Automation

Embedded Event Manager (EEM) – Event Detectors- Part III

Lets continue our discussion with the event detectors:

10. OIR

The online insertion and removal (OIR) event detector publishes an event when one of the following hardware insertion or removal events occurs:

  • A card is removed.
  • A card is inserted.

Route Processors (RPs), line cards, or feature cards can be monitored for OIR events. The builtins $_oir_slot and $_oir_event can be used to know which module is either inserted or removed.
Screen Shot 2018-04-02 at 8.14.28 PM

Once the module was shutdown, we can see EEM triggered saying “Module 11 is removed”. When I powered on the module again, “Module 11 is inserted”.

Screen Shot 2018-04-02 at 8.14.34 PM

11. Resource

The resource event detector publishes an event when the Embedded Resource Manager (ERM) reports an event for the specified policy.

The Embedded Resource Manager (ERM) feature allows you to monitor internal system resource utilization for specific resources such as the buffer, memory, and CPU.

ERM monitors resource utilization from the perspective of various subsystems within the Cisco IOS software such as resource owners (ROs) and resource users (RUs). ERM allows you to configure threshold values for system resources.

https://www.cisco.com/c/en/us/td/docs/ios/neverest_docs/stub_documents/nm_ermST.html

Below is the resource policy I have configured on the device to monitor Total CPU utilisation and have mentioned critical rising % to 2 and falling to 1% over an interval of 30s.

Screen Shot 2018-04-02 at 8.16.35 PM

Below EEM is configured to run when RESOURCE policy raises an event , which means it will run when CPU utilisation goes above 2%.
Screen Shot 2018-04-02 at 8.16.40 PM

Lets generate some traffic and see now the CPU has jumped to 17%. I did this by continuous pings to this router with size of 1500 and timeout 0.

Screen Shot 2018-04-02 at 8.16.50 PM

Once the CPU crossed the defined threshold of 2%, we can see ERM notified the device and EEM is triggered.

Screen Shot 2018-04-02 at 8.14.51 AM

12. RF: Redundancy Framework Event

  • The redundancy framework (RF) event detector publishes an event when one or more RF events occur during synchronization in a dual Route Processor (RP) system.
  • The RF event detector can also detect an event when a dual RP system continuously switches from one RP to another RP

event [ tag event-tag ] rf event rf-state-name [ maxrun maxruntime-number ]

I am going to use RF_PROG_STANDBY_BULK to demonstrate the event rf. Below is the EEM which will run when standby reached Bulk sync state.
Screen Shot 2018-04-02 at 8.20.51 PM

Rebooted the standby RP:

Screen Shot 2018-04-02 at 8.20.57 PM

See below EEM is triggered once the Bulk sync is succeeded.

Screen Shot 2018-04-02 at 8.21.03 PM

13. Routing

The routing event detector publishes an event when a route entry changes in the Routing Information Base (RIB).

We can monitor the range of prefixes, network, specific protocol, event type and VRF.
Screen Shot 2018-04-02 at 8.23.19 PM.png

Below are the builtins which can be used with event detector routing.
Screen Shot 2018-04-02 at 8.23.26 PM.png

Topology I am using here is as below and running OSPF on all the links.
Screen Shot 2018-04-02 at 8.25.26 PM.png

The loopback of R6 : 66.66.66.66/32 is being learned on R1 by R3 and R5. Below is the routing table entry and interface config on R1.
Screen Shot 2018-04-02 at 8.26.17 PM.png

Lets build an EEM which will run, when the route to R3’s loopback 33.33.33.33/32 is removed from the routing table via OSPF.  Once the EEM is triggered,  it will increase the metric on link between R1 and R3.
Screen Shot 2018-04-02 at 8.27.13 PM

Lets shut the loopback on R3:
Screen Shot 2018-04-02 at 8.27.21 PM

The EEM ran and increased the cost on interface G1, preferring the route to R6 via Gi2 interface. Check the usage of builtins in the syslog msg.

Screen Shot 2018-04-02 at 8.27.31 PM

14. RPC : Remote Procedure Call Event

  • Provides ability to invoke eem policies from outside the device using ssh
  • Used Simple Object Access Protocol (SOAP) data encoding for exchanging XML-based messages.
  • This event detector can be used to run EEM policies and then receive output in a SOAP XML-formatted reply.

The following example shows how to configure the applet called RPC_example:

event manager applet RPC_example
event rpc
action output puts “hello world”

15. SNMP Detectors

We have 3 detectors related to SNMP:

  • SNMP

The SNMP event detector allows a standard SNMP MIB object to be monitored and an event to be generated when the object matches specified values or crosses specified thresholds.

Event snmp  oid <> entry-op ge entry-val <> get-type exact poll-interval <>

 Lets use interface status to trigger the EEM. Below is the link for SNMP OID Browser.

http://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en

The SNMP OID for polling the interface status is 1.3.6.1.2.1.2.2.1.7.* where * denotes the ifindex of interface.

Screen Shot 2018-04-02 at 8.30.23 PM

Get theifindex with command “show snap mid ifmib if index”.
Screen Shot 2018-04-02 at 8.31.22 PM

Here the if index of Gi1 is 1 so the OID I am polling is 1.3.6.1.2.1.2.2.1.7.1. Few points to note while using SNMP as an event:

1. Get-type can be exact or next. Exact means poll the value of mentioned SNMP oid and          next means poll for the next OID.
2. Entry-val needs to be checked for that particular SNMP. Like here the value 2 means           “down”.

