
Lab Guide

Advanced Network Automation Solutions using Cisco IOS EEM


Arie Vayner

LABNMS-2001 © 2013 Cisco Systems, Inc. All rights reserved

Advanced Network Automation Solutions using Cisco IOS EEM – LABNMS-2001

Advanced Network Automation Solutions using Cisco IOS EEM ... 2
LABNMS-2001 ... 2
Session Abstract ... 2
Introduction to EEM ... 3
EEM References ... 3
EEM Debugging Commands ... 4
Lab Structure ... 5
Task 1 – Block a CLI Command ... 6
Task 2 – Control CLI Command Execution Rate ... 8
Task 3 – Scheduling Events ... 9
Task 4 – Manually Triggered EEM Scripts ... 10
Task 5 – Monitor Interface Parameters ... 11
Task 6 – Switch between Primary and Backup Paths ... 14
Task 7 – Consolidated Custom Status Command ... 19
Task 8 – Secure Automatic Provisioning ... 22
Appendix I ... 28

Session Abstract
In this session we will review advanced automation and manageability solutions based on Cisco IOS Embedded Event Manager (EEM) functionality. The session allows delegates to gain hands-on experience implementing advanced solutions including high availability, network performance optimization, network monitoring and efficient automation. The session provides a relevant tool set for enhancing network operations within networks built on Cisco IOS based routers and switches.


Introduction to EEM

Cisco IOS Embedded Event Manager (EEM) is a powerful and flexible subsystem that provides real-time network event detection and onboard automation. It gives you the ability to adapt the behaviour of your network devices to align with your business needs. Your business can benefit from the capabilities of IOS Embedded Event Manager without upgrading to a new version of Cisco IOS. It is available on a wide range of Cisco platforms.

Figure 1 – Event Detectors: Syslog, OIR, GOLD, IP SLA, SNMP, None, SNMP Proxy, SNMP Object, Watchdog, ERM, XML RPC, Neighbor Discovery, Counter, EOT, Routing, Identity, CLI, RF, Netflow, MAC

IOS Embedded Event Manager supports more than 20 event detectors that are highly integrated with different Cisco IOS Software components to trigger actions in response to network events. Harnessing the significant intelligence within Cisco IOS Software, IOS Embedded Event Manager helps enable creative solutions, including automated fault detection and device configuration.

Figure 2 – EEM Architecture: EEM Server Subsystem, EEM Event Detectors, EEM Policies

Your business logic can be injected into network operations using IOS Embedded Event Manager policies. These policies are programmed using either a simple command-line interface (CLI) or a scripting language called Tool Command Language (Tcl).

EEM References

Embedded Event Manager Overview
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/[…]w_ps10591_TSD_Products_Configuration_Guide_Chapter.html

Writing Embedded Event Manager Policies Using Cisco IOS CLI Configuration Guide
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_policy_cli.html

Relevant Command Reference Guides
http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/[…].html

Embedded Event Manager (EEM) Scripting Community (Cisco Beyond)
http://www.[…].html

EEM Debugging Commands

The following commands can be used to debug and display the operations of the different scripts used in this lab:
• debug event manager action cli
• debug event manager detector <event detector type>
• show event manager detector <event detector type> detailed
• show event manager policy registered
• show track <id>

Lab Structure

The different tasks in this lab provide an introduction to the different elements of Embedded Event Manager applet programming. Each task presents a problem that may solve some operational challenge, providing an example using an EEM CLI applet. Each applet presents new programming elements and tools available in EEM.

It is recommended to try and configure the different examples in the lab, and then try executing them (see the output examples). It is also highly recommended to turn on the relevant debugging commands (see the debugging reference above) and to use the different show commands provided above. Feel free to experiment and modify the applets to create more advanced solutions.

Task 1 – Block a CLI Command

Goal: Use an EEM applet to block the “show beep …” command

Script Logic:
• Use the “event cli pattern” event detector to catch any relevant command by matching a regular expression.
• The syslog action allows publishing a custom syslog event
• The puts action writes a string to the active terminal
• Setting the _exit_status variable to “0” blocks the executed command (“1” would allow the original command to run after script execution)

Introduced EEM Elements:
• event cli
• action syslog
• action puts
• Using _exit_status

Example:
!
event manager applet BLOCK-CLI-SHOW-BEEP
 event cli pattern "^show beep" mode "exec" enter
 action 1.0 syslog msg "BEEP!"
 action 1.1 puts "BEEP!"
 action 2.0 set _exit_status "0"
!

Output Example:
Router#show beep
BEEP!
Router#
*Nov 24 20:58:18.424: %HA_EM-6-LOG: BLOCK-CLI: BEEP!

Tip: If the cli pattern is in another mode than “exec” it is possible to identify the mode by running “debug event manager all” and executing the required command:
Router#debug event manager all
Router#show beep
…
*Nov 24 20:56:29.856: check_eem_cli_key: line=show beep mode=exec

Tip 2: Using _exit_status=0 allows creating new CLI commands. Matching an undefined CLI string can trigger a script which performs custom tasks. A common example is combining the partial (using | include) output of multiple show commands, creating an overview “show status” command (see Task 7 – Consolidated Custom Status Command).

Task 2 – Control CLI Command Execution Rate

Goal: Use an EEM applet to control the rate allowed for any “show” command

Script Logic:
• Adding “occurs 3 period 10” to the “event cli” detector triggers the script only if the matching command occurs at least 3 times in a period of 10 seconds

Introduced EEM Elements:
• event … occurs … period
• puts nonewline

Example:
!
event manager applet TOO-FAST-SHOW
 event cli pattern "show" sync yes occurs 3 period 10
 action 1.0 puts nonewline "Too fast show commands... please slow down"
 action 2.0 set _exit_status "0"
!

Output Example:
Router#show clock
*21:14:07.560 CET Tue Nov 24 2009
Router#show clock
*21:14:09.720 CET Tue Nov 24 2009
Router#show clock
Too fast show commands... please slow down

Tip: The “occurs X period Y” option is available on other event detectors, including syslog events, track objects etc. It can be used to detect different kinds of repeating events, allowing detection of events such as link flaps, routing update flapping etc.

Task 3 – Scheduling Events

Goal: Use an EEM applet to execute scripts at a specific time of day. The example script performs a daily configuration backup task.

Script Logic:
• The script is executed every day, Monday to Friday, at 23:55
• “enable” has to be executed as the script is executed in a separate VTY, and starts in a low privilege level

Introduced EEM Elements:
• event timer cron

Example:
!
event manager applet PERIODIC-CONFIG-SAVE
 event timer cron name CONFIG-SAVE-TIMER cron-entry "55 23 * * 1-5"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy running-config startup-config"
!

Tips:
• The cron scheduler syntax is: “Minute, Hour, Day of Month, Month, Day of Week” (similar to unix cron syntax)
• Some shortcuts are available (@weekly etc)
• Full details can be reviewed at http://www.[…]ml#wp1157622
• Note: EEM scripts do not pass authentication; if the script is in the configuration, it means that the person who configured it had full config rights. CLI commands executed by an EEM script (“action cli command”) can get authorized (for example in case of per-command authorization with TACACS). The username used for authorization is set using the “event manager session cli username <username>” command.

Task 4 – Manually Triggered EEM Scripts

Goal: Use an EEM applet to create a single line command to perform “clear counters” hiding the [confirm] prompt

Script Logic:
• “event none” allows manual execution of the script from a CLI command using “event manager run <script-name>”
• The “pattern” keyword allows catching a string written to the VTY terminal
• Using the alias command allows easy execution of the new command

Introduced EEM Elements:
• “event none” and manually running EEM applets
• Matching CLI prompts (pattern)
• Using a CLI alias to run EEM applets

Example:
!
event manager applet CLEAR-COUNTERS
 event none
 action 1.0 cli command "enable"
 action 2.0 cli command "clear counters" pattern "\[confirm\]"
 action 3.0 cli command "y"
!
alias exec cc event manager run CLEAR-COUNTERS
!

Output Example:
Router#cc
Router#
*Nov 25 09:02:09.517: %CLEAR-5-COUNTERS: Clear counter on all interfaces by on vty0 (EEM:CLEAR-COUNTERS)

Tips:
• “debug event manager action cli” allows seeing the operation of the scripts
• Note the escape sequence “\[” instead of just using a “[” character. The “[” (and “]”) characters have a special meaning in regular expressions, and have to be escaped using “\”.

Task 5 – Monitor Interface Parameters

Goal: Use an EEM applet to react to crossing a counter threshold on an interface. This script monitors the input bits per second (BPS) and packets per second (PPS) counters of an interface, and if they exceed a given threshold, an alert is generated. We also want to know when the issue has been resolved, so if the BPS rate on E0/0 drops below 32000 bps, or the PPS rate on E1/0 drops below 50, an exit event is triggered.

Script Logic:
• Event tags define different events that may be correlated in order to have a combined trigger event for the applet.
• We will be monitoring two different events:
   o Ethernet0/0 receive BPS rate crossing 128000 bps
   o Ethernet0/1 receive PPS rate crossing 100 pps
• If the above thresholds have been crossed, an alert is generated.
• The “trigger” statement defines the correlation between the 2 different events.
• The “exit-event true” statement in the events triggers the script also when the lower threshold has been reached
• We use the boolean system variable $_interface_exit_event to detect if the event is an “entry” or “exit” event (high or low threshold). This is done using an “if” action.
• For reporting the event, we use some other system variables which are populated automatically when an “interface” event is triggered.

Introduced EEM Elements:
• event interface name
• multiple events and event correlation triggers
• using event detector specific system variables
• using the if/else conditional syntax

Example:
!
event manager applet MONITOR-INTERFACES
 event tag ETH0-0-RX-BPS interface name Ethernet0/0 parameter receive_rate_bps entry-op gt entry-val 128000 entry-type value exit-op lt exit-val 32000 exit-type value exit-event true poll-interval 1
 event tag ETH0-1-RX-PPS interface name Ethernet0/1 parameter receive_rate_pps entry-op gt entry-val 100 entry-type value exit-op lt exit-val 50 exit-type value exit-event true poll-interval 1
 trigger correlate event ETH0-0-RX-BPS or event ETH0-1-RX-PPS
 action 1.0 if $_interface_exit_event eq 0
 action 1.1  syslog priority alerts msg "RED ALERT: $_interface_name $_interface_parameter is $_interface_value"
 action 1.2 else
 action 1.3  syslog priority informational msg "GREEN ALERT: $_interface_name $_interface_parameter is $_interface_value"
 action 1.4 end
!
end

Output Example:
*Jul 29 08:34:32.[…]: %HA_EM-1-LOG: MONITOR-INTERFACES: RED ALERT: Ethernet0/0 receive_rate_pps is 320

How to Test: In order to generate traffic on the links being monitored by the script, it is recommended to use an extended ping command with a high count of ping packets and a timeout of 0. In order to generate a high rate of packets, it is possible to log in to the opposite router on the other side of the link, and use the ping command there to generate traffic. This makes the opposite router generate a high rate of packets. In order to get a high BPS rate, it is also possible to increase the ping packet size.

R102#ping
Protocol [ip]:
Target IP address: 10.3.…
Repeat count [5]: 10000
Datagram size [100]: 1000
Timeout in seconds [2]: 0
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 10000, 1000-byte ICMP Echos to 10.3.…, timeout is 0 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

If the ping operation is taking too long to complete (due to a high repeat count), it is possible to break it using the break sequence CTRL-SHIFT-6.

Tips:
• In order to see which system variables are available for each of the different event detectors it is possible to use the “show event manager detector <name> detailed” command:
Router#show event manager detector interface detailed
…
Applet Built-in Environment Variables:
  $_event_id
  $_event_type
  $_event_type_string
  $_event_pub_time
  $_event_pub_sec
  $_event_pub_msec
  $_event_severity
  $_interface_name
  $_interface_parameter
  $_interface_is_increment
  $_interface_value
  $_interface_delta_value
  $_interface_exit_event
• It is possible to use the “elseif” action for more conditions in the “if” structure.
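The entry/exit threshold behaviour of the interface event detector (entry-op gt, exit-op lt, exit-event true) is easy to get wrong when tuning the values, so the following added example, which is not part of the lab guide, reproduces that logic in Python over a constructed series of poll samples and shows which RED/GREEN alerts MONITOR-INTERFACES would raise. The sample values and the applet_actions wording are constructed to mirror the applet above.

```python
"""Hysteresis threshold events as in the MONITOR-INTERFACES applet (added example)."""
from dataclasses import dataclass, field


@dataclass
class InterfaceEvent:
    """One 'event tag X interface name ... parameter ... entry-op gt entry-val N
    exit-op lt exit-val M exit-event true' line of the applet."""
    tag: str
    name: str
    parameter: str
    entry_val: float          # entry-op gt: publish when value > entry_val
    exit_val: float           # exit-op lt: re-arm when value < exit_val
    exit_event: bool = True   # exit-event true: publish the exit crossing as well
    armed: bool = field(default=False, init=False)  # True after the entry threshold fired

    def poll(self, value):
        """One poll-interval sample. Returns the $_interface_* variables the
        applet would see when an event is published, or None when nothing fires."""
        if not self.armed:
            if value > self.entry_val:
                self.armed = True
                return self._vars(value, 0)
            return None
        # While armed, values between exit_val and entry_val publish nothing:
        # this gap is the hysteresis that stops a rate hovering around the
        # entry threshold from producing a RED/GREEN flap on every poll.
        if value < self.exit_val:
            self.armed = False
            return self._vars(value, 1) if self.exit_event else None
        return None

    def _vars(self, value, exit_event):
        return {"_interface_name": self.name,
                "_interface_parameter": self.parameter,
                "_interface_value": value,
                "_interface_exit_event": exit_event}


def applet_actions(v):
    """Body of MONITOR-INTERFACES: the if/else on $_interface_exit_event.
    Returns (syslog priority, message)."""
    text = f"{v['_interface_name']} {v['_interface_parameter']} is {v['_interface_value']}"
    if v["_interface_exit_event"] == 0:
        return ("alerts", "RED ALERT: " + text)
    return ("informational", "GREEN ALERT: " + text)


def run(events, samples):
    """'trigger correlate event A or event B': every published event runs the
    actions once. samples is a list of {tag: value} dicts, one per poll."""
    syslog = []
    for sample in samples:
        for ev in events:
            if ev.tag in sample:
                v = ev.poll(sample[ev.tag])
                if v is not None:
                    syslog.append(applet_actions(v))
    return syslog


EVENTS = [
    InterfaceEvent("ETH0-0-RX-BPS", "Ethernet0/0", "receive_rate_bps", 128000, 32000),
    InterfaceEvent("ETH0-1-RX-PPS", "Ethernet0/1", "receive_rate_pps", 100, 50),
]

# Constructed samples: a burst on Ethernet0/0 that decays slowly, and a short
# packet-rate spike on Ethernet0/1.
SAMPLES = [
    {"ETH0-0-RX-BPS": 1000, "ETH0-1-RX-PPS": 10},
    {"ETH0-0-RX-BPS": 150000, "ETH0-1-RX-PPS": 120},   # both entry thresholds crossed
    {"ETH0-0-RX-BPS": 200000, "ETH0-1-RX-PPS": 80},    # still above the exit values: silent
    {"ETH0-0-RX-BPS": 100000, "ETH0-1-RX-PPS": 40},    # 100000 > 32000 so bps stays silent
    {"ETH0-0-RX-BPS": 20000, "ETH0-1-RX-PPS": 20},     # bps below exit-val: GREEN
    {"ETH0-0-RX-BPS": 25000, "ETH0-1-RX-PPS": 20},     # re-armed, nothing to report
]

if __name__ == "__main__":
    for prio, msg in run(EVENTS, SAMPLES):
        print(f"{prio}: MONITOR-INTERFACES: {msg}")
```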

Task 6 – Switch between Primary and Backup Paths

Goal: Use an EEM applet to react on primary link failure and restoration.
• When the primary path fails, the backup path should be activated
• When the primary path is restored, the backup path should be deactivated, but only after verifying that the primary path has fully converged.

Figure 3 – Logical Lab Topology: R100 (Primary hub; Lo0 10.?.?.100/32 and 2001::100/128; E0/0-E0/3 10.1-4.1.100/24), R101 (Backup hub; Lo0 10.?.?.101/32 and 2001::101/128; E0/0-E0/3 10.1-4.1.101/24) and the spoke R102, connected to each hub by a tunnel.

Script Logic:
• On the spoke router, R102, a pair of tunnels is used to provide connectivity to the remote hub sites. Tunnel100 is the primary tunnel, and should be enabled at all times. Tunnel101 is the backup tunnel, and is kept shutdown as long as the primary path is active.
• One script should detect the primary path failing, and enable (no shut) Tunnel 101. Track object 10 tracks the line protocol of Tunnel 100 (note that Tunnel 100 is configured with Keepalive enabled). Track 10 going down triggers “ENABLE-BACKUP-PATH”, which performs “no shut” on interface Tunnel101.
• As soon as the primary path is restored, we should probe the primary path and make sure it is restored, and only then shut down Tunnel101 again. This is done by another EEM script. When Tunnel100 recovers, the directly connected subnet 10.20.20.0/24 is added into the routing table, triggering the “event routing” in “RECOVER-PRIMARY-PATH”. The script uses a “while” loop to ping the remote side of Tunnel100, and only after it becomes available performs “shut” on interface Tunnel101. The script uses a “regexp” action to match the “!!!!” output of the ping command.

Introduced EEM Elements:
• track objects and the track event detector
• event routing event detector
• using the “regexp” action
• using while loops
• using the _cli_result system variable

Example:
!
track 10 interface Tunnel100 line-protocol
!
event manager applet ENABLE-BACKUP-PATH
 event track 10 state down
 action 001 cli command "enable"
 action 002 cli command "conf t"
 action 003 cli command "int tunnel 101"
 action 004 cli command "no shut"
 action 005 syslog priority alerts msg "PRIMARY LINK IS DOWN, BACKUP LINK ACTIVATED"
!
event manager applet RECOVER-PRIMARY-PATH
 event routing network 10.20.20.0/24 type add maxrun 30
 action 001 cli command "enable"
 action 002 set done 0
 action 003 while $done ne 1
 action 004  wait 5
 action 005  cli command "ping 2001:20:20::100"
 action 006  regexp "!!!!!" "$_cli_result"
 action 007  if $_regexp_result eq 1
 action 008   cli command "config t"
 action 009   cli command "int Tunnel101"
 action 010   cli command "shut"
 action 011   cli command "end"
 action 012   set done 1
 action 013  end
 action 014 end
 action 015 syslog priority alerts msg "PRIMARY LINK IS RESTORED, BACKUP LINK DEACTIVATED"
!

Tips:
• The “routing” event detector can detect not only specific prefixes, but any prefix which falls inside a predefined subnet. For the complete syntax please refer to: http://www.[…]ml#wp1156862
• The “track” object can be enhanced to delay any down or up event from propagating into the triggered event by configuring the “delay up/down” command under the track object configuration. This allows more advanced policies which trigger events only after a certain condition is stable for a while. The “show track <id>” command shows how much time is left for the state delay to … http://www.[…].html#wp1163288
• Stub tracking objects can be configured to be used through the “track set/read” EEM actions. These track objects can maintain states inside or between different runs of EEM applets using the EEM actions “track set” and “track read”. http://www.[…]ml#wp1098882
• Track objects can also track ip routes and IP SLA probes (http://www.[…].html#wp1163396) (http://www.[…].html#wp1163622)
• In order to get faster response from track object events the “track timer” command should be used (http://www.[…]wp1163503)
• Multiple track objects can be combined to create complex logical conditions and trigger EEM applets with the “track list” command: http://www.cisco.[…]wp1158894

Output Example:
R102#debug event manager action cli
Debug EEM action cli debugging is on
R102#debug event manager detector routing
Debug EEM Routing Event Detector debugging is on

(Performed “shut” on interface Tunnel100 on R100)

R102#
*Nov 24 09:14:45.438: %DUAL-5-NBRCHANGE: EIGRP-IPv6 1: Neighbor FE80::A8BB:CCFF:FE00:6400 (Tunnel100) is down: interface down
*Nov 24 09:14:45.438: %TRACKING-5-STATE: 10 interface Tu100 line-protocol Up->Down
*Nov 24 09:14:45.446: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.20.20.100 (Tunnel100) is down: interface down
*Nov 24 09:14:45.…: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
*Nov 24 09:14:45.…: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 24 09:14:45.478: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : R102>
*Nov 24 09:14:45.478: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : IN : R102>enable
*Nov 24 09:14:45.…: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : R102#
*Nov 24 09:14:45.…: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : IN : R102#conf t
*Nov 24 09:14:45.738: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Nov 24 09:14:45.738: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : R102(config)#
*Nov 24 09:14:45.738: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : IN : R102(config)#int tunnel 101
*Nov 24 09:14:45.990: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : R102(config-if)#
*Nov 24 09:14:45.990: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : IN : R102(config-if)#no shut
*Nov 24 09:14:46.126: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : OUT : R102(config-if)#
*Nov 24 09:14:46.126: %HA_EM-6-LOG: ENABLE-BACKUP-PATH : DEBUG(cli_lib) : : CTL : cli_close called.
*Nov 24 09:14:46.126: %HA_EM-1-LOG: ENABLE-BACKUP-PATH: PRIMARY LINK IS DOWN, BACKUP LINK ACTIVATED
*Nov 24 09:14:46.130: %SYS-5-CONFIG_I: Configured from console by vty0
R102#
*Nov 24 09:14:48.054: %LINK-3-UPDOWN: Interface Tunnel101, changed state to up
*Nov 24 09:14:48.070: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel101, changed state to up
R102#

(Performed “no shut” on interface Tunnel100 on R100)

R102#
*Nov 24 09:15:00.546: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Nov 24 09:15:00.546: %TRACKING-5-STATE: 10 interface Tu100 line-protocol Down->Up
*Nov 24 09:15:00.550: EEM routing ED: event to match: type=add, network=10.20.20.0/24, mask=255.255.255.0
*Nov 24 09:15:00.550: EEM routing ED: pattern network/len/… network/mask: 10.20.20.0/255.255.255.0 matched ge/le/ne: 0/0/0
*Nov 24 09:15:00.562: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 24 09:15:00.586: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102>
*Nov 24 09:15:00.586: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102>enable
*Nov 24 09:15:00.…: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102#
*Nov 24 09:15:03.302: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.20.20.100 (Tunnel100) is up: new adjacency
*Nov 24 09:15:05.434: %DUAL-5-NBRCHANGE: EIGRP-IPv6 1: Neighbor FE80::A8BB:CCFF:FE00:6400 (Tunnel100) is up: new adjacency
*Nov 24 09:15:05.754: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102#ping 2001:20:20::100
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : Type escape sequence to abort.
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : Sending 5, 100-byte ICMP Echos to 2001:20:20::100, timeout is 2 seconds:
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : !!!!!
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102#
*Nov 24 09:15:06.002: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102#config t
*Nov 24 09:15:06.134: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Nov 24 09:15:06.134: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102(config)#
*Nov 24 09:15:06.134: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102(config)#int Tunnel101
*Nov 24 09:15:06.262: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102(config-if)#
*Nov 24 09:15:06.262: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102(config-if)#shut
*Nov 24 09:15:06.310: %DUAL-5-NBRCHANGE: EIGRP-IPv6 1: Neighbor FE80::A8BB:CCFF:FE00:6500 (Tunnel101) is down: interface down
*Nov 24 09:15:06.318: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.20.21.101 (Tunnel101) is down: interface down
*Nov 24 09:15:06.390: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102(config-if)#
*Nov 24 09:15:06.390: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : IN : R102(config-if)#end
*Nov 24 09:15:06.422: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:RECOVER-PRIMARY-PATH)
*Nov 24 09:15:06.522: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : OUT : R102#
*Nov 24 09:15:06.522: %HA_EM-6-LOG: RECOVER-PRIMARY-PATH : DEBUG(cli_lib) : : CTL : cli_close called.
*Nov 24 09:15:06.522: %HA_EM-1-LOG: RECOVER-PRIMARY-PATH: PRIMARY LINK IS RESTORED, BACKUP LINK DEACTIVATED
R102#
*Nov 24 09:15:08.310: %LINK-5-CHANGED: Interface Tunnel101, changed state to administratively down
*Nov 24 09:15:09.330: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel101, changed state to down
*Nov 24 09:15:09.894: EEM routing ED: RIB update: event=2, proc=2048, table=0.
*Nov 24 09:15:09.894: EEM routing ED: event to match: type=remove, network=10.20.21.0, mask=255.255.255.0
*Nov 24 09:15:09.894: EEM Routing ED: num_matches = 0

Task 7 – Consolidated Custom Status Command

Goal: Use an EEM applet to create a custom consolidated “show status” command

Script Logic:
• Add a new CLI command (“show status”) by using the “cli” event detector
• The event detector matches a non-existing command, and executes the required actions
• The command matching uses a regular expression that allows partial command matching (for example “sh stat” or “sho statu”)
• We use a global environment variable (_SERVICE_INF_LIST) which is defined in the router configuration. This variable holds a list of interfaces grouped into logical groups. The group names are marked with <<GROUP NAME>>.
• A “foreach” loop iterates through all the values in _SERVICE_INF_LIST.
   o Each time a group name is found (<<xxx>>) a group header is printed. The rest of the operations inside the loop instance are skipped using the “continue” action.
   o Each time a regular interface is found, the interface operational status is extracted, and printed in a custom format

Introduced EEM Elements:
• Matching an unknown command pattern using a regular expression
• Using environment variables for global script parameters
• foreach loop to iterate through a list of values
• continue keyword inside a loop
• regexp matching and extraction of sub-strings

Example:
!
event manager environment _SERVICE_INF_LIST <<Core Interfaces>>,Eth0/0,Eth0/1,Eth0/2,Eth0/3,<<Spoke Interfaces>>,Eth1/0,<<Spoke Tunnels>>,Tun100
!
event manager applet SHOW_STATUS
 event cli pattern "(sh|sho|show)\s+(stat|statu|status)" mode "exec" enter
 action 001.1 cli command "ena"
 action 003.1 foreach _inf "$_SERVICE_INF_LIST" ","
 action 004.1  regexp "<<(.*)>>" $_inf _match _str1
 action 004.2  if $_regexp_result eq 1
 action 004.3   puts "\n$_str1"
 action 004.4   puts "------------------------"
 action 004.5   continue
 action 004.6  end
 action 005.1  cli command "show interface $_inf"
 action 006.1  foreach _line $_cli_result "\n"
 action 007.1   regexp "^(.* is .*, line protocol is .*)\r$" $_line _match
 action 007.2   if $_regexp_result eq 1
 action 007.3    puts $_match
 action 007.4   end
 action 008.1   regexp "^(.*Description.*)\r$" $_line _match
 action 008.2   if $_regexp_result eq 1
 action 008.3    puts $_match
 action 008.4   end
 action 009.1   regexp "^(.* input rate .*)\r$" $_line _match
 action 009.2   if $_regexp_result eq 1
 action 009.3    puts $_match
 action 009.4   end
 action 010.1   regexp "^(.* output rate .*)\r$" $_line _match
 action 010.2   if $_regexp_result eq 1
 action 010.3    puts $_match
 action 010.4   end
 action 099.1  end
 action 099.2 end
!

Output Example:
R100#show stat

Core Interfaces
------------------------
Ethernet0/0 is up, line protocol is up
  5 minute input rate 1000 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
Ethernet0/1 is up, line protocol is up
  Description: TO HUB2-R101
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
Ethernet0/2 is up, line protocol is up
  Description: TO HUB2-R101
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
Ethernet0/3 is up, line protocol is up
  Description: TO HUB2-R101
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

Spoke Interfaces
------------------------
Ethernet1/0 is up, line protocol is up
  Description: TO HUB2-R101
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

Spoke Tunnels
------------------------
Tunnel100 is up, line protocol is up
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec

Tips:
• The regexp action matches a pattern (1st parameter) in the string that follows it (2nd parameter), allowing content extraction from the matched string portion:
   o The 3rd parameter is populated with whatever part of the string was matched by the whole pattern.
   o Any other parameters (4th and on) on the regexp command are populated by the extracted parts of the string (marked with ‘(‘ and ‘)’ in the pattern)
   o The $_regexp_result system variable holds a Boolean (0/1) result of the last regexp
   o http://www.cisco.[…].html#GUID-A9FDB5DC-ED8F-422B-BE4B-B59DE5A1D0B4
• The different regular expression strings used in the example include the following shortcuts:
   o \s – match any white space
   o \r – carriage return
   o \n – new line (note that a show output end of line is matched with \r\n)
   o .* – match any (also zero) number of any characters
   o ^ – beginning of line
   o $ – end of line
   o _ – (used in CLI “| include” syntax) – note the “| inc rate_”
   A more complete reference to Cisco regular expression support can be found at http://www.cisco.[…].html
• The foreach loop action iterates through all the fields in the provided string list, separated by the provided field separator
   o The field separator used in the foreach action could be “\n”. This allows iterating through a list of lines (for example all the lines in the output of a show command, or as it is used later in task 4)
   o http://www.cisco.[…].html#GUID-5A6D5C59-2EEF-44FE-B336-2F66FDC38757
   o You can also use the “while” loop to match for a loop condition: http://www.cisco.[…].html#wp1139025
• The continue action skips over the later commands, and makes the current loop skip to the next iteration. http://www.cisco.[…].html#GUID-5010385D-272C-48F7-BDE6-F413A44F3523
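The regular expressions of SHOW_STATUS are the part most likely to need adjusting for other platforms, so the following added example (not code from the lab guide) applies the same four line patterns and the <<group>> marker logic in Python to constructed “show interface” output, with \r\n line endings as IOS produces them. SHOW_INTERFACE, SERVICE_INF_LIST and fake_cli are constructed stand-ins for the router.

```python
"""Offline version of the SHOW_STATUS applet's parsing logic (added example)."""
import re

# Group markers and interface names separated by "," exactly as in the
# _SERVICE_INF_LIST environment variable (constructed list).
SERVICE_INF_LIST = "<<Core Interfaces>>,Eth0/0,Eth0/1,<<Spoke Tunnels>>,Tun100"

# Constructed 'show interface' output, keyed by the abbreviated name the applet
# passes to 'cli command "show interface $_inf"'. IOS terminates lines with
# \r\n, which is why every line pattern below ends in \r$.
SHOW_INTERFACE = {
    "Eth0/0": ("Ethernet0/0 is up, line protocol is up\r\n"
               "  Hardware is AmdP2, address is aabb.cc00.0100 (bia aabb.cc00.0100)\r\n"
               "  Description: TO HUB2-R101\r\n"
               "  Internet address is 10.1.1.100/24\r\n"
               "  5 minute input rate 1000 bits/sec, 2 packets/sec\r\n"
               "  5 minute output rate 1000 bits/sec, 2 packets/sec\r\n"),
    "Eth0/1": ("Ethernet0/1 is administratively down, line protocol is down\r\n"
               "  Hardware is AmdP2, address is aabb.cc00.0110 (bia aabb.cc00.0110)\r\n"
               "  30 second input rate 0 bits/sec, 0 packets/sec\r\n"
               "  30 second output rate 0 bits/sec, 0 packets/sec\r\n"),
    "Tun100": ("Tunnel100 is up, line protocol is up\r\n"
               "  Hardware is Tunnel\r\n"
               "  Description: PRIMARY TO R100\r\n"
               "  5 minute input rate 0 bits/sec, 0 packets/sec\r\n"
               "  5 minute output rate 0 bits/sec, 0 packets/sec\r\n"),
}

# The four 'regexp "^(...)\r$" $_line _match' patterns of actions 007-010.
LINE_PATTERNS = [
    r"^(.* is .*, line protocol is .*)\r$",
    r"^(.*Description.*)\r$",
    r"^(.* input rate .*)\r$",
    r"^(.* output rate .*)\r$",
]
GROUP_PATTERN = r"<<(.*)>>"   # action 004.1


def show_status(inf_list, cli):
    """Return the lines 'show status' would print. cli(name) stands in for
    'cli command "show interface $_inf"' and returns the raw output.
    re.search is used because the EEM regexp action is unanchored unless
    the pattern itself carries ^ or $."""
    out = []
    for inf in inf_list.split(","):                 # foreach _inf ... ","
        m = re.search(GROUP_PATTERN, inf)
        if m:                                       # group header, then 'continue'
            out += ["", m.group(1), "-" * 24]
            continue
        for line in cli(inf).split("\n"):           # foreach _line $_cli_result "\n"
            for pattern in LINE_PATTERNS:
                m = re.search(pattern, line)
                if m:                               # $_regexp_result eq 1
                    out.append(m.group(1))          # the captured part, without the \r
    return out


def fake_cli(inf):
    """Stand-in for the router: unknown names get an IOS-style error line,
    which none of the patterns match, so such an entry prints nothing."""
    return SHOW_INTERFACE.get(inf, "% Invalid input detected\r\n")


if __name__ == "__main__":
    print("\n".join(show_status(SERVICE_INF_LIST, fake_cli)))
```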

Task 8 – Secure Automatic Provisioning

Goal: Provision link configuration only when a specific neighbor is detected

Script Logic:
 Use the "neighbor-discovery" event detector to detect new or expired CDP neighbors.
 Correlate either one of the two different events:
  o CDP add neighbor
  o CDP delete neighbor
 If a new neighbor is detected on one of the uplink interfaces, the remote hostname is checked, and only if it matches the expected hostname is the interface provisioned.
 If an unexpected hostname is detected, the interface is disabled as a security measure and the script is aborted.
 If a neighbor is deleted (for example because the interface went down), the IP configuration is removed.

Introduced EEM Elements:
 Neighbor-discovery event detector
 Event correlation (using "event tag" and "trigger")
 if/else/elseif logical operations

Example:

Note: This example should be deployed on router R102 in the topology.

event manager applet AUTO_PROVISION_LINKS
 event tag CDP-ADD neighbor-discovery interface regexp (Ethernet0/0|Ethernet1/0) cdp add
 event tag CDP-DEL neighbor-discovery interface regexp (Ethernet0/0|Ethernet1/0) cdp delete
 trigger
  correlate event CDP-ADD or event CDP-DEL
 action 001 cli command "ena"
 action 002 cli command "conf t"
 action 003 cli command "interface $_nd_local_intf_name"
 action 004 if $_nd_notification eq "cdp-delete"
 action 005  cli command "interface $_nd_local_intf_name"
 action 006  cli command "no ip address"
 action 007  syslog priority alerts msg "Uplink device $_nd_cdp_entry_name on interface $_nd_local_intf_name is no longer detected. IP Address configuration removed."
 action 008 elseif $_nd_notification eq cdp-add
 action 009  if $_nd_local_intf_name eq "Ethernet0/0"
 action 010   if $_nd_cdp_entry_name eq "R101"
 action 011    set ip_addr "10.1.5.102"
 action 012    set ip_mask "255.255.255.0"
 action 013   else
 action 014    syslog priority alerts msg "Unexpected device detected on interface $_nd_local_intf_name ($_nd_cdp_entry_name). Interface is disabled."
 action 015    cli command "shut"
 action 016    exit
 action 017   end
 action 018  elseif $_nd_local_intf_name eq "Ethernet1/0"
 action 019   if $_nd_cdp_entry_name eq "R100"
 action 020    set ip_addr "10.1.6.102"
 action 021    set ip_mask "255.255.255.0"
 action 022   else
 action 023    syslog priority alerts msg "Unexpected device detected on interface $_nd_local_intf_name ($_nd_cdp_entry_name). Interface is disabled."
 action 024    cli command "shut"
 action 025    exit
 action 026   end
 action 027  end
 action 028  cli command "ip address $ip_addr $ip_mask"
 action 029  syslog priority informational msg "Uplink device $_nd_cdp_entry_name on interface $_nd_local_intf_name detected. IP Address configuration applied."
 action 030 end

Tips:
 CDP is not authenticated. Any device that advertises the expected Device ID passes the hostname check, so this mechanism protects against mis-cabling and accidental connections rather than against a deliberately spoofed neighbor.
 All system variables provided by a specific event detector can be seen in IOS by using the following command:

router#show event manager detector neighbor-discovery detailed
No.  Name                Version   Node      Type
1    neighbor-discovery  01.00     node0/0   RP
<skipped>
Applet Built-in Environment Variables:
  $_event_id
  $_job_id
  $_event_type
  $_event_type_string
  $_event_pub_time
  $_event_pub_sec
  $_event_pub_msec
  $_event_severity
COMMON VARIABLES:
  $_nd_notification
  $_nd_intf_linkstatus
  $_nd_intf_linestatus
  $_nd_local_intf_name
  $_nd_short_local_intf_name
  $_nd_port_id
CDP EVENT VARIABLES:
  $_nd_protocol
  $_nd_proto_notif
  $_nd_proto_new_entry
  $_nd_cdp_entry_name
  $_nd_cdp_hold_time
  $_nd_cdp_mgmt_domain
  $_nd_cdp_platform
  $_nd_cdp_version
  $_nd_cdp_capabilities_string
  $_nd_cdp_capabilities_bits
  $_nd_cdp_capabilities_bits_[0-31]
LLDP EVENT VARIABLES:
  $_nd_protocol
  $_nd_proto_notif
  $_nd_proto_new_entry
  $_nd_lldp_chassis_id
  $_nd_lldp_system_name
  $_nd_lldp_system_description
  $_nd_lldp_ttl
  $_nd_lldp_port_description
  $_nd_lldp_system_capabilities_string
  $_nd_lldp_enabled_capabilities_string
  $_nd_lldp_system_capabilities_bits
  $_nd_lldp_enabled_capabilities_bits
  $_nd_lldp_capabilities_bits
  $_nd_lldp_capabilities_bit_[0-31]

 To see how the different variables provided by the neighbor-discovery event detector are populated, the following test script can be used:

event manager applet TEST-ND
 event tag CDP-ADD neighbor-discovery interface regexp .* cdp add
 event tag CDP-DELETE neighbor-discovery interface regexp .* cdp delete
 trigger
  correlate event CDP-ADD or event CDP-DELETE
 action 100 puts "_nd_notification=$_nd_notification"
 action 101 puts "_nd_intf_linkstatus=$_nd_intf_linkstatus"
 action 102 puts "_nd_intf_linestatus=$_nd_intf_linestatus"
 action 103 puts "_nd_local_intf_name=$_nd_local_intf_name"
 action 104 puts "_nd_short_local_intf_name=$_nd_short_local_intf_name"
 action 105 puts "_nd_port_id=$_nd_port_id"
 action 110 puts "_nd_protocol=$_nd_protocol"
 action 111 puts "_nd_proto_notif=$_nd_proto_notif"
 action 112 puts "_nd_proto_new_entry=$_nd_proto_new_entry"
 action 113 puts "_nd_cdp_entry_name=$_nd_cdp_entry_name"
 action 114 puts "_nd_cdp_hold_time=$_nd_cdp_hold_time"
 action 115 puts "_nd_cdp_mgmt_domain=$_nd_cdp_mgmt_domain"
 action 116 puts "_nd_cdp_platform=$_nd_cdp_platform"
 action 117 puts "_nd_cdp_version=$_nd_cdp_version"
 action 118 puts "_nd_cdp_capabilities_string=$_nd_cdp_capabilities_string"
 action 119 puts "_nd_cdp_capabilities_bits=$_nd_cdp_capabilities_bits"

Output Example:

R102#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R102(config)#int e0/0
R102(config-if)#no shut
R102(config-if)#
*May 11 21:10:54.364: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
*May 11 21:10:55.372: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to up
R102(config-if)#
R102(config-if)#
*May 11 21:11:26.356: %HA_EM-6-LOG: AUTO_PROVISION_LINKS: Uplink device R101 on interface Ethernet0/0 detected. IP Address configuration applied.
R102(config-if)#
R102(config-if)#do show run int e0/0
Building configuration...

Current configuration : 87 bytes
!
interface Ethernet0/0
 description TO R101
 ip address 10.1.5.102 255.255.255.0
end

R102(config-if)#int e0/0
R102(config-if)#shut
R102(config-if)#
*May 11 21:12:04.052: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*May 11 21:12:06.956: %HA_EM-1-LOG: AUTO_PROVISION_LINKS: Uplink device R101 on interface Ethernet0/0 is no longer detected. IP Address configuration removed.
*May 11 21:12:07.052: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
R102(config-if)#
R102(config-if)#do show run int e0/0
Building configuration...

Current configuration : 75 bytes
!
interface Ethernet0/0
 description TO R101
 no ip address
 shutdown
end

-------------------------------------------------------------------------

R102#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R101             Eth 0/0           168             R       Solaris U Eth 1/0
R100             Eth 1/0           140             R       Solaris U Eth 1/0

R102#show run int e1/0
Building configuration...

Current configuration : 105 bytes
!
interface Ethernet1/0
 description TO R100
 ip address 10.1.6.102 255.255.255.0
 load-interval 30
end

R100(config)#hostname NOT_R100

R102#
*May 11 21:21:40.127: %HA_EM-1-LOG: AUTO_PROVISION_LINKS: Unexpected device detected on interface Ethernet1/0 (NOT_R100). Interface is disabled.
R102#show run int e1/0
Building configuration...

Current configuration : 93 bytes
!
interface Ethernet1/0
 description TO R100
 no ip address
 load-interval 30
 shutdown
end
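The following Python script is an added example, not part of the lab guide or Cisco's code. It models two things from this guide off-box so they can be unit-tested before an applet is deployed: the decision tree of the AUTO_PROVISION_LINKS applet (which CLI commands a given neighbor-discovery event would produce) and the regexp/foreach style of parsing shown earlier, applied line by line to a constructed "show cdp neighbors" output with the \r\n line endings IOS produces. The interface-to-neighbor table, the function names and the sample output are assumptions made for the example; the sample table reproduces the lab state after R100 was renamed NOT_R100.

```python
import re
from typing import Dict, List, Tuple

# Expected uplink neighbor and address per local interface (constructed to
# mirror the AUTO_PROVISION_LINKS applet: E0/0 <-> R101, E1/0 <-> R100).
EXPECTED_NEIGHBOR: Dict[str, Tuple[str, str, str]] = {
    "Ethernet0/0": ("R101", "10.1.5.102", "255.255.255.0"),
    "Ethernet1/0": ("R100", "10.1.6.102", "255.255.255.0"),
}


def provision_actions(notification: str, local_intf: str, entry_name: str) -> List[str]:
    """Return the IOS commands the applet would issue for one ND event.

    Same decision tree as the applet: cdp-delete strips the address,
    cdp-add from the expected Device ID applies it, and any other Device ID
    shuts the port and stops (the applet's 'exit' action).
    """
    cmds = ["ena", "conf t", f"interface {local_intf}"]
    if notification == "cdp-delete":
        cmds.append("no ip address")
        return cmds
    if notification != "cdp-add":
        return cmds  # the applet has no branch for other notifications
    expected = EXPECTED_NEIGHBOR.get(local_intf)
    if expected is None or expected[0] != entry_name:
        # On the router the event regexp already limits events to E0/0 and
        # E1/0; here an unknown interface is treated like a bad neighbor.
        cmds.append("shut")
        return cmds
    _, addr, mask = expected
    cmds.append(f"ip address {addr} {mask}")
    return cmds


# One 'show cdp neighbors' data row: Device ID, local interface, holdtime,
# capability letters, platform (may contain a space) and remote port ID.
# Named groups play the role of the extra parameters of the EEM regexp action.
CDP_ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<intf>Eth \d+/\d+)\s+(?P<hold>\d+)\s+"
    r"(?P<caps>[A-Za-z](?: [A-Za-z])*)\s+(?P<platform>.+?)\s+(?P<port>Eth \d+/\d+)\s*$"
)


def audit_cdp_table(show_cdp_output: str) -> Dict[str, str]:
    """Walk 'show cdp neighbors' output line by line (like an EEM foreach
    with "\\n" as separator) and compare each neighbor with the expected one."""
    verdicts: Dict[str, str] = {}
    for raw in show_cdp_output.split("\n"):
        line = raw.rstrip("\r")  # IOS ends each output line with \r\n
        m = CDP_ROW.match(line)
        if not m:
            continue  # legend, header and blank lines do not match a row
        device = m.group("device")
        local = m.group("intf").replace("Eth ", "Ethernet")
        expected = EXPECTED_NEIGHBOR.get(local)
        if expected is None:
            verdicts[local] = f"unmanaged interface (neighbor {device})"
        elif expected[0] == device:
            verdicts[local] = "ok"
        else:
            verdicts[local] = f"unexpected neighbor {device} (expected {expected[0]})"
    return verdicts


# Constructed sample, laid out like the lab's 'show cdp neighbors' output
# after R100 was renamed NOT_R100.
SAMPLE_SHOW_CDP = (
    "Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge\r\n"
    "                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,\r\n"
    "                  D - Remote, C - CVTA, M - Two-port Mac Relay\r\n"
    "\r\n"
    "Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID\r\n"
    "R101             Eth 0/0           168             R       Solaris U Eth 1/0\r\n"
    "NOT_R100         Eth 1/0           140             R       Solaris U Eth 1/0\r\n"
)

if __name__ == "__main__":
    for local_intf, verdict in audit_cdp_table(SAMPLE_SHOW_CDP).items():
        print(local_intf, verdict)
    print(provision_actions("cdp-add", "Ethernet1/0", "NOT_R100"))
```

Because the Device ID comes from an unauthenticated CDP advertisement, both functions treat it as an allow-list match for operational hygiene only; a device that advertises "R100" on Ethernet1/0 is indistinguishable from the real R100 at this layer.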


Appendix I

Figure 4 provides a reference to the different EEM event detectors available in the different Cisco software trains and versions:

Figure 4 Event Detector Support Matrix

Figure 5 shows the mapping between the EEM version and the different IOS version trains available:

Figure 5 IOS to EEM Version Mapping

The following command provides the EEM version on an IOS device:

Router#show event manager version
Embedded Event Manager Version 3.10
Component Versions:
eem: (v310_throttle)1.7
eem-gold: (v310_throttle)1.10
eem-call-home: (v310_throttle)1.6
Event Detectors:
Name                Version   Node      Type
application         01.00     node0/0   RP
routing             02.00     node0/0   RP
resource            01.00     node0/0   RP
track               01.00     node0/0   RP
syslog              01.00     node0/0   RP
...