BRKNMS-3021
13717_05_2007_c1 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Destination Check
This session is not
an introduction to NMS concepts
engineering internals of SNMP
a session on programming or scripting
(although we do assume some understanding of basic programming/scripting; any knowledge of Tcl and XML will be advantageous)
This session is
a technical session about a really cool embedded instrumentation built into Cisco devices
full of examples and sample scripts to help you understand the power of these features
Agenda
Introduction
Embedded Event Manager
Practical Applications
Summary and Conclusion
Embedded Event Manager (EEM)
Overview
Service running in Cisco IOS
Provides the opportunity to do self-monitoring and to reduce or eliminate polling
Let the network elements monitor themselves and send the right fault management events when there is a problem
Allows us to watch for specific events and then take specific actions when those events occur
Actions can be relatively simple or complex
Advantages:
Ability to take corrective actions automatically when a problem is detected
Build custom automation right on the device
Can reduce dependence on external NMSs (or make them more powerful!)
Reduce network bandwidth by doing local event monitoring
Embedded Instrumentation Model vs. External View
Connectivity to external systems may not always be available or reliable
Internal scripts are distributed and localized
Policies: actions to take (Tcl script or applet)
EEM Server: brains of the system
Event Detectors: watch for events of interest
EEM Event Detectors and EEM Policies
All of this is internal to Cisco IOS
Think of a policy as an action registered to an event
The ED notifies the EEM Server, which triggers interested policies
So What Can I Do with EEM?
Simple Example:
Write a syslog message when CPU utilization goes above 80%
An Implementation (there are others):
Determine the SNMP OID to monitor
Configure an EEM applet in the IOS CLI
Define the SNMP event detector with the appropriate threshold
Define the syslog action to generate a syslog message
Optional: include the actual value of the OID when the event is detected
Result:
The SNMP Event Detector will continually monitor the configured SNMP OID and, when the utilization crosses 80%, a syslog message will be generated
We now have proactive monitoring on the box!
EEM 1.0 Event Detectors
SNMP
Monitors a MIB object and generates an event when threshold crossed
Syslog
Matches a syslog message based on a regular expression match
Available options, an event is raised when:
1 message is detected, or
n messages are detected, or
n messages are detected within a specific period of time
EEM 2.0 Event Detectors
Application-specific
Allows IOS applications or EEM policies to define and publish application specific events
Counter
Provides persistent EEM counters that can be set by policies
A policy can be triggered when a specific counter crosses a threshold
A way for policies to communicate and trigger other policies. Example: Policy A increments an EEM counter when it runs. Policy B is triggered when the EEM counter crosses a threshold
Interface Counter
Generates an event when a specific IDB port generic statistics counter crosses a threshold, up or down.
Provides an easier way to track interface statistics than through the SNMP Event Detector
EEM 2.0 Event Detectors (Cont.)
Timer
Generates an event at an absolute time (absolute).
Generates an event after a specific period (countdown).
Generates a recurring event (watchdog: a countdown timer that is automatically re-armed at the event).
Generates an event using a Unix cron specification (cron: similar to a Unix cron job).
Watchdog
Triggers policies based on certain conditions relative to a certain Cisco IOS process's or subsystem's activity
EEM 2.1 Event Detectors
CLI
Screens CLI commands for a regular expression pattern match.
Publishes an event upon a valid match after the command is successfully parsed and before it is executed.
Can be used to augment or replace a command.
None
Used as a placeholder for policies that are manually triggered via the event manager run <policyname> command
Online Insertion and Removal (OIR)
Publishes events when one of the following hardware insertion/removal events occurs:
When a card is removed
When a card is inserted
EEM 2.1.5 Event Detectors
System Manager
Generates events for IOS Modularity process start, normal/abnormal stop, and restart events.
Allows the policy to change the default behavior of process restart
Watchdog
Generates events when the IOS Software Modularity Watchdog System Monitor (WDSYSMON) detects infinite loops, deadlocks, and memory leaks in Cisco IOS Software Modularity processes
EEM 2.2 Event Detectors
Redundancy Framework
Generates events for all RF (Redundancy Framework) notifications and state transitions
Resource
Interfaces with the IOS Embedded Resource Manager (ERM) sub-system.
Shared resource threshold notifications both in the up and down direction.
Resources to monitor:
Memory
CPU
IPC
Buffers
File System
EEM 2.2 Event Detectors (Cont.)
Embedded Event Manager Versions
(Timeline figure: from IOS EEM 1.0, small footprint, to IOS EEM 2.3, single source)
Security Of The Embedded Event Manager
EEM Policies
An EEM policy is self-contained:
Contains execution criteria
Contains actions
Policies are viewed as short-lived (default elapsed run time is 20 seconds)
Two Engines:
CLI Based (Applet Interface)
Script Based (Tcl)
Two Policy Types:
Synchronous policy can affect the outcome of the event
Asynchronous policy runs asynchronously with the event
EEM Built-In Actions
An Embedded Event Manager Policy can:
Execute an IOS CLI command and receive the result
Send a CNS event
Increment or decrement an EEM counter
Force a switchover to the standby in a redundant configuration
Request system information
Send an e-mail
Cause another EEM policy to be executed
Publish an application specific EEM event
Reload the box
Send an SNMP trap with custom data
Log a message to Syslog
EEM Environment Variables
Some Environment Variables
Environment Variables Available for All Events
$_event_type The event type that triggered the event.
$_event_pub_time The time at which the event type was published.
Environment Variables Available for SNMP Events
$_snmp_oid The Simple Network Management Protocol (SNMP) object ID that caused the event to be published.
$_snmp_oid_val The SNMP object ID value when the event was published.
Environment Variables Available for Syslog Events
$_syslog_msg The syslog message that caused the event to be published.
Defining the Applet
Define an applet named CFGMSG; the event type will be syslog
iin-rtr1(config)#event manager applet CFGMSG
iin-rtr1(config-applet)#event syslog
Syslog REGEXP Match Pattern
Add the Syslog Action
Label: used to sort actions (alphabetic sort on the label)
Complete Applet Policy Definition
event manager applet CFGMSG
 event syslog pattern "{%SYS-5-CONFIG_I:}"
 action 1.0 syslog priority warnings msg "Configuration event occurred"
Tcl Policies or Scripts
Tcl Policies can do everything that applets can, and more!
Standard Tcl 8.3.4 script support
Tcl Manual available at http://www.tcl.tk/man/tcl8.3/
This is the same support available in IOS for tclsh, ESM (Embedded Syslog Manager), and IVR
There are several Tcl language extension dialects and some differences among them
More details and examples on Tcl and tclsh available in the Appendix
EEM Tcl Policy Structure
Begin with the EEM event register keyword (required)
Next is any input variables or required environment variables to control the script
Namespace imports (required)
Entry criteria for the policy
Body (logic of the script) (required)
Exit status
Example of Tcl Policy Structure
Registration command (Tcl extension)
Tcl namespace (namespace import)
::cisco::eem: this namespace includes all Tcl commands closely related to Embedded Event Manager
::cisco::lib: this namespace includes auxiliary library commands that are not necessarily specific to the Embedded Event Manager
Body
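The "syslog message when CPU utilization goes above 80%" example from earlier in the session, written as a Tcl policy that follows the structure just described (registration, namespace imports, entry criteria, body). This is an added example, not code from the session deck or from Cisco. Everything not on the slides is an assumption to verify against the target platform: the OID (cpmCPUTotal1minRev for CPU index 1 in CISCO-PROCESS-MIB), the exit_event field returned by event_reqinfo, the availability of "show processes cpu sorted", and the policy file name cpu_high.tcl.

```tcl
# cpu_high.tcl - EEM Tcl policy.  Added example, not code from the
# session deck or from Cisco.  Assumptions, to verify before use:
#   - OID 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1 is cpmCPUTotal1minRev for CPU
#     index 1 (CISCO-PROCESS-MIB); check the index with "show snmp mib"
#   - event_reqinfo for SNMP events returns the fields oid, val and
#     exit_event (the last is 1 when the exit threshold fired)
#   - "show processes cpu sorted" exists on the target IOS release
#
# 1. Registration (required).  Poll every 30 s; publish when the value
#    is >= 80 and, because an exit threshold is given, publish again
#    only once it has dropped below 60.  Without exit_op/exit_val a CPU
#    hovering around 80% would produce one syslog message per poll.
::cisco::eem::event_register_snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.8.1 \
    get_type exact entry_op ge entry_val 80 \
    exit_op lt exit_val 60 poll_interval 30 maxrun 60

# 2. Namespace imports (required)
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# 3. Entry criteria: read the event details.  $arr_einfo(val) is the
#    sampled OID value; $arr_einfo(exit_event) tells a recovery event
#    (value back below 60) apart from a threshold crossing.
array set arr_einfo [event_reqinfo]

if {$arr_einfo(exit_event)} {
    # Recovery: one message so the NMS can clear the alarm it raised.
    action_syslog priority notifications \
        msg "CPU utilization back to $arr_einfo(val)%, below the 60% exit threshold"
} else {
    # 4. Body: report the crossing with the measured value (the optional
    #    step in the example), then capture the busiest processes so the
    #    operator sees what consumed the CPU, not just that it happened.
    action_syslog priority warnings \
        msg "CPU utilization $arr_einfo(val)% exceeds 80% (OID $arr_einfo(oid))"

    if {[catch {cli_open} result]} {
        error $result $errorInfo
    }
    array set cli1 $result
    # enter enable mode on the VTY, as Cisco's sample policies do
    if {[catch {cli_exec $cli1(fd) "enable"} result]} {
        error $result $errorInfo
    }
    if {[catch {cli_exec $cli1(fd) "show processes cpu sorted | exclude 0.00%"} result]} {
        error $result $errorInfo
    }
    set cpu_output $result
    if {[catch {cli_close $cli1(fd) $cli1(tty_id)} result]} {
        error $result $errorInfo
    }

    # One syslog line per process row (PID, runtime, invoked, usecs,
    # 5sec% ...) for the three busiest, so each message stays short.
    set count 0
    foreach line [split $cpu_output "\n"] {
        set line [string trim $line]
        if {[regexp {^\d+\s+\d+\s+\d+\s+\d+\s+[\d.]+%} $line]} {
            action_syslog priority informational msg "CPU top: $line"
            if {[incr count] >= 3} { break }
        }
    }

    # Raise an EEM SNMP trap carrying the numeric value for the NMS.
    action_snmp_trap intdata1 $arr_einfo(val) strdata "CPU utilization above 80%"
}
```

The file is copied to the user policy directory and registered with event manager policy cpu_high.tcl type user, as shown in the Getting Started slides; the trap at the end is only sent if snmp-server enable traps event-manager is configured. The exit threshold is the practitioner detail the one-line applet lacks: it gives one warning and one recovery message per incident instead of a message per poll.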
Getting Started: Create Policy Directory
ashcroft#mkdir ABCCoTclPol
Create directory filename [ABCCoTclPol]?
Created dir disk0:ABCCoTclPol
ashcroft#dir
Directory of disk0:/
1 drw- 1 Oct 26 2003 13:37:42 +00:00 sys
6 drw- 1 Oct 30 2003 12:56:04 +00:00 ABCCoTclPol
47843328 bytes total (29356032 bytes free)
ashcroft#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ashcroft(config)#event manager directory user policy disk0:/ABCCoTclPol
ashcroft(config)#^Z
Getting Started: Copy Tcl Policy to Router
ashcroft#dir
Directory of disk0:/
1 drw- 1 Oct 26 2003 13:37:42 +00:00 sys
6 drw- 1 Oct 30 2003 12:56:04 +00:00 ABCCoTclPol
47843328 bytes total (29351936 bytes free)
ashcroft#cd ABCCoTclPol
ashcroft#dir
Directory of disk0:/ABCCoTclPol/
8 -rw- 1232 Oct 30 2003 14:14:58 +00:00 sl_cfgSaveRemT.tcl
47843328 bytes total (29351936 bytes free)
ashcroft#
Getting Started: Register the Policy
ashcroft#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ashcroft(config)#event manager policy sl_cfgSaveRemT.tcl type user
ashcroft(config)#
Some Other Ideas for Using EEM
Every few days you lose all OSPF neighbors
An EEM script could be triggered on the OSPF messages in syslog, capture the information, save it to flash and reload the router (if it doesn't correct itself)
Every few weeks a router is running low on memory around 2am
An EEM script could be triggered on the memory utilization, capture the memory information and send the output with syslog
One of the (redundant) links has problems with occasional high error rates, but does not go down
An EEM script could be triggered on the interface errors, take the link out of use and send a notification by SNMP, syslog or e-mail
You need to automatically update an ACL every night at 2am
An EEM script could be triggered by a cron timer, grab the new version of the ACL from a web server and apply it (and send a confirmation by syslog/e-mail/SNMP)
One of the BGP peers sometimes drops with a hold timeout, but recovers within seconds. How do you troubleshoot?
An EEM script could be triggered by the syslog message, verify connectivity to the other BGP peer with a ping at the time of the problem, possibly look at the interface status and save a traceroute output to the other BGP peer
EEM Security
Cisco scripts run in full Tcl mode
User scripts run in Safe-Tcl mode
Allows Cisco to disable/customize specific Tcl commands
Provides restrictions to ensure system integrity
Built-in throttle that periodically suspends execution
User scripting is disabled by disallowing the command:
event manager directory user
All EEM configuration commands are in privileged global configuration mode
To control the user that runs an EEM policy, use:
event manager session cli username <username>
The username is sent to TACACS+ for command authorization
Embedded Event Manager (EEM)
Debugging and Show Commands
Debug commands
debug event manager tcl cli_lib
debug event manager tcl commands
debug event manager tcl smtp_library
Show commands
show event manager policy available
show event manager directory user policy
EEM Version Comparison
IOS Version Introduced:
EEM 1.0: 12.0(26)S, 12.3(4)T
EEM 2.0: 12.2(27)SBC
EEM 2.1: 12.3(14)T1, 12.2(18)SXF4, 12.2(28)SBC, 12.2(33)SRA
EEM 2.1.5: 12.2(18)SXF5 (IOS with modularity)
EEM 2.2: 12.4(2)T, 12.2(33)SRB1
Feature                                                  1.0  2.0  2.1  2.1.5  2.2
Syslog, SNMP EDs                                          X    X    X    X      X
Syslog, SNMP Actions                                      X    X    X    X      X
Watchdog, Counter, Interface Counter, Timer,
  Application-Specific EDs                                     X    X    X      X
Counter Modification, System Info, Email Actions               X    X    X      X
OIR, CLI EDs                                                        X    X      X
User and System Tcl Policies                                        X    X      X
GOLD, System Manager, WDSysMon EDs                                       X      X
Resource, RF, EOT EDs                                                           X
EEM Today and Tomorrow
2.3
Latest release available on 12.4(11)T
No new features added
Single source code used across products
2.4
Coming soon
Multiple event support
Allows event correlation where multiple events can trigger a policy
SNMP Proxy ED
Allows the device to receive an SNMP trap/inform and execute a policy
Policy has access to varbind info in the trap
RPC ED
Allows an external entity to send a SOAP message over SSHv2 to invoke a policy and return the result to the external entity
And more!
CISCO IOS EMBEDDED EVENT MANAGER
EEM VERSION - PRODUCT MATRIX
6/8/07 4:39 PM
Embedded Event Manager (EEM)
Additional References
EEM Starting Point:
http://www.cisco.com/go/eem
EEM Overview:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sx/122sxf18/evnt_mgr/nmb_eemo.htm
Writing EEM Policies Using IOS CLI:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sx/122sxf18/evnt_mgr/nmb_eemc.htm
Writing EEM Policies Using Tcl:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122sx/122sxf18/evnt_mgr/nmb_eemt.htm
Cisco Beyond: Product Extension Community
EEM Scripting Community
New on Cisco.com
Open source scripts: share, upload, download, learn by example
Categories include: network management, routing, QoS, high availability, user interface, etc.
Comments, ratings, community managed forum
http://cisco.com/go/ciscobeyond
Example 1
Using EEM to Collect Interface Error History
Requirement:
Collect interface errors regularly and append the output to a file on flash
CLI command to use:
remote-pe#sh int fa2/0 | inc errors
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 3 interface resets
Solution:
Write a Tcl policy that:
Uses the Timer Event Detector; a watchdog timer provides a recurring event
Appends a timestamp and the command output to a history file
Uses the following environment variables as parameters:
Run period (time between successive samples)
Output filename
Interface (to run the show command on)
The Tcl Policy
Watchdog Timer ED called errimt that runs every $errim_period seconds
# Register with the Timer ED as a watchdog timer named errimt that fires
# every $errim_period seconds (registration line reconstructed from the
# slide's description above)
::cisco::eem::event_register_timer watchdog name errimt time $errim_period
#
# Check for required environment variables
# If any required vars are not available, print error and quit
#
if {![info exists errim_period]} {
    set result "EEM Policy Error: variable errim_period has not been set"
    error $result $errorInfo
}
if {![info exists errim_outfile]} {
    set result "EEM Policy Error: variable errim_outfile has not been set"
    error $result $errorInfo
}
if {![info exists errim_int]} {
    set result "EEM Policy Error: variable errim_int has not been set"
    error $result $errorInfo
}
#
# namespace imports: include the EEM and auxiliary Tcl commands
#
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
#
# issue the cli command
# cli_open opens a channel and returns the channel handler, fd and tty_id
#
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
# save exact execution time for command
set time_now [clock seconds]
# execute the command using the channel handler, fd, returned by cli_open
if [catch {cli_exec $cli1(fd) "show int $errim_int | inc errors"} result] {
    error $result $errorInfo
}
# save the command output
set cmd_output $result
#
# close the channel using the channel handler, fd and tty_id, returned by cli_open
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
    error $result $errorInfo
}
action_syslog msg "errim command executed"
#
# prepare to write line to the history file: open the output file for
# appending and return a file descriptor
if [catch {open $errim_outfile a+} result] {
    error $result
}
# set fileD to the file descriptor
set fileD $result
#
# save timestamp of command execution
# (Format = 00:53:44 PDT Mon May 02 2005)
set time_now [clock format $time_now -format "%T %Z %a %b %d %Y"]
# write the timestamp
puts $fileD "%%% $time_now, errim executed"
#
# write the command output
puts $fileD $cmd_output
#
close $fileD
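The policy above only records the two "| inc errors" lines; the history file is of little use unless something reads it. The following is an added example, not part of the session's policy or of any Cisco Beyond script: it runs in a plain Tcl 8.3+ tclsh (no EEM needed), parses counter lines in the format shown on the requirement slide, and compares two consecutive samples so the history becomes a detection source rather than a log nobody opens. The two samples are constructed; the procedure names parse_error_lines and counter_deltas are mine.

```tcl
# errim_parse.tcl - added example, not part of the session's EEM policy.
# Runs offline in tclsh 8.3+.  Parses the "N name, N name, ..." counter
# lines that the policy appends to its history file and reports which
# counters grew between two samples.  The "%%% <timestamp>" lines the
# policy writes do not start with a digit, so the parser skips them.

# Parse counter lines into a flat name/value list (array set format).
# Counter names are lower-cased with spaces replaced by underscores,
# e.g. "input errors" -> input_errors, "CRC" -> crc.
proc parse_error_lines {output} {
    set counters {}
    foreach line [split $output "\n"] {
        foreach field [split [string trim $line] ","] {
            set field [string trim $field]
            # each field looks like "0 input errors" or "3 interface resets"
            if {[regexp {^(\d+)\s+(.+)$} $field -> value name]} {
                set name [string map {" " _} [string tolower $name]]
                lappend counters $name $value
            }
        }
    }
    return $counters
}

# Return a list of {name increase} pairs for every counter whose value
# grew from the previous sample to the current one.  Counters present in
# only one sample (interface re-created, command output changed) are
# ignored rather than reported as growth.
proc counter_deltas {prev curr} {
    array set p $prev
    array set c $curr
    set grown {}
    foreach name [lsort [array names c]] {
        if {[info exists p($name)] && $c($name) > $p($name)} {
            lappend grown [list $name [expr {$c($name) - $p($name)}]]
        }
    }
    return $grown
}

# Constructed samples in the format of "sh int fa2/0 | inc errors":
# the first is clean, the second shows CRC errors and an extra reset.
set sample1 "0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 3 interface resets"
set sample2 "17 input errors, 17 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 4 interface resets"

set deltas [counter_deltas [parse_error_lines $sample1] [parse_error_lines $sample2]]
if {[llength $deltas] == 0} {
    puts "no error counters increased between samples"
}
foreach d $deltas {
    puts "counter [lindex $d 0] increased by [lindex $d 1]"
}
```

Run against the real history file, the same two procedures applied to each pair of consecutive timestamped entries give the "occasional high error rates on a link that does not go down" case from the ideas slide a concrete trigger: a CRC increase between samples is what a follow-on policy would alert on.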
Configuration Required
Set the environment variables
Q and A
Recommended Reading
Available at www.CiscoPress.com
Appendix
Tool Command Language (Tcl)
Overview
Features
Uses within Cisco IOS
Tool Command Language (Tcl)
Starting the Interpreter
Router#tclsh
Router(tcl)#
Tool Command Language (Tcl)
Configuration
Router(config)#scripting tcl ?
encdir Specify path for Tcl character encoding files
init Specify path for Tcl initialization script
low-memory Configure low water memory mark
The encdir and init values can be any Cisco IOS URI (e.g. disk:, slot:, tftp:, etc.)
Use the low-memory command to avoid crashes due to memory allocation (do not go below 10% of total available memory)
Tool Command Language (Tcl)
Configuration (Cont.)
Interactive Shell
(Color key used on the following slides: Tcl Cisco IOS extended commands, Tcl built-in commands, Cisco IOS commands)
Router#tclsh
Router(tcl)#puts "Hello Networkers"
Hello Networkers
Router(tcl)#exit
Router#
Tool Command Language (Tcl)
Configuration (Cont.)
Running Cisco IOS Commands
Router(tcl)#set output [exec "show interface fa0/0 description"]
Interface Status Protocol Description
Fa0/0 up up FlashNet Management Connection
Router(tcl)#log_user 0
0
Router(tcl)#set output [exec "show interface fa0/0 description"]
Router(tcl)#puts $output
Interface Status Protocol Description
Fa0/0 up up FlashNet Management Connection
Tool Command Language (Tcl)
Configuration (Cont.)
Tcl and CLI Configuration Commands
Router(tcl)#ios_config "interface fa0/0" "description Networkers Uplink"
Router(tcl)#puts $output
Interface Status Protocol Description
Fa0/0 up up Networkers Uplink
Tool Command Language (Tcl)
Configuration (Cont.)
Writing to the Input Buffer
Router(tcl)#show run
Building configuration...
Current configuration : 8245 bytes
!
! Last configuration change at 22:05:49 CET Sat Mar 10 2005
!
version 12.0
no service pad
Tool Command Language (Tcl)
Configuration (Cont.)
Capturing Cisco IOS Errors
Router(tcl)#set line "snmp server community RO"
Router(tcl)#if {[catch {ios_config $line} result]} {
+>puts "Bad config command: \"$line\""
+>}
Bad config command: "snmp server community RO"
Tool Command Language (Tcl)
Configuration (Cont.)
Loading External Scripts
Router(tcl)#source slot0:myscript.tcl
Router(tcl)#source tftp://10.10.10.10/myscript.tcl
Router#tclsh tftp://10.10.10.10/myscript.tcl
Tool Command Language (Tcl)
SNMP Support
Requires an SNMP community to be configured on the router
Provides easy access to SNMP objects and commands:
snmp_getbulk retrieves a large section of the MIB tree
snmp_getid retrieves the system table
snmp_getnext retrieves the next object in the MIB tree
snmp_getone retrieves one object in the MIB tree
snmp_setany sets an object in the MIB tree
Data is returned in an XML format
First introduced in 12.3(7)T
Tool Command Language (Tcl)
SNMP Example
Router(tcl)#snmp_getid public
{<obj oid='system.1.0' val='Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.3(14)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 25-Mar-05 14:01 by yiyan'/>}
{<obj oid='system.2.0' val='products.108'/>}
{<obj oid='sysUpTime.0' val='71184284'/>}
{<obj oid='system.4.0' val='Dan Jerome'/>}
{<obj oid='system.5.0' val='dj.cisco.com'/>}
{<obj oid='system.6.0' val='Networkers 2005'/>}
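The snmp_* commands return their results as a Tcl list of XML-style elements, one {<obj oid='...' val='...'/>} per object, as the snmp_getid output above shows. The following added example (not from the session deck) runs in a plain tclsh and turns that list into a Tcl array keyed by OID, then runs two checks a network team would want on the system group: the uptime in days and any object left empty. The sample list is constructed to match the slide's output shape; the procedure names are mine.

```tcl
# snmp_xml_parse.tcl - added example, not from the session deck.
# Runs offline in tclsh 8.3+.  Converts the list returned by the IOS Tcl
# snmp_* commands (one {<obj oid='...' val='...'/>} element per object)
# into an array keyed by OID, then checks the system group.

# Fill array arrname with oid -> value; return the number of objects parsed.
proc snmp_xml_to_array {xmllist arrname} {
    upvar $arrname result
    set count 0
    foreach obj $xmllist {
        # "." matches newlines in Tcl regexps, so a sysDescr value that
        # spans several lines (as in the snmp_getid output) is captured whole.
        if {[regexp {<obj oid='([^']*)' val='(.*)'/>} $obj -> oid val]} {
            set result($oid) $val
            incr count
        }
    }
    return $count
}

# sysUpTime is in TimeTicks (1/100 s); convert to whole days.
proc uptime_days {ticks} {
    return [expr {$ticks / (100 * 86400)}]
}

# Return the OIDs whose value is empty.  An unset sysContact or
# sysLocation is a common inventory-hygiene finding worth flagging.
proc empty_objects {arrname} {
    upvar $arrname sys
    set empty {}
    foreach oid [lsort [array names sys]] {
        if {[string length [string trim $sys($oid)]] == 0} {
            lappend empty $oid
        }
    }
    return $empty
}

# Constructed sample modelled on the snmp_getid output on the slide,
# with sysLocation (system.6.0) left empty to exercise the check.
set sample [list \
    {<obj oid='system.1.0' val='Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.3(14)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport'/>} \
    {<obj oid='system.2.0' val='products.108'/>} \
    {<obj oid='sysUpTime.0' val='71184284'/>} \
    {<obj oid='system.4.0' val='noc@example.net'/>} \
    {<obj oid='system.5.0' val='rtr1.example.net'/>} \
    {<obj oid='system.6.0' val=''/>}]

set n [snmp_xml_to_array $sample sysgroup]
puts "parsed $n objects"
puts "sysName: $sysgroup(system.5.0)"
puts "up for [uptime_days $sysgroup(sysUpTime.0)] days"
foreach oid [empty_objects sysgroup] {
    puts "warning: $oid is empty"
}
```

On a router the same code runs with set sample [snmp_getid $community]; since the slide's example uses the community public, note that the community the scripts use should be a read-only one restricted by an access list, as the data the scripts read is the same data an outsider would read with it.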
Tool Command Language (Tcl)
Limitations
Tool Command Language (Tcl)
Script Debugging
Use a UNIX or Windows Tcl 8.3 interpreter to sanity check code
Make sure log_user is set to 1 to get all possible errors
Use Control+Shift+6 to interrupt a runaway script
Tool Command Language (Tcl)
Caveats
Tool Command Language (Tcl)
Security Concerns
Other Examples
Tcl Access-List Editor
The Code
Tcl Access-List Editor
The Code (Cont.)
return $i
}
Tcl Access-List Editor
The Code (Cont.)
Insert a new ACL entry within the existing ACL:
puts -nonewline "Insert before which line number ($aclend to append): "
flush stdout
gets stdin choice
puts -nonewline "Enter body of ACL rule to insert (without the access-list $acl portion): "
flush stdout
gets stdin body
regsub -nocase {^access-list\s[^\s]+\s} $body "" body
Delete a specific ACL entry
Tcl Access-List Editor
The Code (Cont.)
Check for errors to ensure we do not leave the router unprotected:
proc commit_acl { acl acllist orig_acllist } {
    ios_config "no access-list $acl"
    foreach line $acllist {
        if { [catch { ios_config $line } result] } {
            puts "Error committing access-list entry \"$line\" ($result)"
            puts "Re-adding the original access-list..."
            ios_config "no access-list $acl"
            foreach origline $orig_acllist {
                if { [catch { ios_config $origline } result] } {
                    puts "DANGER! Error committing original access-list entry \"$origline\" ($result)"
                    puts "Investigate this immediately!"
                    return
                }
            }
            return
        }
    }
}
Tcl Access-List Editor
The Code (Cont.)
Present the access-list edit options to the user in a menu:
while { $done == 0 } {
    puts "Access-list Editor"
    puts "------------------\n"
    puts "1. View access-list $aclno"
    puts "2. Add access-list entry"
    puts "3. Remove access-list entry"
    puts "4. Quit and save changes"
    puts "5. Quit without saving changes"
    puts ""
    puts -nonewline "Enter option: "
    flush stdout
    gets stdin choice
    switch $choice {
        1 { view_acl $acllist }
        2 { set acllist [add_acl $aclno $acllist] }
        3 { set acllist [delete_acl $aclno $acllist] }
        4 {
            set done 1
            set save 1
        }
        5 {
            set done 1
            set save 0
        }
    }
}
Tcl SNMP Security Fix Script
The Code
Determine the high UDP port dynamically by inspecting the output of show ip sockets:
proc snmp_fix { } {
    snmp_unfix
    set sockets [exec "show ip sockets"]
    set socket 0
    foreach line [split $sockets "\n"] {
        set line [string trim $line]
        if {[regexp {^17\s+--listen--} $line] || [regexp {^17 0\.0\.0\.0} $line]} {
            # (the lines that extract the local port into $socket are not
            # reproduced on the slide)
        }
    }
Find a free IP ACL, then apply the necessary control plane policing configuration changes:
    if {$socket > 0} {
        set myacl [find_acl 100 200]
        if {$myacl == 0} {
            set myacl [find_acl 2000 2700]
        }
        if {$myacl == 0} {
            puts "Failed to find a free access-list."
            return
        }
        ios_config "class-map match-all matchsnmp" "match access-group $myacl"
        ios_config "policy-map dropsnmp" "class matchsnmp" "drop"
        ios_config "access-list $myacl permit udp any any eq 162"
        ios_config "access-list $myacl permit udp any any eq $socket"
        ios_config "access-list $myacl deny ip any any"
        ios_config "control-plane" "service-policy input dropsnmp"
        puts "SNMP control plane access now denied to ports 162 and $socket"
        puts "using access-list $myacl. Use ``snmp_unfix'' to remove this"
        puts "configuration."
    } else {
        puts "Failed to find a listening socket for SNMP."
    }
}
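The step the first callout describes, determining which UDP ports the SNMP agent has open from "show ip sockets" output, as an added example that is not part of the snmp_fix script on the slides. It runs in a plain tclsh over a constructed sample whose lines follow the two shapes the script's own regexps match (a "--listen--" socket, which has no remote port column, and a socket bound to remote 0.0.0.0 port 0 with a dynamically assigned local port); the column layout is modelled on those regexps rather than captured from a device, and the procedure names udp_local_ports and snmp_high_port are mine.

```tcl
# udp_sockets.tcl - added example, not part of the snmp_fix script.
# Runs offline in tclsh 8.3+.  Extracts local UDP (protocol 17) ports
# from "show ip sockets" output and picks the dynamically assigned high
# port that the snmp_fix script stores in $socket.

# Return the sorted, de-duplicated list of local UDP ports in the output.
proc udp_local_ports {sockets} {
    set ports {}
    foreach line [split $sockets "\n"] {
        set line [string trim $line]
        # shape 1: "17 --listen-- <local> <port> ..."  (no remote port column)
        # shape 2: "17 0.0.0.0 0 <local> <port> ..."    (dynamic local port)
        if {[regexp {^17\s+--listen--\s+\S+\s+(\d+)} $line -> port] ||
            [regexp {^17\s+0\.0\.0\.0\s+0\s+\S+\s+(\d+)} $line -> port]} {
            lappend ports $port
        }
    }
    return [lsort -integer -unique $ports]
}

# Of those ports, return the first dynamically assigned one (above the
# well-known range and not the agent port 161), or 0 if there is none,
# matching the "socket > 0" test in snmp_fix.
proc snmp_high_port {ports} {
    foreach p $ports {
        if {$p != 161 && $p > 1023} { return $p }
    }
    return 0
}

# Constructed sample; not a capture from a real device.  The TCP (6) and
# NTP (123, fixed remote) rows are there to show what is not matched.
set sample {Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          10.0.0.1        161   0   0  1001   0
 17 0.0.0.0          0        10.0.0.1      57583   0   0    11   0
 17 10.0.0.9       123        10.0.0.1        123   0   0     1   0
  6 10.0.0.20    52044        10.0.0.1         22   0   0     1   0}

set ports [udp_local_ports $sample]
puts "UDP local ports: $ports"
set socket [snmp_high_port $ports]
if {$socket > 0} {
    puts "SNMP high port: $socket"
} else {
    puts "no dynamically assigned UDP port found"
}
```

Parsing the live output, rather than hard-coding the port, is what makes the control-plane policy the script applies survive a reload: the high port is assigned dynamically and a fixed ACL entry would silently stop covering it.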