Cisco provides a plethora of tools that can be used for maintenance and monitoring through the Command Line Interface (CLI), as well as through a Graphical User Interface (GUI) for devices running Cisco IOS software. In addition to these IOS-based tools, Cisco also provides additional standalone tools that can be used for network maintenance, monitoring, and troubleshooting. The following sections describe some of the Cisco maintenance and monitoring tools that you should be familiar with for the purposes of the TSHOOT certification exam.
Enhanced Embedded Event Manager
The EEM is part of the Cisco Embedded Automation Systems (EASy) toolkit which combines the following additional embedded management technologies with EEM:
- Cisco IP Service Level Agreements (IP SLAs)
- Expression MIB
- Network-Based Application Recognition (NBAR)
- Flexible NetFlow
- Enhanced Object Tracking
- Cisco IOS Shell (IOS.sh)
NOTE: Cisco IP SLAs will be described in detail later in this chapter. The Cisco Expression MIB is beyond the scope of the TSHOOT certification exam, as is Cisco IOS Shell (IOS.sh). These will not be described in any further detail in this chapter, or in the remainder of this guide. NBAR and NetFlow are both core components of the TSHOOT exam and these will be described in detail later in this chapter, and throughout this guide. And finally, EOT is described in detail in both the ROUTE and SWITCH guides. From a troubleshooting perspective, you do not have to know any additional information on Enhanced Object Tracking (EOT).
Cisco IOS Embedded Event Manager (EEM) is part of the maintenance and monitoring toolkit. EEM is a powerful and flexible subsystem that provides real-time network event detection and onboard automation. EEM also increases the intelligence of network devices, allowing them to act on and facilitate management actions for specific network events.
A series of event detector processes designed to monitor explicit operational aspects of routers or switches are built into Cisco IOS Software. These can be primed to look for a specific event, and when that event occurs, they can act as a trigger to start up a user-loaded script. These customizable scripts are programmed using either simple Command Line Interface commands or Tool Command Language (Tcl).
A common use for EEM is printing a message on the console following a certain action that has been performed on the router. For example, EEM can be configured such that when someone issues the clear counters, clear ip route * , or clear ip bgp * command, for example, on a device, a message is printed on the console requesting that the person update relevant network documentation on why this action was taken on the device.
In addition to this, EEM could also be used to print out a message requesting that the network documentation be changed or configurations be saved following changes to a device. These examples are simple examples of the capabilities of EEM, because EEM can be configured to perform actions such as send an email out advising of monitored events.
When using the CLI to configure EEM, you must first configure an EEM applet. The EEM applet is a simple form of policy that is defined within the CLI configuration using the event manager applet [name] global configuration command. After you have configured the EEM applet, the router then transitions to EEM applet configuration mode. This configuration mode supports three commands, which are the event, action, and set commands.
The event command is used to specify the event criteria which will trigger the EEM applet to run. For example, the event could be a Syslog message indicating that counters have been cleared on an interface or the issuing of certain CLI commands such as clear ip route *.
The action command is used to specify an action to perform when the EEM applet has been triggered. Multiple sequential action commands can be configured within the applet. For example, you can specify that the first action that will be taken after a user has exited configuration mode is that a message will be printed on the console and then the next action can issue a CLI command to save the configuration on the local device or to a TFTP server.
And finally, the set command is used to set the value of an EEM applet variable. Following the configuration, the show event manager policy registered command can then be used to display a list of registered applets.
