03-25-2015 03:10 AM
Hello,
Trying to configure time-based policing for a customer; it seems there is no time-based ACL support in XR.
So I am trying through EEM. Below is the config:
event manager environment cron_entry 0 10-18 * * *
event manager directory user policy harddisk:
aaa authorization eventmanager default local
=======================================================================
::cisco::eem::event_register_timer cron tacl cron_entry "0 10-18 * * *"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if {[catch {cli_open} result]} {
    action_syslog priority info msg "CLI Open Failed: $result"
    exit
}
set t_acl "class-map test match access-group T_ACL
police 512000 !"
array set cli1 $result
action_syslog priority info msg "Starting ACl script"
cli_exec $cli1(fd) "conf t
interface gi0/0/1/1
service-policy input $t_acl
commit"
action_syslog priority info msg "ACl ScriptEnd "
if {[catch {cli_close $cli1(fd) $cli1(tty_id)} result]} {
    action_syslog priority info msg $result
}
=========================================================================
When we activate the policy the config is failing,
event manager policy tacl.tcl username cisco persist-time 3600 type user
Error:
!!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy tacl.tcl
Is there any config issue in here?
Thanks in advance...
04-03-2015 10:48 AM
I don't think this script will work in terms of the CLI actions it sends.
you probably want to apply a service policy to the interface regardless and based on time
like this:
policy-map WHATEVER
class LOWQOS
police rate percent X
class default
police rate percent Y
Then in the LOWQOS class definition, define the ACL that needs to match this class,
eg permit ip any any to match any traffic in that class, vs the other time when you do a very specific permit say udp source port 1 or so (which never happens) so that all traffic matches the default on that ACL change of the class-map
when the script invokes change the class-map acl definition.
eyeballing the event trigger, I think I see a typo there.
look at the eem doc on the support forums to get some samples and ways to set it up.
cheers
xander
08-03-2015 07:44 AM
Hi Xander,
Thanks for pointing out the changes required.
The below is the configured script,
08-03-2015 10:02 AM
you could either remove the policy and apply a new one
or you can edit the existing policy to reflect the rate you want.
in the first case you need to do a :
no service-policy <whatever was there>
commit
service-policy <new one>
or in the second example you could
policy-map tacl
class <class>
police rate <desired rate>
xander
08-04-2015 12:25 AM
Hi Xander,
I would go with the first option, but can the removal of the policy-map be done using the same script, or does it need a separate script?
Can you please explain the timing parameters in the below command:
::cisco::eem::event_register_timer cron name tacl cron_entry "0 10-18 * * *"
Warm Regards
08-04-2015 03:07 AM
you could try to apply the solution explained in:
https://supportforums.cisco.com/document/12564786/bng-scripted-timed-based-acls-alternative-coa
"0 10-18 * * *" means every hour from 10:00 to 18:00.
/Aleksandar
08-04-2015 05:10 AM
Hi Aleksandar,
Can you please explain all 5 timing parameters in detail?
Warm Regards
08-04-2015 06:00 AM
if you google "cron entry" you'll get plenty of hits. Wikipedia has a nice entry on that. In our (Cisco) EEM/Tcl implementation we are not altering the standard cron implementation.
hth,
Aleksandar
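As an added illustration (not part of any post above and not Cisco code), this Python example expands the five cron fields, in the order minute, hour, day of month, month, day of week, and lists when the thread's entry "0 10-18 * * *" fires. It assumes the standard cron semantics the last answer refers to; the function names, the sample date and the two weekday entries are constructed.

```python
from datetime import datetime

# Standard cron field order with legal ranges (day_of_week: 0 = Sunday).
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 6)]


def expand_field(spec, lo, hi):
    """Expand one field ('*', 'a', 'a-b', 'a,b', '*/n', 'a-b/n') to a set of ints."""
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            start = end = int(rng)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field {spec!r} (allowed {lo}-{hi})")
        values.update(range(start, end + 1, step))
    return values


def parse_cron(entry):
    """Return ({field name: set of matching values}, day_or flag) for a 5-field entry."""
    parts = entry.split()
    if len(parts) != 5:
        raise ValueError("a cron entry has exactly 5 fields")
    fields = {n: expand_field(p, lo, hi) for p, (n, lo, hi) in zip(parts, FIELDS)}
    # Classic cron: if both day fields are restricted, either one may match.
    return fields, parts[2] != "*" and parts[4] != "*"


def fire_times(entry, day):
    """Return the HH:MM times on `day` (datetime at 00:00) at which the entry fires."""
    f, day_or = parse_cron(entry)
    dom = day.day in f["day_of_month"]
    dow = (day.weekday() + 1) % 7 in f["day_of_week"]  # Python Mon=0 -> cron Sun=0
    if day.month not in f["month"] or not ((dom or dow) if day_or else (dom and dow)):
        return []
    return [f"{h:02d}:{m:02d}" for h in sorted(f["hour"]) for m in sorted(f["minute"])]


if __name__ == "__main__":
    day = datetime(2015, 8, 4)  # constructed sample date (a Tuesday)
    print(fire_times("0 10-18 * * *", day))  # the entry from this thread
    # Constructed entries: a single trigger at 10:00 and at 18:00, Monday to Friday.
    print(fire_times("0 10 * * 1-5", day), fire_times("0 18 * * 1-5", day))
```

The entry from the thread yields nine trigger times, one at minute 0 of each hour from 10 through 18; a cron entry describes points in time at which the policy runs, not a window during which something stays applied.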