아래 문서는 Catalyst 스위치 플랫폼에서 EEM 사용법에 대한 기본적인 설명과 사례에 대한 설명입니다.
1-1. EEM Overview
Cisco IOS EEM(Embedded Event Manager)은 실시간 네트워크 이벤트 감지 및 로컬에서 자동화 동작을 제공합니다.
1-2. Software compatibility
EEM은 Cisco IOS Software Release 12.2SX, 12.2SR, 12.2SB, 12.4 및 12.4T, 15.0M, 12.2SG, 12.2SE, Cisco IOS XE 및 이후 버전에서 사용할 수 있고 Cisco IOS XR 및 Cisco NX OS에도 포함되어 있습니다.
이 문서의 정보는 다음 소프트웨어 및 하드웨어 버전을 기반으로 합니다.
-
Cisco IOS Software 버전 16.X 또는 17.X를 실행하는 Cisco Catalyst 9000 스위치.
-
이 문서에 사용된 모든 디바이스는 초기화된(기본) 컨피그레이션으로 시작되었습니다. 현재 네트워크가 작동 중인 경우 모든 명령의 잠재적인 영향을 미리 숙지하시기 바랍니다.
-
이러한 스크립트는 Cisco TAC에서 지원하지 않으며 교육 목적으로 제공됩니다.
1-3. Software packaging
일부 Cisco 제품은 EEM에 대한 라이센스가 필요합니다. 라이센스 정보는 Cisco IOS Software Feature Navigator를 참조하십시오.
2. EM Architecture
EEM은 Event Detector, Embedded Event Manager Server 및 Policy로 구성되여 있습니다.
Event Detector(event publisher) 는 스위치에서 발생하는 이벤트를 추적하고 Event Manager Server로 부터 해당 EEM policy가 트리거 되도록 제어 신호를 보내게 되며 event policy에 정의된 action 들을 순차적으로 실행하게 됩니다.
이로 인해 관리자가 편리하게 이벤트에 대한 감지 및 자동화 동작을 제공 할 수 있도록합니다.
3-1. Script Template
EEM 스크립트는 세 부분으로 구성됩니다
a. Name
b. Event
c. Action
아래처럼 컨피그를 적용하게 되면 Heman이라는 EEM 스크립트가 적용됩니다. 이 스크립트가 모니터링하는 Event는 30초로 설정된 타이머입니다.
즉 30초마다 두 개의 syslog 메시지가 생성됩니다. 즉 정의된 action들이 순차적으로 실행됩니다.
config t
event manager applet Heman
event timer watchdog time 30
action 1.0 syslog msg "I say Hello!"
action 2.0 syslog msg "What's going on?"
3-2. Timers
Timer를 사용하여 특정 시간대 혹은 시간 간격을 두고 주기적으로 EEM 스크립트 트리거 되게 할 수 있습니다.
Timer Type |
Description |
absolute |
Specifies that an event is triggered when the specified absolute time of day occurs.event timer absolute time 13:22:24 |
countdown |
Specifies that an event is triggered when the specified time counts down to zero. The timer does not reset. In seconds.event timer countdown time 600 |
watchdog |
Specifies that an event is triggered when the specified time counts down to zero. The timer automatically resets to the initial value and continues to count down. In seconds.event timer watchdog time 60 |
cron |
Cron is not specific to IOS, it's a generic Linux time-based job scheduler. Cron uses the system clock to schedule one time, and repeating jobs based off of the time, days of the week, days of the month, or the calendar. If your having problems developing a specific cron string try looking it up on Google.A cron time is written using a set of 5 numbers, dashes, forward slash, and asterisk (*) that look like this:event timer cron cron-entry "1 * * * *"The position of the character denotes its function. From left to right:1. Minute (0-59): What minute of the hour the script will run on.2. Hour (0-23): What hour the script will run on, and is specified in the 24 hour clock.3. Day of the month (1-31): What day of the month the script will run on.4. Month (1-12): What month the script will run on.5. Day of Week (0-7): Day of the week. 0 to 6 are Sunday to Saturday, 7 is also SundayAn asterisk is a wildcard, or 'dont care'. A dash (-) denotes a range. The above example can be read "On the first minute of every hour, on every day of the month, on every month, on every day of the week". Or simply put run the script on the first minute of every hour.Here are a few more examples:17 8 * * * --run daily at 8:17 am17 20 * * * --run daily at 8:17 pm00 4 * * 0 --run at 4 am every Sunday42 4 1 * * --run 4:42 am every 1st of the month01 * 19 07 * --run hourly on the 19th of July59 11 * * 1-5 --run at 11:59 Monday, Tuesday, Wednesday, Thursday and FridayYou can also use a forward slash (/) to step field. Meaning that it would be ran like a watchdog. For example:*/1 * * * * --Run every minute* */2 * * * -- Run every two hours |
3-3. State Based Events
State based events는 실시간으로 시스템 상태를 모니터링해서 특정 이밴트가 감지될 때 EEM을 트리거하는 방식입니다. 이는 Syslog 메시지, SNMP 값의 변화가 되겠습니다.