The following configuration example shows how to configure a basic EEM applet using the CLI. This applet will be triggered when the Syslog pattern %SYS-5-CONFIG_I: is logged by the router. When triggered by this event, the applet will print a Syslog message that reads ‘Please update documentation’ followed by another message that reads ‘Please save the configuration’. This simple configuration is implemented on the router as follows:
| R1(config)#event manager applet CONFIGURATION-CHANGE-APPLET R1(config-applet)#event syslog pattern %SYS-5-CONFIG_I: R1(config-applet)#action 1.0 syslog msg “Please Update Network Documentation” R1(config-applet)#action 1.1 syslog msg “Please Save The Configuration” R1(config-applet)#exit |
As previously stated earlier in this section, after one or more applets have been configured, theshow event manager policy registered command is used to display a list of registered applets. Following is the output of this command following R1s EEM configuration:
| R1#show event manager policy registered No. Class Type Event Type Trap Time Registered Name 1 applet user syslog Off Sun Mar 3 02:41:18 2002 CONFIGURATION-CHANGE-APPLET pattern {%SYS-5-CONFIG_I:} action 1.0 syslog msg “Please Update Network Documentation” action 1.1 syslog msg “Please Save The Configuration” |
As a simple test, this configuration can be validated by entering and exiting configuration mode on the router as illustrated below:
| R1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. R1(config)# R1(config)# R1(config)#end R1# R1# *Mar 3 02:46:50.493: %SYS-5-CONFIG_I: Configured from console by console *Mar 3 02:46:50.501: %HA_EM-6-LOG: CONFIGURATION-CHANGE-APPLET: Please Update Network Documentation *Mar 3 02:46:50.505: %HA_EM-6-LOG: CONFIGURATION-CHANGE-APPLET: Please Save The Configuration |
The same EEM applet would also be executed for changes made remotely, e.g. via a Telnet session as illustrated in the following output:
| R2#telnet 10.0.0.1 Trying 10.0.0.1 … Open
User Access Verification Username: netadmin *Mar 3 02:52:23.651: %HA_EM-6-LOG: CONFIGURATION-CHANGE-APPLET: Please Save The Configuration |
NOTE: The terminal monitor command must be issued if you want to see log messages on the screen when you remotely access a device. Otherwise, you must use the show loggingcommand to view the messages in the router or switch logs.
As a final example, the following configuration illustrates how to configure multiple EEM applets to log and print messages when the clear counters or clear ip bgp * commands are issued. When the clear counter command is issued, the message ‘Please advise Network Operations why the interfaces counters were cleared by sending an email to netops@howtonetwork.net. Thank you!’ When the command clear ip bgp * is issued, the message ‘This operation is NOT allowed! Please contact netops@howtonetwork.net for permission to perform this operation. Thank you!’ is printed and the command is rejected.
| R1(config)#event manager applet CLEAR-INTERFACE-COUNTERS-APPLET R1(config-applet)#event cli pattern “clear counters.*” sync no skip no R1(config-applet)#$ sending an email to netops@howtonetwork.net. Thank you!” R1(config-applet)#exit R1(config)#event manager applet CLEAR-IP-BGP-APPLET R1(config-applet)#event cli pattern “clear ip bgp.*” sync no skip yes R1(config-applet)#$ for permission to perform this operation. Thank you!” R1(config-applet)#exit |
This configuration can be validated using the show event manager policy registeredcommand as was also illustrated in the previous example. Following is the output of this command after the EEM configuration on R1:
| R1#show event manager policy registered No. Class Type Event Type Trap Time Registered Name 1 applet user cli Off Sun Mar 3 03:16:54 2002 CLEAR-INTERFACE-COUNTERS-APPLET pattern {clear counters.*} sync no skip no action A syslog msg “‘Please advise Network Operations why the interface counters were cleared by sending an email to netops@howtonetwork.net. Thank you!” 2 applet user cli Off Sun Mar 3 03:15:53 2002 CLEAR-IP-BGP-APPLET |
NOTE: The sync keyword is used to determine whether CLI and EEM policy execution will either be synchronous (at the same time) or asynchronous (one after the other). The skip keyword is used to specify whether or not the command will be executed or run. Going into these advanced options is beyond the scope of the TSHOOT exam; however, they have been included in this section to further demonstrate the capabilities of EEM.
The EEM configuration on R1 can be tested by issuing the clear counters command on the router and then the clear ip bgp * command as follows:
| R1#clear counters Clear “show interface” counters on all interfaces [confirm] R1# *Mar 3 03:39:18.317: %HA_EM-6-LOG: CLEAR-INTERFACE-COUNTERS-APPLET: Please advise Network Operations why the interfaces counters were cleared by sending an email to netops@howtonetwork.net. Thank you! *Mar 3 03:39:19.191: %CLEAR-5-COUNTERS: Clear counter on all interfaces by netadmin on vty0 (10.0.0.2) |
With the execution of the clear ip route * command, the EEM applet prints the stated message and allows the command to be executed. When the clear ip bgp * command is issued, the EEM applet again prints the stated message but this time does not allow the command to be executed. Such configurations ensure that only people authorized to make changes to reset neighbor relationships, etc, are allowed to do so, and do so only when the proper controls and notifications are in order.
NOTE: You are not required to implement any Cisco IOS EEM configurations in the current TSHOOT exam; however, you should be familiar with the basic EEM configuration logic.