So far we know that we can make routers and switches work the way we want them to. We can also configure them to report certain events. But i believe, a few of us would know that we can make our Cisco equipment act to certain events. We can make them perform scheduled operations (for example taking the config back up every day at 8 AM).
Is it possible that the routers sends out an email to a predefined mail box as soon as it detects some predefined critical event??? Events like:
1) Router restarts !!
2) Neighbor adjacency of EIGRP/OSPF/BGP goes up/down.
3) Any interface goes down/up
4) If the CRCs on a given interface reach a user defined threshold
5) If the received broadcasts on an interface reach a user defined threshold
Now some of you would say that we can do that by using any Network management Systems (eg. Cisco works). But, wouldn't it be great if we do not have to spend extra bucks for buying those software???
This is where Embedded Event Manager comes to rescue.
now let’s get a bit technical::
Normally Router doesn’t take any actions on its behalf when an event occurs. The more complex actions you like to take the more advance NMS you might require. Taking backup periodically or shutting an interface or clearing nat translations or executing some other command on a router when a specific event occurs is not an easy job even through an NMS. The most difficult part is the configuration required to force the router to throw an alert which is normally based on snmp variables or MIB OIDs and then you have to configure the NMS to catch it and perform the blah blah action. As long as you have an extensive training of your NMS i think its a very difficult job.
Keeping all the core technical stuff aside. EEM works in mostly two ways
1) When an EVENT occurs, perform x action.
2) Time based events. Carry out x action on a particular time, whether periodic or once.
Coming on to how to define the events and actions
Objective No.1) Take Router's startup-config backup on 15th of every month.
Now this is a time-based task. So let’s dive into the configuration.
1) R1(config)#event manager applet My_router_backup
This command simply enables the EEM applet My_router_backup. It will be in execution as soon as you exit the applet configuration mode. If you didnt define any event, the applet will be deleted, if you didnt define any action and exit, it will give you a warning. This applet is of no use untill you define an event to occur !!
2) R1(config-applet)#event ?
application Application specific event
cli CLI event
config Configuration policy event
counter Counter event
env Environmental event
gold GOLD event
interface Interface event
ioswdsysmon IOS WDSysMon event
none Manually run policy event
oir OIR event
resource Resource event
rpc Remote Procedure Call event
snmp SNMP event
snmp-notification SNMP Notification Event
syslog Syslog event
tag event tag identifier
timer Timer event
track Tracking object event
As you can see, you can define different types of events here. like, Interface events help you monitor a particular interface value (eg. broadcast received, input rate in bps/pps, output rate in bps/pps etc). Syslog is the most common and easy, it helps you monitor a particular syslog msg and as soon as that syslog message appears on a router you can define an action based on that (dont worry, i will provide an example of this). I hope by now you may have get some idea as to what an event does.
We will select TIMER since our action is not based on any particular event but rather periodic.
2) R1(config-applet)#event timer ?
absolute Absolute timer event
countdown Countdown timer event
cron Cron timer event
watchdog Watchdog timer event
This is easy although it doesn’t seem to but its easy trust me on that ;-).
Absolute time means that exactly when this time happens !! now you know that 3:06:23 11 march 2009 will only come once in your life right ? this is what absolute is ;-). It will occur once and only once at the time that you have defined. But since our task is to do on repeated basis. The timer that we will use is CRON timer.
Cron entries require some in-depth explanation so let’s go for it
Cron entry is composed of 5 fields and written in this form "x x x x x"
1) Min 0-59
2) Hour 0-23
3) Date 1-31
4) Month 1-12
5) Day of week 0-7
Now if i want to say take backup on 15th of every month at 18:00 pm. So lets start from down to up.
1) Min is 00 -> 0
2) Hour is 18 (so enter as it is)
3) Date is 15
4) Month is * (when we cant specify any value, we can simply write * there which would mean no matter which month is it)
5) Day of week * ( we are putting * here since we have already defined the day through date 15, so whichever day it is )
Therefore the cron_entry will be "0 18 15 * *", which mean on 15th of every month at 18:30 pm this action will take place.
2) R1(config-applet)#event timer cron cron_entry "0 18 15 * *"
Ok now the event is defined. Its time to define the action that is to occur when this time check is met. This is the most interesting part of it.
3) R1(config-applet)#action <label/line no.>
A bit about the labels. Nothing complex, you can use any alphabets and numeric here. Keep it simple, if alphabets are allowed here, that doesn’t make it obligatory to use them :-). So just forget you can use alphabets and stick to numbers for indexing purpose. Its purpose is of line numbers. So you can use them like this action 1, action 2, action 3 and so on ;-).
3) R1(config-applet)#action 1 cli command "enable"
This is where the fun starts ;-). After action 1 when you will issue ? you will see a number of different parameters but to save space i have chosen cli which has only 2 parameter -> command and pattern. First using command you can enter any command you like router to configure automatically as a result of above event !! Remember ANY COMMAND YOU WANT ;-). I am writing the entire set and after that i will explain it as whole.
4) R1(config-applet)#action 2 cli command "copy startup tftp:" pattern "remote host"
5) R1(config-applet)#action 3 cli command "10.0.0.1" pattern "filename"
6) R1(config-applet)#action 4 cli command ""
7) R1(config-applet)#action 5 syslog msg "BACKUP IS COPIED, HURRAYYYY"
Ok now don’t panic, it’s all very easy. first let me copy paste the process when i do it manually on the router
R1#copy startup-config tftp:
Address or name of remote host ? 10.0.0.1
Destination filename [r1-confg]?
Now see it carefully. What’s interesting about copy start tftp command ? it REQUIRES input from user, this is where pattern comes in. Through pattern command you tell the <action> that after executing command you shall see SOMETHING like what is defined in the pattern. Now if you see, what will come after i type copy start up tftp, it displays this asking for input
Let’s say, you want to make sure loopback0 never gets shut down accidentally. We can create a EEM applet to watch for the syslog message that loopback0 has been shut down, and automatically bring it back up!
event manager applet WatchLo0
event syslog pattern "Interface Loopback0.* down" period 1
action 2.0 cli command "enable"
action 2.1 cli command "config t"
action 2.2 cli command "interface lo0"
action 2.3 cli command "no shutdown"
action 3.0 syslog msg "Interface Loopback0 was brought up via EEM"
When the lo0 interface is shutdown manually it should trigger the EEM applet and perform the actions that we have defined. Let’s go ahead and test this out.
*Jun 6 11:04:52.006: %SYS-5-CONFIG_I: Configured from console by console
*Jun 6 11:04:53.052: %LINK-5-CHANGED: Interface Loopback0, changed state to administratively down
*Jun 6 11:04:55.536: %LINK-3-UPDOWN: Interface Loopback0, changed state to up
*Jun 6 11:04:56.586: %HA_EM-6-LOG: WatchLo0: Interface Loopback0 was brought up via EEM