Event Type |
Description |
event snmp oid |
Look for the data of a specific SNMP OID. The data in these come in many data types, strings, ints, and booleans. A logical operator will be needed to trigger the event. For example:event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact entry-op ge entry-val 50 poll-interval1! NOTE - Cat9k may require oid 1.3.6.1.4.1.9.2.1.56 get-type next due to CPU differencesThis oid is the current CPU utilization on a 6800 platform. This will look every second to see if the CPU is higher than 50%, if so the event will trigger. |
event syslog |
Look for a specific string in the syslog:event syslog pattern "UDLD_PORT_DISABLED"Look for the string "UDLD_PORT_DISABLED" anywhere in any new syslog message. |
3-4. Delaying the next run
‘exit-time’ 옵션을 사용해서 EEM script 트리거되는 시간 간격을 정의 할 수 있습니다.
아래 컨피그를 적용하게 되면 "CPURISINGTHRESHOLD" 메시지가 포함된 syslog가 감지되면 high-cpu라는 EEM 스크립트가 트리거 되고 "EEM: HIGH CPU detected!" 라는 syslog가 발생합니다.
그후10초 동안 해당 EEM 스크립트는 비활성화 상태로 바꿔지며 "CPURISINGTHRESHOLD"라는 메시지가 여러번 감지가 되어도 EEM 스크립트가 트리거 되지는 않습니다.
10초라는 dead timer이 끝나고 다시 활성화 될 겁니다.
event manager applet high-cpu exit-time 10
event syslog pattern "CPURISINGTHRESHOLD"
action 0.1 syslog msg "EEM: HIGH CPU detected!"
3-5. Actions
EEM 스크립트가 트리거 되면 모든 action들을 순서대로 실행합니다. 이러한 action들은 syslog, cli명령을 실행하고, 변수 선언,함수 또는 정규식(regex)을 포함할 수 있습니다.
아래와 같이 사용 할 수 있습니다.
Action |
Description |
action 1.0 cli command "<command>" |
Runs the specified CLI command. Just about anything you can manually run on the switch can be done here. Make sure to be in the right priviege mode.Example:action 1.0 cli command "show clock | appendbootdisk:thetime.txt"Run the 'show clock' command and print it to the bootdisk:thetime.txt file. |
action 1.0 wait <seconds> |
Do nothing for X seconds, then continue executing the EEM script |
action 1.0 syslog msg "<txt>" |
Prints the specified text to the system log |
action 1.0 if <var1> <operator> <var2>.....action 1.3 end |
An if statement. The if statement supports variable and is mostly used with them.
action 10 cli command "en"action 11 cli command "show ip arp | in b4e9.xxxx.6a41"action 12 regexp ".*(ARPA).*" $_cli_resultaction 13 if $_regexp_result eq 1action 14 syslog msg $_cli_resultaction 15 elseaction 16 syslog msg "Mac not found!"action 17 endRun the show arp command limited to the specified mac.Check to see if the there are any entries in the results of the show command. If there are print the line to the syslog else report that nothing was found. |
action 1.0 info type snmp <OID> get-type exact and "goto" operator |
Action gets a value and defines it to an internal value for SNMP results. In the example below, we trigger based on a syslog pattern, and then poll the CPU of the switch. Depending on the CPU utilization on that time determined which part of the script we perform actions on.event manager applet CPU_Monitor event syslog pattern "Neighbor Down: BFD node down"action 1.01 info type snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3.1 get-type exact! NOTE - Cat9k may require "...oid 1.3.6.1.4.1.9.2.1.56 get-type next" due to CPU differencesaction 1.02 if $_info_snmp_value ge "85" goto 1.04action 1.03 if $_info_snmp_value lt "85" goto 1.12action 1.04 syslog priority critical msg " BFD Failure Detected - CPU: $_info_snmp_value Percent - Statistics Logged"action 1.11 cli command "end"action 1.12 syslog priority errors msg " BFD Failure Detected - CPU: $_info_snmp_value Percent - Statistics Logged"action 1.20 cli command "end" |
3-6. System Variables
아래 내용은 자주 사용되는 시스템에서 정의된 변수입니다.
