administratively down
ISR#sh ppp multilink | inc Se0/0/1:1
ISR#sh run int s0/0/1:1
Building configuration...
Current configuration : 90 bytes
!
interface Serial0/0/1:1
no ip address
encapsulation ppp
shutdown
ppp multilink
end
ISR#

Note: Whenever you change the TCL policy script, you need to re-register it by unconfiguring and configuring the event manager policy type user command.
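
In the event logs above, the configuration change made by TX_LOAD.tcl is recorded as "Configured from console by vty0", with nothing in that message naming the policy. The following is an added example (Python, not part of the original post or of Cisco's material) that attributes each %SYS-5-CONFIG_I message to an EEM policy when a %HA_EM message closely precedes it and leaves the others unattributed for review. The function name, the 5-second window and the year are assumptions.

```python
import re
from datetime import datetime, timedelta

# The first five lines are copied from the Example 2 logs on this page.
# The last line is constructed: a vty0 change with no EEM message near it.
SAMPLE_LOG = """\
*Nov 15 04:35:30.386: %HA_EM-5-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: TX Load exceeds the threshold
*Nov 15 04:35:31.986: %HA_EM-6-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: SECOND SERIAL INTERFACE IS CONFIGURED
*Nov 15 04:35:32.030: %SYS-5-CONFIG_I: Configured from console by vty0
*Nov 15 04:38:32.014: %HA_EM-6-LOG: system:/lib/tcl/eem_scripts_registered/TX_LOAD.tcl: SECOND SERIAL INTERFACE IS UNCONFIGURED
*Nov 15 04:38:32.058: %SYS-5-CONFIG_I: Configured from console by vty0
*Nov 15 09:00:00.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: message"
LINE_RE = re.compile(r"^\*?(\w{3}\s+\d+ [\d:.]+): %(\w+)-\d-(\w+): (.*)$")


def attribute_config_changes(log_text, window_s=5.0, year=2007):
    """Return [(timestamp, policy_or_None)] for every %SYS-5-CONFIG_I line.

    policy is the name from the most recent %HA_EM message if that message
    was logged at most window_s seconds earlier, otherwise None.
    The log timestamps carry no year, so `year` is an assumption.
    """
    last_eem = None  # (time, policy name) of the latest %HA_EM message
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts_raw, facility, mnemonic, msg = m.groups()
        ts = datetime.strptime(f"{year} {ts_raw}", "%Y %b %d %H:%M:%S.%f")
        if facility == "HA_EM":
            # The text before the first ": " is the applet or policy name.
            last_eem = (ts, msg.split(": ", 1)[0])
        elif (facility, mnemonic) == ("SYS", "CONFIG_I"):
            policy = None
            if last_eem is not None:
                gap = ts - last_eem[0]
                if timedelta(0) <= gap <= timedelta(seconds=window_s):
                    policy = last_eem[1]
            results.append((ts_raw, policy))
    return results
```

The match is a time-based heuristic: a manual change made within the window of a policy run would also be attributed to the policy, so keep the window short.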

Example 3: Clearing NAT Translation Table when Outgoing Interface Switches from Primary to Secondary, or Conversely

This example can help you understand how you can use EEM to clear the Network Address Translation (NAT) table when the primary link fails and the secondary link comes up, or conversely. Figure 4 shows the topology.

Figure 4. Topology Diagram

Challenge

In the topology of Figure 4, NAT is configured to translate inside private IP addresses to public addresses for traffic destined to the Internet. DSL connectivity is the primary interface; if it goes down, the cellular interface comes up. When a failover occurs from the primary to the secondary interface, the NAT table still has entries for an outgoing interface that is no longer in the routing table, resulting in packet loss.

Solution

EEM is configured to clear the NAT translation table when failover occurs.
Following is the configuration:
ip dhcp excluded-address 10.4.0.254
!
ip dhcp pool cdmapool
network 10.4.0.0 255.255.0.0
dns-server 66.209.10.201 66.102.163.231
default-router 10.4.0.254
chat-script cdma "" "atdt#777" TIMEOUT 30 "CONNECT"
track 234 rtr 1 reachability
crypto isakmp policy 1
encr 3des
authentication pre-share
crypto isakmp key abcd address 128.107.241.234
!
!
crypto ipsec transform-set abcd ah-sha-hmac esp-3des
!
crypto map cdma1 10 ipsec-isakmp
set peer 128.107.241.234
set transform-set abcd
match address 103
!
!
interface ATM0/0/0
no ip address
ip virtual-reassembly
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
backup interface Cellular0/3/0
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 0/35
pppoe-client dial-pool-number 2
!
!
interface Cellular0/3/0
bandwidth receive 1400000
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer in-band
dialer idle-timeout 0
dialer string cdma
dialer-group 1
async mode interactive
no ppp lcp fast-start
ppp chap password 0 cisco
ppp ipcp dns request
crypto map cdma1
!
interface Vlan104
description used as default gateway address for DHCP clients
ip address 10.4.0.254 255.255.0.0
ip nat inside
ip virtual-reassembly
!
interface Dialer2
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer pool 2
dialer-group 2
ppp authentication chap callin
ppp chap hostname cisco@dsl.com
ppp chap password 0 cisco
ppp ipcp dns request
crypto map cdma1
!
ip local policy route-map track-primary-if
ip route 0.0.0.0 0.0.0.0 Dialer2 track 234
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 254
!
!
ip nat inside source route-map nat2cell interface Cellular0/3/0 overload
ip nat inside source route-map nat2dsl interface Dialer2 overload
!
ip sla 1
icmp-echo 209.131.36.158 source-interface Dialer2
timeout 1000
frequency 2
ip sla schedule 1 life forever start-time now
access-list 1 permit any
access-list 2 permit 10.4.0.0 0.0.255.255
access-list 3 permit any
access-list 101 permit ip 10.4.0.0 0.0.255.255 any
access-list 102 permit icmp any host 209.131.36.158
access-list 103 permit ip host 166.138.186.119 128.107.0.0 0.0.255.255
access-list 103 permit ip host 75.40.113.246 128.107.0.0 0.0.255.255
dialer-list 1 protocol ip list 1
dialer-list 2 protocol ip permit
!
!
route-map track-primary-if permit 10
match ip address 102
set interface Dialer2
!
route-map nat2dsl permit 10
match ip address 101
match interface Dialer2
!
route-map nat2cell permit 10
match ip address 101
match interface Cellular0/3/0
!
line 0/3/0
exec-timeout 0 0
script dialer cdma
login
modem InOut
event manager applet Pri_back
event track 234 state any
action 2.0 cli command "clear ip nat trans forced"
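
EEM applets and registered Tcl policies run CLI commands on the device without an operator present, so they belong in any configuration review. The following is an added example (Python, not part of the original post or of Cisco's material) that inventories the EEM statements used in Examples 1 to 3 and flags CLI actions that write files. The function names inventory_eem and flash_writes are hypothetical, and the sample configuration is excerpted from this page.

```python
import re

# Excerpts copied from the three configurations on this page. Indentation is
# already lost there, so the parser does not rely on it.
SAMPLE_CONFIG = """\
event manager applet OSPF
event syslog pattern "Neighbor Down: Dead timer expired"
action 1.0 cli command "enable"
action 1.1 cli command "sh proc cpu | append flash:cpu_info"
action 1.2 cli command "show interface | append flash:interface_info"
action 1.6 syslog msg "OSPF NEIGHBOR DOWN"
!
event manager environment errim_period 30
event manager directory user policy flash:/
event manager policy TX_LOAD.tcl type user
!
event manager applet Pri_back
event track 234 state any
action 2.0 cli command "clear ip nat trans forced"
"""


def inventory_eem(config_text):
    inv = {"applets": {}, "policies": [], "environment": {}, "policy_dir": None}
    applet = None  # applet block currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"event manager applet (\S+)", line):
            applet = inv["applets"].setdefault(
                m.group(1), {"event": None, "cli": [], "other": []})
        elif applet is not None and line.startswith("event ") \
                and not line.startswith("event manager "):
            applet["event"] = line[len("event "):]
        elif applet is not None and (m := re.match(r'action \S+ cli command "(.*)"$', line)):
            applet["cli"].append(m.group(1))
        elif applet is not None and line.startswith("action "):
            applet["other"].append(line)
        else:
            applet = None  # any other line ends the applet block
            if m := re.match(r"event manager environment (\S+) (.*)", line):
                inv["environment"][m.group(1)] = m.group(2)
            elif m := re.match(r"event manager directory user policy (\S+)", line):
                inv["policy_dir"] = m.group(1)
            elif m := re.match(r"event manager policy (\S+)", line):
                inv["policies"].append(m.group(1))
    return inv


def flash_writes(inv):
    """CLI actions whose output modifier writes a file (| append, | redirect, | tee)."""
    return [(name, cmd) for name, a in inv["applets"].items()
            for cmd in a["cli"] if re.search(r"\|\s*(append|redirect|tee)\s", cmd)]
```

A registered Tcl policy such as TX_LOAD.tcl only appears here by name; its actions live in the file under the policy directory, which has to be reviewed separately.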