Below EEM will be triggered when interface Gi1 goes down.
Screen Shot 2018-04-02 at 8.33.28 PM
Lets shut the link and we can see the syslog msg on console.
Screen Shot 2018-04-02 at 8.34.32 PM.png

  • SNMP Notification:

The SNMP notification event detector provides the ability to intercept SNMP trap and inform messages coming into or going out of the device. An SNMP notification event is generated when an incoming or outgoing SNMP trap or inform message matches specified values or crosses specified thresholds. The SNMP event detector can wait and intercept the outgoing SNMP traps and informs.

Event snmp-notification dest-ip-add <> direction <> oid <> oid-val <>

  • SNMP Object

The Simple Network Management Protocol (SNMP) object trap event detector provides an extension to replace the value when an SNMP trap with the specified SNMP object ID (OID) is encountered on a specific interface or address.

 16. Syslog

The syslog event detector allows for screening syslog messages for a regular expression pattern match

We are matching any syslog patter which contains “OSPF-5-ADJCHG” in a message.
Screen Shot 2018-04-02 at 8.36.38 PM.png

Once the OSPF is flapped, EEM ran.
Screen Shot 2018-04-02 at 8.37.22 PM.png

17. Tag

Tag is an identifier for event and is used when correlating the events.

event manager applet EIGRP-FLAP authorization bypass
event tag EIGRP syslog pattern “%DUAL-5-NBRCHANGE.*.down.*”  maxrun 60
event tag TUNNEL syslog pattern “%LINEPROTO-5-UPDOWN.*.down”
trigger
correlate event EIGRP or event TUNNEL

18. Timer

The timer event detector publishes events for the following four different types of timers:

  • An absolute-time-of-day timer publishes an event when a specified absolute date and time occurs.
  • A countdown timer publishes an event when a timer counts down to zero.
  • A watchdog timer publishes an event when a timer counts down to zero and then the timer automatically resets itself to its initial value and starts to count down again.
  • A CRON timer publishes an event using a UNIX standard CRON specification to indicate when the event is to be published. A CRON timer never publishes events more than once per minute.

Absolute: The event occurs after the specified time in seconds.

The following example shows how to specify that an event is triggered one time after 5 hours:

Router(config)# event manager applet timer-absolute
Router(config-applet)# event timer absolute time 18000

Countdown: The event occurs once the countdown timer counts down to zero.

The following example shows how to specify that an event is triggered once after 6 minutes and 6 milliseconds:

Router(config)# event manager applet timer-set
Router(config-applet)# event timer countdown time 360.006 name six-minutes

Below is the EEM which will run once the countdown timer counts down from 60 to zero.
We can see that event ran exactly after a minute.

Screen Shot 2018-04-02 at 8.40.56 PM.png

Watchdog: The event occurs once the countdown timer counts down to zero and once EEM runs, timer resets.

Below example shows EEM being triggered every 20 seconds.
Screen Shot 2018-04-02 at 8.42.59 PM

CRON:

The cron syntax is “Minute Hour Day_of_Month Month Day_of_Week”

minute – this controls what minute of the hour the command will fire values between 0 and 59
hour – this controls what hour the command will run – specified in the 24 hour clock format 0-23 0=midnight
dom – day of month that you want the command to run e.g 20th = 20
Month – Month 1-12
dow – day of week it can be numeric 0-7 or name of day e.g sat

Below is the EEM which is configured to run on April 2 @12:30hrs.

The cron-entry here is “30 12 2 4 *” which means to run EEM at 30 minutes, 12 hour, Day 2, Month April (4) and any day of week.
Screen Shot 2018-04-02 at 8.45.06 PM.png

 

We can also use special strings like

    • Ranges : 8-11 means 8,9,10,11
    • Asterisk : * means any
    • List : (1,2,5,9 or 0-4,8-12)
    • Step value in conjunction with range : range/slip value
      • Eg: 0-23/2 means every second hour its triggered
    • Special :
      • @yearly – Once a year ( 0 0 1 1 *)
      • @annually – same as yearly
      • @monthly – once a month (0 0 1 * *)
      • @weekly – once a week (0 0 * * 0)
      • @daily – once a day (0 0 * * *)
      • @midnight : same as daily
      • @hourly – once per hour (0 * * * *)
    • Event timer cron cron-entry

Some of the examples of cron-entry:

 01 * * * * This command is run at one min past every hour
17 8 * * * This command is run daily at 8:17 am

Below is the sample EEM to run every minute:

Screen Shot 2018-04-02 at 8.46.40 PM.png

19. Track

The enhanced object tracking (EOT) event detector publishes an event when the status of a tracked object changes.

Lets configure a track for reachability to R6 loopback 66.66.66.66/32 with source 11.11.11.11/32.
Screen Shot 2018-04-02 at 8.47.46 PM

EEM will be triggered whenever the state of track changes either up or down.
Screen Shot 2018-04-02 at 8.49.11 PM.png

I bounced the loopback on R6 and EEM ran twice, once when track went down and second when track came up.
Screen Shot 2018-04-02 at 8.50.05 PM.png

We will discuss about the actions in next blog.

EEM Series:

  1. Embedded Event Manager (EEM) – Basic Overview- Part I
  2. Embedded Event Manager (EEM) – Event Detectors- Part II
  3. Embedded Event Manager (EEM) – Event Detectors- Part III
  4. Embedded Event Manager (EEM) – Event Actions- Part IV
Advertisements

Categories: Automation, EEM, General, IPv4

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s