Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

Post on 12-May-2015

DESCRIPTION

Embedded Event Manager (EEM) provides on-board event management and automation within Cisco IOS. Cisco EEM is supported on more than thirty Cisco IOS and IOS-XE based platforms. Using the latest features of EEM, network engineers have the tools and capabilities to reduce operational costs, simplify management tasks and configuration, and maximize ROI.

TRANSCRIPT

Page 1: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco IOS Advantage Webinars Network Automation Techniques Using Embedded Event Manager (EEM)

David Lin, Joe Clarke, Davra Networks

We’ll get started a few minutes past the top of the hour.

Note: you may not hear any audio until we get started.

Page 2: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

Speakers

David Lin

Product Manager

[email protected]

Davra Networks

Paul Glynn, CEO

[email protected]

Joe Clarke

Distinguished Support Engineer

[email protected]

Panelists

Jason Pfeifer

Technical Leader

[email protected]

Page 3: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Submit questions in Q&A panel and send to “All Panelists”

Avoid CHAT window for better access to panelists

• For Webex audio, select COMMUNICATE > Join Audio Broadcast

• For Webex call back, click ALLOW Phone button at the bottom of Participants side panel

• Where can I get the presentation?

https://communities.cisco.com/docs/DOC-28743

Or send email to: [email protected]

• Please fill in Survey at end of event

• Join us on May 2 for our next IOS Advantage Webinar:

Securing the Access Layer

Page 4: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Real World Network Automation Techniques

• Recent Use Cases - a TAC Perspective

• What’s New in EEM 4.0

• Q&A

Page 5: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

Use Case 1: Every few weeks a router runs low on memory around 2am, and I want to find out what’s happening

• Solution: An EEM script could be triggered by memory utilization, capture the memory information, and send the output via syslog or email

Use Case 2: If my ACL configuration gets changed, I want to be notified, but I can’t sit there and monitor it all the time

• Solution: An EEM script could be triggered by a CLI command, take a snapshot of the logged-in user and the changed configuration, and send an email to you

Use Case 3: I want to save energy, but I can’t go around and turn off everyone’s IP phone every day

• Solution: The timer ED can be used to trigger an EEM script that turns off your IP phone at 7pm every day and turns it back on at 7am the next day

Page 8: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Creating custom SNMP OIDs for polling

• Running CLI commands periodically

• Remote command invocation

• Bypassing AAA authorization

• Monitoring configuration changes

Page 9: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Requirement: EEM needs to provide a way to poll results of the policies rather than simply send updates via syslog, trap, etc.

• Solution: Use the Cisco EASy package to create custom MIB objects based on the output within a CLI command.

• EXPRESSION-MIB plus the Embedded Event Manager provide a way to gather data only available via Command Line Interface (CLI), even if there is no MIB support currently available

Page 10: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Is a certain value from a show command supported in a specific MIB?

[Diagram, steps 1-5: SNMP Manager, SNMP Agent, EXPRESSION-MIB/RFC2982 support, Custom MIB, EEM policy; polling request on our “Custom-MIB” (MIB Value - expExpression)]

Page 11: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• EASy package is available at http://tools.cisco.com/squish/b35c5

• Modified version available at https://supportforums.cisco.com/docs/DOC-19587

Supports multiple show commands

Customizable expression names

• Custom solutions can be discussed at http://www.cisco.com/go/ciscobeyond

Page 12: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

1. Run a CLI command periodically

2. Extract a value from the output

3. Check value

4. Perform actions based on results

5. Profit!!!

Page 13: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

event manager applet periodic-cmd
 event timer watchdog time 60
 action 001 handle-error type ignore
 action 002 context retrieve key PCMDCTX variable pauses
 action 003 if $_error ne FH_EOK
 action 004  set pauses 0
 action 005 end
 action 006 handle-error type exit
 action 007 cli command "enable"
 action 008 cli command "show interface FastEthernet0/0 | inc pause input"
 action 009 regexp "([0-9]+) input pause" $_cli_result match rxpauses
 action 010 if $rxpauses gt $pauses
 action 011  subtract $rxpauses $pauses
 action 012  syslog msg "Interface FastEthernet0/0 has seen $_result input pauses in the past 60 seconds"
 action 013 end
 action 014 set pauses $rxpauses
 action 015 context save key PCMDCTX variable pauses

Our command to run periodically (action 008)

Page 14: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

::cisco::eem::event_register_timer watchdog time 60

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]

# Equivalent of applet actions 001-006: load the saved counter and fall
# back to 0 when no context has been saved yet (for example on the first run).
if {[catch {set pauses [context_retrieve PCMDCTX pauses]} errmsg]} {
    puts "context_retrieve failed: $errmsg"
    set pauses 0
}

The easiest thing to do is go to http://www.marcuscom.com/convert_applet and convert the applet to Tcl.

Page 15: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Automate commands on another (maybe non-IOS) device using EEM from a remote device

• EEM can automate connections across multiple protocols

Telnet

Reverse telnet

Session

Remote console

Remote commands

SSH (15.1(4)T and 15.2(2)T and higher)

• EASy package exists to help with this

EASY Command Shell

Download from http://tools.cisco.com/squish/b35c5

Page 16: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

# Open a local CLI session and enter privileged mode
array set cli [cli_open]
cli_exec $cli(fd) "enable"
# Write to the line attached to the remote device's console and wait for the prompts
cli_write $cli(fd) "send tty 11\r"
cli_read_pattern $cli(fd) "Enter message"
cli_write $cli(fd) "show version\r"
cli_read_pattern $cli(fd) "Send message"
set output [cli_exec $cli(fd) "\r"]
puts "Version is $output"
cli_close $cli(fd) $cli(tty_id)

Run “show version” on remote device’s console

Cisco IOS Software, C2900 (c2900-IPVOICE_IVS-M), Version 15.2(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 18-Nov-11 17:09 by prod_rel_team

Page 17: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• By default, all CLI interactions go through AAA command authorization (if configured)

• This can cause performance issues

• EEM 3.1 introduced the ability to bypass AAA authorization on a per-policy basis

Tcl:

::cisco::eem::event_register_syslog pattern "SYS-5-CONFIG_I" authorization bypass

Applet:

event syslog pattern "SYS-5-CONFIG_I" authorization bypass

Page 18: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Allow EEM to use VTY 0 all the time for CLI sessions (transport input none)

• VTY 0 will not do any command authorization

• CAVEAT: Only one EEM policy needing CLI can run at a time

• More details at http://tools.cisco.com/squish/943C1

aaa authentication login EEMScript none
aaa authentication login default group tacacs+ local
aaa authorization exec EEMScript none
!
aaa authorization commands 0 EEMScript none
aaa authorization commands 1 EEMScript none
aaa authorization commands 15 EEMScript none
!
line vty 0
 login authentication EEMScript
 authorization exec EEMScript
 authorization commands 0 EEMScript
 authorization commands 1 EEMScript
 authorization commands 15 EEMScript
 transport input none
 length 0
!
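
The VTY 0 approach above is only safe while the line that uses the "none" method lists stays closed to inbound sessions. One way to check a saved configuration for that, as an added example that is not part of the original slides: the function name and the drifted sample are assumptions made here, and the audit assumes an explicit "transport input none" is required on every such line.

```python
import re

# AAA method lists whose only method is "none" (login, exec or commands N).
NONE_LIST_RE = re.compile(
    r"^aaa (?:authentication login|authorization (?:exec|commands \d+)) (\S+) none\s*$", re.M)
# Line-level statements that apply a named method list.
LINE_USE_RE = re.compile(
    r"(?:login authentication|authorization (?:exec|commands \d+)) (\S+)$")

def audit_vty_bypass(config):
    """Return 'line ...' blocks that apply a none method list without an
    explicit 'transport input none' (assumed to be required on every such line)."""
    none_lists = set(NONE_LIST_RE.findall(config))
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif current and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    findings = []
    for name, stmts in blocks.items():
        used = {m.group(1) for m in map(LINE_USE_RE.match, stmts) if m}
        if used & none_lists and "transport input none" not in stmts:
            findings.append(name)
    return findings

# Method lists from the slide (abridged).
AAA = """aaa authentication login EEMScript none
aaa authentication login default group tacacs+ local
aaa authorization commands 15 EEMScript none
"""
# VTY 0 as configured on the slide (abridged).
SLIDE_CONFIG = AAA + """line vty 0
 login authentication EEMScript
 authorization commands 15 EEMScript
 transport input none
"""
# Constructed drift: the same lists applied to a range that still accepts SSH.
DRIFTED_CONFIG = AAA + """line vty 0 4
 login authentication EEMScript
 authorization commands 15 EEMScript
 transport input ssh
"""

if __name__ == "__main__":
    print(audit_vty_bypass(SLIDE_CONFIG), audit_vty_bypass(DRIFTED_CONFIG))
```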

Page 19: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• When one leaves “config t” mode, a SYS-5-CONFIG_I syslog message is sent

Config may not have changed

Uninteresting parts of the config may have changed

• EEM can be used to build a “smarter” configuration change monitor

• The config archive feature of IOS will send every configuration message out as a syslog

Page 20: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

archive
 log config
  logging enable
  notify syslog contenttype plaintext
!
event manager applet smart-config-monitor
 event syslog pattern "PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*"
 action 1.0 regexp "User:([a-zA-Z0-9_\.'-]+).*logged command:(snmp.*)" $_syslog_msg match user command
 action 2.0 if $_regexp_result eq 1
 action 2.1  info type routername
 action 3.0  mail server "10.1.1.1" to "[email protected]" from "[email protected]" subject "SNMP change on device $_info_routername" body "The following config was changed by $user on $_info_routername: $command"
 action 4.0 end

Config Archive logging

Only match configuration changes (i.e., not the enable EXEC command)

In this example, we only care about SNMP changes
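
The matching logic of the smart-config-monitor applet, replayed on a syslog collector, as an added example that is not part of the original slides. The two regular expressions are the applet's (with the command capture widened), the syslog lines are constructed, and the "aaa" and "eem" watchlist entries are assumptions that go beyond the slide's SNMP-only filter.

```python
import re

# The applet's two patterns; the capture is widened from (snmp.*) to (.*) so the
# watchlist below decides which commands matter.
EVENT_RE = re.compile(r"PARSER-5-CFGLOG_LOGGEDCMD.*logged command:[a-zA-Z0-9].*")
FIELDS_RE = re.compile(r"User:([a-zA-Z0-9_.'-]+).*logged command:(.*)")

# "snmp" is the slide's filter; the "aaa" and "eem" entries are assumptions added here.
WATCHLIST = [
    ("snmp", re.compile(r"snmp")),
    ("aaa", re.compile(r"(?:no )?aaa (?:authentication|authorization) ")),
    ("eem", re.compile(r"(?:no )?event manager ")),
]

def classify(line):
    """Return (user, command, tag) for a watched configuration change, else None."""
    if not EVENT_RE.search(line):
        return None  # not a config-archive message, or an EXEC entry such as "!exec: enable"
    m = FIELDS_RE.search(line)
    if not m:
        return None
    user, command = m.group(1), m.group(2).strip()
    for tag, pattern in WATCHLIST:
        if pattern.match(command):
            return (user, command, tag)
    return None

def triage(lines):
    """Keep only the lines that classify() flags, in arrival order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed syslog lines in the config-archive format the applet matches.
SAMPLE = [
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:!exec: enable",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:snmp-server community example RO",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:jdoe  logged command:interface FastEthernet0/0",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:ops.admin  logged command:aaa authorization commands 15 EEMScript none",
    "%SYS-5-CONFIG_I: Configured from console by jdoe on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for user, command, tag in triage(SAMPLE):
        print(f"[{tag}] {user}: {command}")
```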

Page 23: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

Platform/OS Support

• ISRs: 15.2(2)T

• ASR 1K: IOS-XE 3.5

• Catalyst 6K: Planned / CY’12

• Catalyst 4K: Planned / CY’13

Page 24: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

EEM Security Enhancements

• Checksum based script integrity check

• 3rd party digital signature support

• Script owner identification

• Registration of remote Tcl policies

EEM Email Action Enhancements

• Custom port for SMTP mail actions

• TLS support for SMTP mail actions

Page 25: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

EEM Usability Enhancements

• File operations in EEM applet actions

• New fields to track queue size, dropped events, and run-time

EEM Event Detector Enhancements

• CLI event detector enhancement

• Syslog event detector performance enhancement

EEM Resource Management

• Resource Consumption Throttling

• Rate limiting of events

Page 26: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

http://www.cisco.com/go/ciscobeyond

Discussion forums: Ask questions, get answers

Video tutorials: Coming soon!

Cast your vote! Which scripting language would you like to see supported in the future?

Script repository: Over 130+ open source scripts, learn by example

Page 27: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• “Living” document at https://supportforums.cisco.com/docs/DOC-12757

• Contains helpful tips and tricks to get the most out of EEM

• Great supplement to the Cisco.com docs

Page 28: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Cisco Embedded Automation Systems (EASy) unites Cisco IOS technologies and leverages embedded management for automation offering lower TCO for Cisco products

• Goal is to create well-tested, well-documented packages which are easy to install, easy to manage, and easy to service

• Contact [email protected] if you have challenges you would like help solving using Cisco automation

• http://www.cisco.com/go/easy/

Page 29: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

Session ID | Title | Type
BRKCDN-1008 | Getting network service and device visibility via Cisco ConnectedApps PathTrace Service Set APIs | Technical breakout – 90 minutes
BRKCRS-3090 | Implementing Network Automations | Technical breakout – 90 minutes
LABNMS-4348 | Implementing Network Automation - The Basics | Walk-In Self-Paced Lab
LABNMS-4359 | Implementing Network Automation - Intermediate | Walk-In Self-Paced Lab
LABNMS-4360 | Implementing Network Automation - Advanced | Walk-In Self-Paced Lab
BRKNMS-2030 | Onboard Automation with Cisco IOS Embedded Event Manager | Technical breakout – 2 hours
BRKNMS-3021 | Advanced Cisco IOS Device Instrumentation | Technical breakout – 2 hours
TECCRS-3000 | Hands on Embedded Event Manager in Catalyst Switches | Technical seminar – 8 hours
TECARC-4434 | Manage and Deploy Borderless Network Architectures using Embedded IOS Features | Technical seminar – 4 hours

1. Go to https://ciscolive2012.com/scheduler/catalog.do

2. Log in

3. Sign up for the sessions you want

4. We’ll see you there!

Page 30: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• EEM is a powerful tool embedded in Cisco routers and switches that provides real-time network event detection and onboard automation.

• EEM’s scripting community, Cisco Beyond, is an established open development community where customers can share scripts, get support, learn best practices, and collaborate with their peers and Cisco subject matter experts.

• EEM Cisco Partners add even more value to the power of EEM by simplifying deployments and improving ease of use.

Page 32: Cisco Embedded Event Manager (EEM): Technical Deep Dive (IOS Advantage Webinar)

• Thank you!

• Please complete the post-event survey.

• Join us May 2 for our next webinar:

Securing the Access Layer

To register, go to www.cisco.com/go/iosadvantage