Lets continue our discussion with the event detectors:
The online insertion and removal (OIR) event detector publishes an event when one of the following hardware insertion or removal events occurs:
- A card is removed.
- A card is inserted.
Route Processors (RPs), line cards, or feature cards can be monitored for OIR events. The builtins $_oir_slot and $_oir_event can be used to know which module is either inserted or removed.
Once the module was shutdown, we can see EEM triggered saying “Module 11 is removed”. When I powered on the module again, “Module 11 is inserted”.
The resource event detector publishes an event when the Embedded Resource Manager (ERM) reports an event for the specified policy.
The Embedded Resource Manager (ERM) feature allows you to monitor internal system resource utilization for specific resources such as the buffer, memory, and CPU.
ERM monitors resource utilization from the perspective of various subsystems within the Cisco IOS software such as resource owners (ROs) and resource users (RUs). ERM allows you to configure threshold values for system resources.
Below is the resource policy I have configured on the device to monitor Total CPU utilisation and have mentioned critical rising % to 2 and falling to 1% over an interval of 30s.
Below EEM is configured to run when RESOURCE policy raises an event , which means it will run when CPU utilisation goes above 2%.
Lets generate some traffic and see now the CPU has jumped to 17%. I did this by continuous pings to this router with size of 1500 and timeout 0.
Once the CPU crossed the defined threshold of 2%, we can see ERM notified the device and EEM is triggered.
12. RF: Redundancy Framework Event
- The redundancy framework (RF) event detector publishes an event when one or more RF events occur during synchronization in a dual Route Processor (RP) system.
- The RF event detector can also detect an event when a dual RP system continuously switches from one RP to another RP
event [ tag event-tag ] rf event rf-state-name [ maxrun maxruntime-number ]
I am going to use RF_PROG_STANDBY_BULK to demonstrate the event rf. Below is the EEM which will run when standby reached Bulk sync state.
Rebooted the standby RP:
See below EEM is triggered once the Bulk sync is succeeded.
The routing event detector publishes an event when a route entry changes in the Routing Information Base (RIB).
We can monitor the range of prefixes, network, specific protocol, event type and VRF.
Below are the builtins which can be used with event detector routing.
Topology I am using here is as below and running OSPF on all the links.
The loopback of R6 : 188.8.131.52/32 is being learned on R1 by R3 and R5. Below is the routing table entry and interface config on R1.
Lets build an EEM which will run, when the route to R3’s loopback 184.108.40.206/32 is removed from the routing table via OSPF. Once the EEM is triggered, it will increase the metric on link between R1 and R3.
Lets shut the loopback on R3:
The EEM ran and increased the cost on interface G1, preferring the route to R6 via Gi2 interface. Check the usage of builtins in the syslog msg.
14. RPC : Remote Procedure Call Event
- Provides ability to invoke eem policies from outside the device using ssh
- Used Simple Object Access Protocol (SOAP) data encoding for exchanging XML-based messages.
- This event detector can be used to run EEM policies and then receive output in a SOAP XML-formatted reply.
The following example shows how to configure the applet called RPC_example:
event manager applet RPC_example
action output puts “hello world”
15. SNMP Detectors
We have 3 detectors related to SNMP:
The SNMP event detector allows a standard SNMP MIB object to be monitored and an event to be generated when the object matches specified values or crosses specified thresholds.
Event snmp oid <> entry-op ge entry-val <> get-type exact poll-interval <>
Lets use interface status to trigger the EEM. Below is the link for SNMP OID Browser.
The SNMP OID for polling the interface status is 220.127.116.11.18.104.22.168.1.7.* where * denotes the ifindex of interface.
Get theifindex with command “show snap mid ifmib if index”.
Here the if index of Gi1 is 1 so the OID I am polling is 22.214.171.124.126.96.36.199.1.7.1. Few points to note while using SNMP as an event:
1. Get-type can be exact or next. Exact means poll the value of mentioned SNMP oid and next means poll for the next OID.
2. Entry-val needs to be checked for that particular SNMP. Like here the value 2 means “down”.
Below EEM will be triggered when interface Gi1 goes down.
Lets shut the link and we can see the syslog msg on console.