EEM Action |
Variable Name |
Description |
action add |
$_result |
Stores the sum of the previous addition operation |
action cli |
$_cli_result |
Contains the output from thelast CLI command executed. It will be overwritten each time "action cli" is invoked |
action regexp |
$_regexp_result |
A boolean value that indicates whether the regular expression matched. It the match was successful, the value will be '1', else it will be '0'. |
action info type snmp oid |
$_info_snmp_oid, $_info_snmp_value |
The OID and the value of the result of an SNMP GET, GETNEXT, or SET operation. |
3-7. User Variables
아래 처럼 수동으로 사용자 변수를 정의 할 수도 있습니다.
event manager environment my_mac b4e9.xxxx.660c
action 1.0 syslog msg "Detected the mac $my_mac"
3-8. Manually running scripts
Event를 'none' 으로 변경하여 EEM 스크립트를 수동으로 트리거 되게 할 수 있습니다.
event manager applet Heman
event none
action 1.0 syslog msg "I say Hay!"
action 2.0 syslog msg "What's going on?"
CLI 'event manager run <script name>’ 를 실행하게 되면 EEM 스크립트가 실행이 됩니다.
# event manager run Heman
*May 26 05:53:17.354: %HA_EM-6-LOG: Heman: I say Hay!
*May 26 05:53:17.354: %HA_EM-6-LOG: Heman: What's going on
4. Example Scripts
a. UDLD Port disable troubleshooting
event manager applet UDLD_PORT_DISABLED authorization bypass
event syslog pattern "UDLD_PORT_DISABLED" maxrun 60
action 1.0 cli command "enable"
action 1.1 cli command "show clock | append bootdisk:udldeem.txt"
action 2.0 cli command "show interfaces counters | append bootdisk:udldeem.txt"
action 3.0 cli command "show proc cpu sort | append bootdisk:udldeem.txt"
action 4.0 cli command "show proc cpu history | append bootdisk:udldeem.txt"
action 5.0 cli command "show ibc | append bootdisk:udldeem.txt"
action 6.0 cli command "show log | append bootdisk:udldeem.txt"
action 7.0 cli command "debug netdr cap rx"
action 7.1 wait 2
action 8.0 cli command "show netdr cap | append bootdisk:udldeem.txt"
action 9.0 syslog msg "data collection complete"
b. Monitor Mac Learning in Mac-Address-Table and ARP table on Timer
event manager applet mac_trace authorization bypass
event timer watchdog time 30
action 10 cli command "en"
action 113 cli command "show ip arp | in b4e9.xxxx.6a41"
action 120 regexp ".*(ARPA).*" $_cli_result
action 121 if $_regexp_result eq 1
action 126 syslog msg $_cli_result
action 131 end
action 213 cli command "show mac add vlan 1 | in b4e9.xxxx.6a41"
action 220 regexp ".*(DYNAMIC).*" $_cli_result
action 221 if $_regexp_result eq 1
action 226 syslog msg $_cli_result
action 231 end
c. Upgrade a Polaris Switch
event manager applet UPGRADE authorization bypass
event none maxrun 300
action 1.0 cli command "enable"
action 1.1 cli command "install add file flash:cat9k_iosxe.16.06.02.SPA.bin activate commit" pattern "y\/n"
action 1.2 cli command "y" pattern "y\/n"
action 1.3 puts "Fixing to reload"
action 1.5 cli command "y"
d. Shut down a port on a cron timer
event manager applet shut_port authorization bypass
event timer cron cron-entry "0 18 * * 4"
action 1.0 syslog msg "shutting port"
action 1.2 cli command "enable"
action 1.3 cli command "config t"
action 1.4 cli command "int Te2/1/15"
action 1.5 cli command "shutdown"
action 1.6 cli command "end
e. High CPU caused by SNMP
event manager applet high-cpu authorization bypass
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3 get-type next entry-op gt entry-val 85 poll-interval 1 exit-time 600 maxrun 400
! NOTE - Cat9k may require "...oid 1.3.6.1.4.1.9.2.1.56 get-type next" due to CPU differences
action 1.1 cli command "enable"
action 1.2 syslog msg "TAC - Capturing high cpu information to sup-bootdisk:"
action 1.3 cli command "term length 0"
action 2.1 cli command "show process cpu sorted | redirect sup-bootdisk:eem-cpu1.txt"
action 2.2 cli command "show stack 598 | redirect sup-bootdisk:eem-cpu1.txt"
5. Reference documents
System Management Configuration Guide, Cisco IOS XE 17.x
Cisco IOS Embedded Event Manager Command Reference
Understand Best Practices and Useful Scripts for EEM
EEM Scripts used to Troubleshoot
Cisco IOS Embedded Event Manager 4.0
Cisco Feature Navigator
