
How to use EEM TCL Script in Router?

Dipesh Patel
Level 2

Dear All,

I have prepared one Tcl script (it's my 1st, for testing and understanding).

********************************************** TEST.tcl *******************************************

::cisco::eem::event_register_syslog pattern "Interface FastEthernet0/0, changed state to up"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]

action_script status enable

if {[catch {cli_exec $cli_fd(fd) "enable"} result]} {error $result $errorInfo}

if {[catch {cli_exec $cli_fd(fd) "int fa0/1"} result]} {error $result $errorInfo}

if {[catch {cli_exec $cli_fd(fd) "shut"} result]} {error $result $errorInfo}

action_syslog msg "New Port is up now"

if {[catch {cli_close $cli_fd(fd) $cli_fd(tty_id)} result]} {error $result $errorInfo}

********************************************** TEST.tcl *******************************************

Can anybody tell me how I can use this script in the router, so that whenever my interface fa0/0 comes up it will put fa0/1 in shutdown mode?

Can you provide me the steps to do in the router?

What are the prerequisites for the use of this?

Regards


Joe Clarke
Cisco Employee

You don't need a Tcl script for this.  You can use this applet instead:

event manager applet intf-shut
 event syslog pattern "Interface FastEthernet0/0, changed state to up"
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "int fa0/1"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"

Dear Joseph,

Yes, I agree, but I want to understand how to use a Tcl script. It's just an example.

Can you give the steps for executing EEM TCL script?

Regards

Your Tcl policy is wrong to begin with.  You would first need to open the CLI session.  However, assuming you have a working policy, copy it to a location on the device's local flash (I like flash:/policies).  Then register that location with the EEM server:

event manager directory user policy flash:/policies

Finally, register your EEM Tcl policy:

event manager policy TEST.tcl

That's it.  Now, when the syslog message is generated, your policy will be triggered.

Hi,

In an EEM applet, can we execute any CLI commands?

Regards

Virtually any command, yes.  You cannot do '?' like you can from an interactive session, but you can execute all EXEC and config commands otherwise.

Dear Joseph,

Please verify my script. Is it OK? Will it work? Please suggest.

Purpose: Track the 2nd WAN link; if it goes down, then the shown ACL will be applied on the interface, and if the link comes up again the ACL will be removed.

ip sla 11
icmp-echo 10.254.251.2
frequency 50
ip sla schedule 11 life forever start-time now
!
ip access-list extended BLOCK
remark "Non-Critical Traffic"
deny ip any  host 172.24.33.187
deny ip host 172.24.33.187 any
deny ip any  host 172.24.33.132
deny ip host 172.24.33.132 any
deny ip any  host 172.24.101.137
deny ip host 172.24.101.137 any
permit ip any any


::cisco::eem::event_register_syslog pattern {ip sla 11 reachability Up->Down}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]


if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}

if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "configure term"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "interface g0/1"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "ip access-group BLOCK out"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "ip access-group BLOCK in"} _cli_result] {
    error $_cli_result $errorInfo
}

action_syslog msg "blocking non-critical traffic"

::cisco::eem::event_register_syslog pattern {ip sla 11 reachability Down->Up}

if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "configure term"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "interface g0/1"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "no ip access-group BLOCK out"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "no ip access-group BLOCK in"} _cli_result] {
    error $_cli_result $errorInfo
}

action_syslog msg "Allowing non-critical traffic"

# Close open cli before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result

You appear to have combined two policies into one, which will not work.  You need to separate these two out at the event detector lines and put them into two .tcl files.  You will then need to add the missing CLI close and open events to both.

Dear Clarke,

I have separated the policy into two parts and tried to run it, i.e.

BLOCK.tcl

========

::cisco::eem::event_register_syslog pattern {ip sla 11 reachability Up->Down}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]


if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}

if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "configure term"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "interface fa0/0"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "ip access-group BLOCK out"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "ip access-group BLOCK in"} _cli_result] {
    error $_cli_result $errorInfo
}

action_syslog msg "blocking non-critical traffic"

# Close open cli before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result

Allow.tcl

=======

::cisco::eem::event_register_syslog pattern {ip sla 11 reachability Down->Up}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]


if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}

if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "configure term"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "interface fa0/0"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "no ip access-group BLOCK out"} _cli_result] {
    error $_cli_result $errorInfo
}

if [catch {cli_exec $cli1(fd) "no ip access-group BLOCK in"} _cli_result] {
    error $_cli_result $errorInfo
}

action_syslog msg "Allowing non-critical traffic"

# Close open cli before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result

When I run the policy, the policy is working and the action syslog is displayed, but the CLI commands which I want to execute are not applied on the interface, i.e. ip access-group BLOCK out and no ip access-group BLOCK out.

We are using TACACS+ with the policy:

aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login RADIUS_AUTH group tacacs+
aaa authorization config-commands
aaa authorization exec RADIUS_AUTH group tacacs+ local if-authenticated
aaa authorization commands 0 default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!

Please suggest how I can resolve this issue. How can I execute the CLI commands via Tcl script?

Regards

Configure the following:

event manager session cli username USER

Where USER is a username authorized to run all of the CLI commands in your EEM applets (e.g., your username).

I have tried the same but still not working.

Enable "debug event manager tcl cli", trigger one of your applets, then post the output.
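
The BLOCK.tcl policy posted above logs "blocking non-critical traffic" whether or not the router accepted the commands, which matches the reported symptom of a syslog message with no ACL on the interface. The following is an added example, not code from the thread or from Cisco: it reworks BLOCK.tcl to inspect each command's output and to confirm the binding in the running config before logging success; `run_cli` is a hypothetical helper and the refusal patterns it matches are assumptions.

```tcl
::cisco::eem::event_register_syslog pattern {ip sla 11 reachability Up->Down}

# Added example, not from the thread. run_cli is a hypothetical helper.
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Returns 1 if the command was accepted. cli_exec raises a Tcl error only when
# the session fails; a command refused by the parser or AAA returns as output.
proc run_cli {fd cmd} {
    if {[catch {cli_exec $fd $cmd} out]} {
        error $out $::errorInfo
    }
    # Assumed refusal markers: a line starting with "%", or "authorization failed".
    if {[regexp -nocase -line {^\s*%|authorization failed} $out]} {
        action_syslog priority warning msg "BLOCK.tcl: '$cmd' refused: [string trim $out]"
        return 0
    }
    return 1
}

if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result

set applied 1
foreach cmd {
    "enable" "configure terminal" "interface fa0/0"
    "ip access-group BLOCK out" "ip access-group BLOCK in" "end"
} {
    if {![run_cli $cli1(fd) $cmd]} { set applied 0; break }
}
# Confirm from the running config that both directions are bound.
if {$applied} {
    if {[catch {cli_exec $cli1(fd) "show running-config interface fa0/0"} cfg]} {
        error $cfg $errorInfo
    }
    foreach dir {in out} {
        if {![string match "*ip access-group BLOCK $dir*" $cfg]} { set applied 0 }
    }
}
if {$applied} {
    action_syslog msg "blocking non-critical traffic"
} else {
    action_syslog priority err msg "BLOCK.tcl: ACL BLOCK was not applied to fa0/0"
}
# Close the CLI session before exit.
catch {cli_close $cli1(fd) $cli1(tty_id)} result
```

With this version a refused command shows up in syslog with the router's own response text, alongside whatever `debug event manager tcl cli` prints.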

Dipesh, were you able to get this to work with Joseph's recommendations?