- SNMP Notification:
The SNMP notification event detector provides the ability to intercept SNMP trap and inform messages coming into or going out of the device. An SNMP notification event is generated when an incoming or outgoing SNMP trap or inform message matches specified values or crosses specified thresholds. The SNMP event detector can wait and intercept the outgoing SNMP traps and informs.
Event snmp-notification dest-ip-add <> direction <> oid <> oid-val <>
- SNMP Object
The Simple Network Management Protocol (SNMP) object trap event detector provides an extension to replace the value when an SNMP trap with the specified SNMP object ID (OID) is encountered on a specific interface or address.
The syslog event detector allows for screening syslog messages for a regular expression pattern match
We are matching any syslog patter which contains “OSPF-5-ADJCHG” in a message.
Once the OSPF is flapped, EEM ran.
Tag is an identifier for event and is used when correlating the events.
event manager applet EIGRP-FLAP authorization bypass
event tag EIGRP syslog pattern “%DUAL-5-NBRCHANGE.*.down.*” maxrun 60
event tag TUNNEL syslog pattern “%LINEPROTO-5-UPDOWN.*.down”
correlate event EIGRP or event TUNNEL
The timer event detector publishes events for the following four different types of timers:
- An absolute-time-of-day timer publishes an event when a specified absolute date and time occurs.
- A countdown timer publishes an event when a timer counts down to zero.
- A watchdog timer publishes an event when a timer counts down to zero and then the timer automatically resets itself to its initial value and starts to count down again.
- A CRON timer publishes an event using a UNIX standard CRON specification to indicate when the event is to be published. A CRON timer never publishes events more than once per minute.
Absolute: The event occurs after the specified time in seconds.
The following example shows how to specify that an event is triggered one time after 5 hours:
Router(config)# event manager applet timer-absolute
Router(config-applet)# event timer absolute time 18000
Countdown: The event occurs once the countdown timer counts down to zero.
The following example shows how to specify that an event is triggered once after 6 minutes and 6 milliseconds:
Router(config)# event manager applet timer-set
Router(config-applet)# event timer countdown time 360.006 name six-minutes
Below is the EEM which will run once the countdown timer counts down from 60 to zero.
We can see that event ran exactly after a minute.
Watchdog: The event occurs once the countdown timer counts down to zero and once EEM runs, timer resets.
Below example shows EEM being triggered every 20 seconds.
The cron syntax is “Minute Hour Day_of_Month Month Day_of_Week”
minute – this controls what minute of the hour the command will fire values between 0 and 59
hour – this controls what hour the command will run – specified in the 24 hour clock format 0-23 0=midnight
dom – day of month that you want the command to run e.g 20th = 20
Month – Month 1-12
dow – day of week it can be numeric 0-7 or name of day e.g sat
Below is the EEM which is configured to run on April 2 @12:30hrs.
The cron-entry here is “30 12 2 4 *” which means to run EEM at 30 minutes, 12 hour, Day 2, Month April (4) and any day of week.
We can also use special strings like
- Ranges : 8-11 means 8,9,10,11
- Asterisk : * means any
- List : (1,2,5,9 or 0-4,8-12)
- Step value in conjunction with range : range/slip value
- Eg: 0-23/2 means every second hour its triggered
- Special :
- @yearly – Once a year ( 0 0 1 1 *)
- @annually – same as yearly
- @monthly – once a month (0 0 1 * *)
- @weekly – once a week (0 0 * * 0)
- @daily – once a day (0 0 * * *)
- @midnight : same as daily
- @hourly – once per hour (0 * * * *)
- Event timer cron cron-entry
Some of the examples of cron-entry:
01 * * * * This command is run at one min past every hour
17 8 * * * This command is run daily at 8:17 am
Below is the sample EEM to run every minute:
The enhanced object tracking (EOT) event detector publishes an event when the status of a tracked object changes.
Lets configure a track for reachability to R6 loopback 188.8.131.52/32 with source 184.108.40.206/32.
EEM will be triggered whenever the state of track changes either up or down.
I bounced the loopback on R6 and EEM ran twice, once when track went down and second when track came up.
We will discuss about the actions in next blog.
- Embedded Event Manager (EEM) – Basic Overview- Part I
- Embedded Event Manager (EEM) – Event Detectors- Part II
- Embedded Event Manager (EEM) – Event Detectors- Part III
- Embedded Event Manager (EEM) – Event Actions- Part IV