Advanced Cisco IOS Device Instrumentation
Chris Kodadek, Solution Architect
BRKNMS-3021
Session Abstract
• This advanced session covers some of the embedded management technologies in recent versions of Cisco IOS Software. Attendees are shown how the Embedded Event Manager combined with Tcl scripts can automate the ability of Cisco devices to respond to events detected on the device. The session demonstrates ways to suppress excess log messages and use alternate forms of message delivery using the Embedded Syslog Manager with Tcl. Attendees learn analysis of network traffic using the Embedded Packet Capture feature, the use of Configuration Locking and Rollback for safe recovery from errors or misconfigurations, performing bulk management, and exploring network programmability with onePK. Examples are shown for each technology, as well as ways to combine multiple automation solutions to reduce OPEX and extend the capabilities of IOS.
• This advanced course is for network engineers who are comfortable with Cisco IOS and have some understanding of Tcl programming. Experience with other network management functions such as SNMP and Syslog is also recommended.
Got Tools?
[Slide graphic: a network diagram showing Headquarters, Remote Sites, Branch Sites, Telecommuters, Mobile Users, Partners/Customers and Home Office connected over the Internet, Extranet, IPSec Tunnels, Metro Ethernet, Broadband/VPN and MPLS]
Cisco IOS Automation Uses
• User Experience
• Configuration / Provisioning
• Performance Analysis
• Monitoring & Troubleshooting
• Diagnostics
• Auditing & Security
• Capacity Planning
Agenda
Introduction
Embedded Instrumentation Technologies
Real-World Examples
Key Takeaways
What is Instrumentation?
• Provides us (operators, administrators) and applications with a view into what the device is doing and how it is behaving
• Gives us an ability to touch the device
• Our ability to understand how the device is behaving is only as good as the underlying instrumentation
• Instrumentation provides us with the intelligence to respond to conditions on the device and take corrective action, if necessary
• It may even allow us to automate the response
Embedded Instrumentation Model vs. External View
• Connectivity to external systems may not always be available or reliable
• Internal scripts are distributed and localized:
• Each router or switch in the network has its own set of policies
• Information can be distilled and forwarded to external monitoring systems
• Problems can be handled locally
• Polling vs. event notification
• Policies are triggered without having to constantly poll
• No need to listen for and filter error messages
• Instant reaction when a condition is detected
• No need to relay the information outside the system and wait for a response
• Combining embedded instrumentation with external management tools creates a powerful NMS solution!
[Slide graphic: EEM – "Interpret from Outside" vs. "See from Within"]
Agenda
Introduction
Embedded Instrumentation Technologies
Real-World Examples
Key Takeaways
Tool Command Language (Tcl)
Tool Command Language (Tcl) – Automation Uses
• Configuration
• User Experience
• Monitoring & Troubleshooting
• Tcl is a multithreaded interpreted scripting language
• Language resources found at:
• http://www.tcl.tk/
• Tcl 7.x has been in Cisco IOS since 1994
• Tcl 8.3.4 first released in Cisco IOS in 12.3(2)T and merged into 12.2(25)S
Overview
Tool Command Language (Tcl)
• Support for scripts compiled with the TclPro byte code
• Support for Tcl namespaces
• Allows execution of exec commands and Cisco IOS configuration
• Support for cryptographic signing of scripts
Features
Tool Command Language (Tcl)
• Build custom show commands
• Access SNMP objects
• Open TCP and UDP sockets
• Integrate with the Embedded Syslog Manager, Embedded Event Manager, and the Embedded Menu Manager
• Build Interactive Voice Response (IVR) scripts
• Consolidate complex configuration commands
• Auto-configuration
Uses Within Cisco IOS
Tool Command Language (Tcl) – Simplifying Tasks
Router#more flash:/ping_check.tcl
foreach host [list "172.18.123.33" "172.18.80.126" "172.18.181.139"] {
    set output [exec "ping $host repeat 1"]
    if { ! [regexp {!} $output] } {
        puts "Host $host is not reachable"
    }
}
Router#tclsh flash:/ping_check.tcl
Host 172.18.80.126 is not reachable
(The slide colour-codes the script into Cisco IOS extended Tcl commands such as exec, Tcl built-in commands, and the Cisco IOS ping command.)
Tool Command Language (Tcl) – Auto-Configuration
• You can execute tclsh scripts at boot time
• Add a "do" command directly into the startup configuration
NOTE: The tclsh script must NOT be interactive. It must run to completion without user input.
Router#show start
. . .
!
do tclsh flash:/autoconfig.tcl
end
Tool Command Language (Tcl) – Using Network Sockets
• Tcl scripts can open client and server TCP sockets
• Better to leave server sockets for EEM, where the script can detach from the VTY
• UDP socket support was added in 15.1(1)T
• Full example of a DNS client for IOS available at http://tools.cisco.com/squish/88203
proc connect { server proto } {
if { $proto == "tcp" } {
if { [catch {set fd [socket $server 53]} result] } {
return -code error $result
}
fconfigure $fd -translation binary
} else {
if { [catch {set fd [udp_open]} result] } {
return -code error $result
}
fconfigure $fd -remote [list $server 53] -translation binary -buffering none
}
. . .
}
Tool Command Language (Tcl) – SNMP Support – 1/2
• Requires an SNMP community to be configured on the router
• Provides easy access to SNMP objects and commands
• snmp_getbulk – retrieves a large section of the MIB tree
• snmp_getid – retrieves the system table
• snmp_getnext – retrieves the next object in the MIB tree
• snmp_getone – retrieves one object in the MIB tree
• snmp_setany – sets an object in the MIB tree
• Data is returned in an XML format
• First introduced in 12.3(7)T
Tool Command Language (Tcl) – SNMP Support Example – 2/2
Router(tcl)#snmp_getid public
{<obj oid='system.1.0' val='Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Mar-05 14:01 by yiyan'/>}
{<obj oid='system.2.0' val='products.108'/>}
{<obj oid='sysUpTime.0' val='71184284'/>}
{<obj oid='system.4.0' val='NMS Ops'/>}
{<obj oid='system.5.0' val='router.rtp.cisco.com'/>}
{<obj oid='system.6.0' val='Test POD'/>}
Router(tcl)#snmp_setany private system.6.0 -d "Cisco Live San Diego"
{<obj oid='system.6.0' val='Cisco Live San Diego'/>}
Tool Command Language (Tcl) – Signed Tcl Scripts
• Add the capability to check for a digital signature to indicate trust/origin
• Unsigned Tcl scripts can be run in a safe Tcl mode, or not run at all
• A script can run within one of two modes:
• Trusted Mode: if the Tcl script contains the right signature, it is authenticated and runs with trusted access to the Tcl interpreter
• Untrusted Mode: if the Tcl script does not contain the right signature, it runs in a limited mode for untrusted scripts, or does not run at all
Available from: Cisco IOS 12.4(15)T
Reference: http://tools.cisco.com/squish/634E1
Tool Command Language (Tcl) – Security Concerns
• Load scripts from network servers with care
• Tclsh scripts require privilege level 15 access
• If possible, only run signed or trusted Tcl scripts
Tool Command Language (Tcl) – Caveats
• Use low-memory protection to prevent malloc failures
• The Tcl process runs at medium (i.e., default) priority, so be careful with loops
• Use 15.x or higher code for best security
Tool Command Language (Tcl) – For Your Reference
• General language resources: http://www.tcl.tk
• Cisco IOS scripting with Tcl: http://tools.cisco.com/squish/39A40
• All examples from this presentation can be downloaded from: http://www.marcuscom.com/BRKNMS-3021.zip
Embedded Event Manager (EEM)
Embedded Event Manager (EEM) – Automation Uses
• Configuration
• User Experience
• Monitoring & Troubleshooting
• Capacity Planning
• Auditing & Security
Embedded Event Manager (EEM) – Overview
• In-box monitoring of different components of the system via a set of software agents (Event Detectors)
• Event Detectors (ED) notify EEM when an event of interest occurs; based on this, an action can be taken
• Advantages:
• Ability to take proactive actions based on configurable events
• Build automation directly into the device
• Reduce network bandwidth by doing local event monitoring
Embedded Event Manager (EEM) – Architecture Overview
• Extremely flexible and powerful subsystem within Cisco IOS Software
• Adapt device behavior and insert custom logic without an IOS upgrade
• 24 Event Detectors (ED) integrated with IOS modules for a wide range of system event detection
• CLI- and Tcl-based policies provide a consistent programmability interface
• Powerful event engine supporting multi-event correlation, advanced scheduling and more
Embedded Event Manager (EEM) – Event Detectors
• EEM 1.0: SNMP ED; Syslog ED
• EEM 2.0: Application ED; Interface ED; Counter ED; Timer ED; Watchdog ED
• EEM 2.1: CLI ED; None ED; Object Insertion Removal (OIR) ED; GOLD ED
• EEM 2.2: Embedded Object Tracking (EOT) ED; Resource ED; Redundancy Framework ED
• EEM 2.4: SNMP Notification ED; XML-RPC ED
• EEM 3.0: Routing ED; NetFlow ED; IP SLA ED
• EEM 3.1: SNMP Object ED
• EEM 3.2: Neighbor Discovery ED; Identity ED; MAC Address (MAT) ED
• EEM 4.0: File manipulation for applets; more parameters passed to the CLI ED; tighter resource control
Embedded Event Manager (EEM) – Actions
An Embedded Event Manager Policy Can:
• Execute a Cisco IOS CLI command and receive the result
• Send a CNS event
• Increment or decrement an EEM counter
• Force a switchover to the standby in a redundant configuration
• Request system information (e.g. SNMP info, crash data, etc.)
• Send an e-mail
• Cause another EEM policy to be executed
• Publish an application specific EEM event
• Reload the box
• Send a customized SNMP trap
• Reply to an SNMP GET/SET request
• Log a message to syslog
Embedded Event Manager (EEM) v1.0 – Example: Force a Graceful Failover
event manager applet lowmem-failover
 event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val 4194304 poll-interval 10
 action 1.0 syslog priority critical msg "Free memory exhausted; current free memory is $_snmp_oid_val bytes; forcing failover"
 action 2.0 force-switchover
• Event Manager applets group together events and an action or list of actions
• Actions are executed in alphabetical order when the event occurs
• This example sends a syslog message to indicate free memory is less than 4 MB, then forces a graceful failover to a redundant CPU
• This proactive failover may prevent reduced performance and a crash
Embedded Event Manager (EEM) 2.4 – Example: Multiple Events
event manager applet getIP
 event tag restart syslog pattern "LINEPROTO-5-UPDOWN:.*FastEthernet0.*state to up"
 event tag periodic timer watchdog time 86400
 trigger
  correlate event restart or event periodic
 action 1.0 cli command "show int Fa0 | inc Internet address is"
 action 2.0 mail to [email protected] from [email protected] server smtp.cisco.com subject "IP address info" body "IP address is: $_cli_result"
• The applet will trigger upon seeing either a LINEPROTO-5-UPDOWN syslog message indicating FastEthernet0 has come up, or when the daily watchdog timer pops
• The IP address of interface FastEthernet0 will be obtained, then emailed to the interested party
Embedded Event Manager (EEM) 3.0 – Example: Routing Changes
event manager applet route-watch
 event routing network 10.1.1.0/24 type add protocol ospf
 action 001 cli command "enable"
 action 002 set done 0
 action 003 while $done eq 0
 action 004  wait 5
 action 005  cli command "ping ip 10.1.1.1"
 action 006  regexp "!!!!!" "$_cli_result"
 action 007  if $_regexp_result eq 1
 action 008   cli command "config t"
 action 009   cli command "int Tunnel0"
 action 010   cli command "shut"
 action 011   cli command "end"
 action 012   set done 1
 action 013  end
 action 014 end
• The applet will trigger when the route 10.1.1.0/24 is learned via OSPF
• The applet will try to ping host 10.1.1.1, and when it is successful, it will take down the backup tunnel interface
• This applet uses the new EEM 3.0 programmatic applet syntax
Embedded Event Manager (EEM) 4.0 – Example: "Multi-pipe" Support
event manager applet dump-active-procs
 event none
 action 001 cli command "enable"
 action 002 cli command "show proc cpu sort | exc 0.00"
 action 003 file open fd $_none_arg1 w
 action 004 file puts fd nonewline $_cli_result
 action 005 file close fd
Router#event manager run dump-active-procs flash:active_procs.txt
Router#more flash:active_procs.txt
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
56 231145 38724013 5 0.63% 0.35% 0.29% 0 Ethernet Msec Ti
6 116311 64000 1817 0.31% 0.11% 0.03% 0 Check heaps
3 341 249 1369 0.15% 0.09% 0.09% 0 Exec
• The applet will grab all processes that do not have a 0.00% CPU utilization
• Next, the applet opens the filename specified in the first argument to the policy
• Finally, all of the output from the CLI command is printed to the file
Embedded Event Manager (EEM) – Tcl Policies
• Available in EEM 2.0 and later
• EEM policies are written in Tcl version 8.3.4
• Policies can do everything that applets can do, and more!
• Cisco provides built-in Tcl namespaces and libraries to facilitate creating EEM policies
Embedded Event Manager (EEM) – Sample Tcl User Policy: Syslog Policy
::cisco::eem::event_register_syslog pattern ".*UPDOWN.*Serial0/0.* changed state to down"
# We don't require any global variables to be set.
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
array set arr_einfo [event_reqinfo]
if { $_cerrno != 0 } {
    set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
        $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
    error $result
}
global slg_msg
set slg_msg $arr_einfo(msg)
set newmsg [format "Primary uplink has gone down: %s" $slg_msg]
action_syslog priority emerg msg $newmsg
if { $_cerrno != 0 } {
    set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
        $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
    error $result
}
(Slide callouts: the event_register_syslog line registers a syslog event to watch our primary uplink; event_reqinfo gets the event-specific information; action_syslog sends our high-priority syslog message.)
Embedded Event Manager (EEM) – Enabling Tcl Policies
1. Router#mkdir disk0:/policies
2. Router#copy tftp://172.18.123.33/syslog_policy.tcl disk0:/policies/syslog_policy.tcl
3. Router#config t
4. Router(config)#event manager directory user policy disk0:/policies
5. Router(config)#event manager policy syslog_policy.tcl type user
(Remove the "event manager directory user policy" line to prevent user-defined EEM Tcl policies from running.)
Converting Applets To Tcl
http://www.marcuscom.com/convert_applet/
Embedded Event Manager – Built-In Event Detector Documentation
• New to EEM 2.4, the available event detector variables and syntax (both Tcl and applet) are available within Cisco IOS
• show event manager detector DETECTOR detailed
Router#show event manager detector track detailed
No. Name Version Node Type
1 track 01.00 node0/0 RP
Tcl Configuration Syntax:
::cisco::eem::event_register_track
[tag <tag-val>]
<track-number> [state {up | down | any}]
[queue_priority {normal | low | high | last}]
[maxrun <sec.msec>] [nice {0 | 1}]
Tcl event_reqinfo Array Names:
event_id
event_type
event_type_string
event_pub_time
event_pub_sec
event_pub_msec
event_severity
number
state
Embedded Event Manager (EEM) – Cisco Built-In Policies
• Use the show event manager policy available system command to get a list of available System Policies for a given IOS release
• System Policies live under tmpsys:/lib/tcl/eem_scripts and can be viewed with the more command
Embedded Event Manager (EEM) – Security
• Cisco scripts run in unrestricted Tcl mode
• User scripts run in safe-Tcl mode
• Allows Cisco to disable/customize specific Tcl commands
• Provides restrictions to ensure system integrity
• Built-in throttle that periodically suspends execution
• User scripting is disabled by disallowing the command:
• event manager directory user …
• All config commands are run in privileged global config mode
• To control the user that runs an EEM policy, use:
• event manager session cli username <username>
• The username is sent to TACACS+ for command authorization
• This can be bypassed on a per-policy basis as of EEM 3.1
Embedded Event Manager (EEM) – Version Comparison
EEM version – Cisco IOS version introduced:
– 2.1: 12.3(14)T1, 12.2(28)SBC, 12.2(18)SXF5, 12.2(33)SRA
– 2.1.5: 12.2(18)SXF4 (IOS with Modularity)
– 2.2/2.3: 12.4(2)T, 12.2(33)SRB1
– 2.4: 12.4(20)T, 12.2(40)SE, 12.2(40)SG
– 3.0: 12.4(22)T
– 3.1: 12.2(50)SY, 15.0(1)M
– 3.2: 12.2(52)SE, 15.1(3)T
– 4.0: 15.2(2)T
Feature – first EEM version (present in that version and all later ones):
– Syslog, SNMP EDs: 2.1
– Syslog, SNMP actions: 2.1
– Watchdog, Counter, Interface Counter, Timer, Application-Specific EDs: 2.1
– Counter modification, System Info, Email actions: 2.1
– OIR, CLI EDs: 2.1
– User and System Tcl policies: 2.1
– GOLD, System Manager, WDSysMon EDs: 2.1.5
– Resource, RF, EOT EDs: 2.2/2.3
– Multiple event support, SNMP Proxy, XML RPC EDs: 2.4
– Programmatic applets, NetFlow, IP SLAs, Routing EDs: 3.0
– SNMP GET/SET interception, AAA bypass, Tcl CLI enhancements: 3.1
– MAC Notification ED, Neighbor Discovery ED: 3.2
– File support for applets, enhanced CLI variables, resource control: 4.0
For Your Reference
EEM On Other Platforms
Platform – EEM Support:
• IOS-XR platforms – Support for EEM Tcl. Same Tcl syntax as IOS with a subset of the event detectors. Full sync is planned for XR 5.3.
• NX-OS platforms – Support for distinct EEM applet syntax only. More event detectors planned for NX-OS 7.x.
• ASA – Limited EEM applet support introduced in 9.2. Only action is to run CLI commands.
For Your Reference
Embedded Event Manager (EEM) – References
• Embedded Event Manager overview: http://tools.cisco.com/squish/e8837
• Writing EEM policies using the CLI (applets): http://tools.cisco.com/squish/fDCdd
• Writing EEM policies using Tcl: http://tools.cisco.com/squish/9fc09
For Your Reference
Embedded Event Manager (EEM) – References (Cont.)
• How to send customizable traps using EEM 3.0: https://supportforums.cisco.com/docs/DOC-11745
• How to run an EEM policy whenever a device boots: https://supportforums.cisco.com/docs/DOC-12612
• Embedded Event Manager 2.4 enhancements: http://tools.cisco.com/squish/1d5F4
• Support for writing EEM policies available via the Cisco Support Community Network Management Forum: https://supportforums.cisco.com/community/netpro/network-infrastructure/network-management
For Your Reference
EEM Best Practices Doc
• "Living" document at https://supportforums.cisco.com/document/48891/cisco-eem-best-practices
• Contains helpful tips and tricks to get the most out of EEM
• Great supplement to the Cisco.com docs
Cisco Beyond Has a New Home
• Discussion forums: ask questions, get answers
• Video tutorials
• Script repository: over 130 open source scripts, learn by example
• http://www.cisco.com/go/ciscobeyond
Embedded Syslog Manager (ESM)
Embedded Syslog Manager (ESM) – Automation Uses
• User Experience
• Monitoring & Troubleshooting
• Auditing & Security
Embedded Syslog Manager (ESM) – Overview
[Slide graphic: syslog messages pass through the ESM modules on their way to the Syslog Server, Console, TTY and Buffer destinations]
Available from: Cisco IOS 12.3(2)T, 12.2(25)S
• Post-process syslog messages with selected ESM filters (proactive rules-based analysis)
• User-definable scripting (Tcl)
• New message queue in parallel with classic syslog
• Available in images with Tcl 8.3.4
Embedded Syslog Manager (ESM) – Configuration
Router(config)#logging filter <URL> [position] [args args]
Router(config)#logging buffered filtered
Router(config)#logging host 10.10.10.10 filtered [stream_id]
Router(config)#logging filter disk0:/drop.tcl args LINK 5
Where:
– <URL> is a Cisco IOS path to an ESM filter Tcl script
– [position] is an optional order number (if multiple filters are defined)
– [args] are optional command line arguments to pass to the filter script
Specify which logging destinations should be filtered:
– stream_id can be set in the filter script to route certain events to certain destinations
Embedded Syslog Manager (ESM) – Example: Selective Filtering – 1/2
[Slide graphic: the router sends a SYS-5-CONFIG_I message; Cisco Prime Infrastructure (configuration fetch) and Cisco Info Center are the receivers]
• Certain syslog messages may be interesting to some syslog receivers but not others
• Filtering should happen as close to the device as possible to reduce load on the network and on the syslog receivers
• Description:
– Allow all syslog messages to go to a central event correlation system
– Only send events about configuration changes to the config archive server
Router(config)#logging filter disk0:/config_chg.tcl
Router(config)#logging host ipv6 fd04:853d:25c3:d24e::39 filtered
Router(config)#logging host 172.18.123.81
Embedded Syslog Manager (ESM) – Example: Selective Filtering – 2/2
(Slide callouts: the filtered logging host is the config archive server destination; the unfiltered logging host is the event correlation server destination.)
# Embedded Syslog Manager, Only send CONFIG and CONFIG_I syslog messages
#
# Namespace: global
if {[string compare -nocase "CONFIG_I" $::mnemonic] == 0 ||
    [string compare -nocase "CONFIG" $::mnemonic] == 0} {
    return $::orig_msg
}
return ""
(Only config change messages are sent on using this filter.)
Embedded Syslog Manager (ESM) – Other Examples
• Message routing: categorize messages using criteria other than facility or severity
• Example: send all spanning tree messages to a separate syslog server
• SMTP-based email alerts: capability for notifications using TCP to external servers, such as TCP-based syslog collectors or Simple Mail Transfer Protocol (SMTP) servers
• Example: configuration changes sent to administrators via an email message
• Your example… the possibilities are endless!
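The selective-filtering example above and the message-routing idea on this slide both come down to the same decision: parse the fields ESM hands a filter (facility, severity, mnemonic, the original message) and return either the message or an empty string, optionally with a stream id. The following Python is an added offline model of that logic, not code from the presentation or from IOS; the stream numbers (10 for the config archive server, 20 for a spanning tree collector) and the sample log lines are constructed for this example.

```python
"""Offline model of an ESM message-routing filter (constructed example).

Parses Cisco IOS syslog lines into the fields an ESM filter sees as
$::facility, $::severity, $::mnemonic and $::orig_msg, then applies the
routing rules described on the slides: configuration-change messages go
to the config archive stream, spanning tree messages to a dedicated
collector stream, everything else to the default stream.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed stream ids for this example ("logging host <ip> filtered stream <id>").
STREAM_DEFAULT = None        # unfiltered / default destinations
STREAM_CONFIG_ARCHIVE = 10   # assumed: config archive server
STREAM_STP_COLLECTOR = 20    # assumed: spanning tree syslog server

# %FACILITY-SEVERITY-MNEMONIC: as emitted by Cisco IOS.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def parse_ios_syslog(line: str) -> Optional[Dict[str, object]]:
    """Return facility/severity/mnemonic/orig_msg, or None if the line is not IOS-format."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "orig_msg": line,
    }


def config_only_filter(line: str) -> str:
    """Equivalent of the slide's config_chg.tcl: keep CONFIG/CONFIG_I, drop everything else."""
    fields = parse_ios_syslog(line)
    if fields and fields["mnemonic"].upper() in ("CONFIG", "CONFIG_I"):
        return line
    return ""


def route_message(line: str) -> Tuple[str, Optional[int]]:
    """Return (message to forward, stream id). An empty message means 'drop'."""
    fields = parse_ios_syslog(line)
    if fields is None:
        # Not a %FAC-SEV-MNEMONIC message: pass it through on the default stream.
        return line, STREAM_DEFAULT
    if fields["mnemonic"].upper() in ("CONFIG", "CONFIG_I"):
        return line, STREAM_CONFIG_ARCHIVE
    if fields["facility"] == "SPANTREE":
        return line, STREAM_STP_COLLECTOR
    return line, STREAM_DEFAULT


def route_all(lines: List[str]) -> Dict[Optional[int], List[str]]:
    """Group messages by destination stream, dropping anything the filter empties."""
    out: Dict[Optional[int], List[str]] = {}
    for line in lines:
        msg, stream = route_message(line)
        if msg:
            out.setdefault(stream, []).append(msg)
    return out


# Constructed sample messages in Cisco IOS syslog format.
SAMPLE_LOG = [
    "Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "Mar  1 00:12:40.001: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port GigabitEthernet0/1 on VLAN0010.",
    "Mar  1 00:12:41.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down",
    "Mar  1 00:12:42.250: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22]",
]

if __name__ == "__main__":
    for stream, msgs in route_all(SAMPLE_LOG).items():
        print(f"stream {stream}: {len(msgs)} message(s)")
```

The case-insensitive mnemonic comparison mirrors the -nocase compare in the Tcl filter; the facility check is what lets you route a whole message class (all of SPANTREE) without enumerating mnemonics.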
Embedded Syslog Manager (ESM) – Caveats
• ESM filters cannot be applied to SNMP history logs (i.e., filters will not be applied to messages logged from logging history or snmp-server enable traps syslog)
• Filtered destinations no longer receive buginf messages (e.g., debugging output)
• All filters must be written in Tcl
Embedded Syslog Manager (ESM) – For Your Reference
• Embedded Syslog Manager Guide: http://tools.cisco.com/squish/32395
Embedded Packet Capture (EPC)
Embedded Packet Capture (EPC) – Automation Uses
• Monitoring & Troubleshooting
• Auditing & Security
• Performance Analysis
Embedded Packet Capture (EPC) – Overview
• Capture packets flowing from, to, or through a given device
• Captures can be filtered using ACLs
• Captured packets can be exported for analysis in sniffer programs such as Wireshark
• CEF and process switched flows are supported
• IPv4 and IPv6 are supported
Available from: Cisco IOS 12.4(20)T and 12.2(33)SRE (7200 only)
Source: http://tools.cisco.com/squish/64E2C
Embedded Packet Capture (EPC) – Configuration – 1/3
• Define a Capture Point
Router#monitor capture point ip cef cappnt GigabitEthernet0/0 both
Where:
– ip is the protocol (either ip for IPv4 or ipv6 for IPv6)
– cef is the switching path (either cef or process-switched)
– cappnt is the capture point name
– GigabitEthernet0/0 is the interface on which to capture (or all)
– both is the traffic flow direction (in, out, or both)
Embedded Packet Capture (EPC) – Configuration – 2/3
• Define a Capture Buffer
Router#monitor capture buffer capbuf size 512 max-size 1518 circular
Router#monitor capture buffer capbuf limit duration 600
Where:
– capbuf is the capture buffer name
– size 512 is the maximum in-memory size in kilobytes (KB)
– max-size 1518 is the maximum packet slice size
– circular is the buffer type (linear locks when full, circular wraps)
• Optionally limit the packets captured:
– By time
– By number of packets captured
– Drop every Nth packet
– Limit packet rate
Embedded Packet Capture (EPC) – Configuration – 3/3
• Optionally define an access-list for filtering (e.g. capture WWW traffic only)
• Configure the ACL on the buffer
• Associate the capture buffer to the capture point
Router(config)#access-list 101 permit tcp any any eq 80
Router(config)#access-list 101 permit tcp any eq 80 any
Router#monitor capture buffer capbuf filter access-list 101
Router#monitor capture point associate cappnt capbuf
Embedded Packet Capture (EPC) – Using EPC – 1/4
• Start the capture
• If the buffer is linear, the capture will run until the buffer is full or until the limiting criterion is met
• The capture can also be manually stopped
Router#monitor capture point start cappnt
Router#monitor capture point stop cappnt
Embedded Packet Capture (EPC) – Using EPC – 2/4
• The contents of the buffer can be viewed on the device
• Or the buffer can be exported to a network server (or local file) in PCAP format for more detailed analysis
Router#show monitor capture buffer capbuf dump
12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None
6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20 .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010 dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00 ..1b.........
Router#monitor buffer export capbuf tftp://172.18.123.33/http.pcap
Embedded Packet Capture (EPC) – Using EPC – 3/4
• …Or decode the buffer headers on the device itself using EEM
• Download the "Decode EPC Headers" policy from Cisco Beyond at http://tools.cisco.com/squish/Affd
Router#show monitor capture buffer capbuf decode
01:27:54.285 EDT Oct 11 2010 : IPv6 CEF : Fa0/0 None
IPv6:
Dest MAC : 00:10:14:33:D4:00 Src MAC : 00:17:08:5A:1B:16
Dest IP : 2003:a00::2 Src IP : 2003:a00::1
01:27:54.285 EDT Oct 11 2010 : IPv6 CEF : Fa0/0 None
IPv6:
Dest MAC : 00:10:14:33:D4:00 Src MAC : 00:17:08:5A:1B:16
Dest IP : 2003:a00::2 Src IP : 2003:a00::1
(Slide callout on the decode keyword: "Argument Inserted by EEM".)
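When the device cannot run the Cisco Beyond decode policy, or when the dump has already been pasted into a ticket, the same header decode can be done offline. The Python below is an added example, not the Cisco Beyond "Decode EPC Headers" policy and not code from the presentation: it rebuilds the raw frame from the hex dump shown on the previous slide (that dump is the sample input), then decodes the Ethernet, IPv4/IPv6 and TCP/UDP headers and prints them in the same Dest/Src layout the on-device decode uses. The output layout and the field names in the result dictionary are this example's own choices.

```python
"""Decode the hex dump from 'show monitor capture buffer <name> dump' (constructed example)."""
import ipaddress
import struct
from typing import Any, Dict

# Sample input: the frame dump shown on the slide, copied verbatim.
SAMPLE_DUMP = """\
6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20 .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010 dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00 ..1b.........
"""

HEXDIGITS = set("0123456789abcdefABCDEF")
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def dump_to_bytes(dump: str) -> bytes:
    """Collect the (up to four) hex words that follow 'ADDR:' on each dump line.

    The ASCII column is ignored: parsing stops at the first token that is not an
    even-length hex string, and never takes more than four words per line.
    """
    data = bytearray()
    for line in dump.splitlines():
        addr, sep, rest = line.partition(":")
        if not sep or not addr.strip() or set(addr.strip()) - HEXDIGITS:
            continue
        for tok in rest.split()[:4]:
            if len(tok) % 2 or set(tok) - HEXDIGITS:
                break
            data.extend(bytes.fromhex(tok))
    return bytes(data)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Decode Ethernet II + IPv4/IPv6 (+ TCP/UDP ports) headers from a captured frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, Any] = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]), "ethertype": ethertype}
    payload = frame[14:]
    l4_proto, l4 = None, b""
    if ethertype == 0x0800 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        total_len = struct.unpack("!H", payload[2:4])[0]
        l4_proto = payload[9]
        info.update(version=4, ttl=payload[8], protocol=l4_proto,
                    src_ip=str(ipaddress.IPv4Address(payload[12:16])),
                    dst_ip=str(ipaddress.IPv4Address(payload[16:20])))
        l4 = payload[ihl:total_len]  # drop Ethernet padding beyond the IP total length
    elif ethertype == 0x86DD and len(payload) >= 40:
        payload_len, l4_proto, hop_limit = struct.unpack("!HBB", payload[4:8])
        info.update(version=6, hop_limit=hop_limit, protocol=l4_proto,
                    src_ip=str(ipaddress.IPv6Address(payload[8:24])),
                    dst_ip=str(ipaddress.IPv6Address(payload[24:40])))
        l4 = payload[40:40 + payload_len]
    if l4_proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", l4[:16])
        flags = off_flags & 0x01FF
        info.update(src_port=sport, dst_port=dport, seq=seq, ack=ack, window=window,
                    tcp_flags=[name for bit, name in TCP_FLAG_NAMES if flags & bit])
    elif l4_proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(src_port=sport, dst_port=dport)
    return info


def format_decode(info: Dict[str, Any]) -> str:
    """Render the decoded headers in the layout of 'show monitor capture buffer ... decode'."""
    lines = [f"IPv{info.get('version', '?')}:",
             f"Dest MAC : {info['dst_mac']} Src MAC : {info['src_mac']}"]
    if "src_ip" in info:
        lines.append(f"Dest IP : {info['dst_ip']} Src IP : {info['src_ip']}")
    if "src_port" in info:
        lines.append(f"Dest Port : {info['dst_port']} Src Port : {info['src_port']} "
                     f"Flags : {'/'.join(info.get('tcp_flags', [])) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_decode(decode_frame(dump_to_bytes(SAMPLE_DUMP))))
```

Slicing the layer-4 data at the IP total length matters for short frames like this one: the dump carries seven bytes of Ethernet padding after the 40-byte IP packet, which would otherwise be mistaken for TCP payload.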
Embedded Packet Capture (EPC) – Using EPC – 4/4
Embedded Packet Capture (EPC) – Caveats
• Make sure there is enough free memory to hold the maximum configured capture buffer size
• In 12.4T, capture buffers could only be exported to network servers
• Local export was made available in 15.0
• Jumbo frame support (packets over 1024 bytes) was added in 15.0
• Access-list filtering does not match on packets generated by the device itself
• MPLS frames are not currently captured
• Multicast frames are only captured on ingress
Embedded Packet Capture (EPC) – Additional References
• Cisco Support Communities tech tip on using EPC: https://supportforums.cisco.com/docs/DOC-5799
• A similar feature exists on the 6500 and 7600 called "Mini Protocol Analyzer": http://tools.cisco.com/squish/4F4eD
• Cisco Support Communities article on Mini Protocol Analyzer: https://supportforums.cisco.com/docs/DOC-5814
For Your Reference
Configuration Archive and Rollback
Configuration Archive and Rollback – Automation Uses
• Configuration
• Auditing & Security
• User Experience
Configuration Archive and Rollback – Overview
• Config archive provides a way of storing and managing multiple Cisco IOS configuration versions
• Config rollback provides a way of replacing the current running config with any configuration file
• Hooks exist for comparing configs, and viewing context-sensitive diffs
• Questionable configuration changes can be evaluated and automatically backed out
• Rollbacks are done efficiently and safely by only reapplying commands that have changed
Available from: Cisco IOS 12.3(7)T, 12.2(25)S
Reference: http://tools.cisco.com/squish/0F4a6
Config Archive and Rollback – Saving Configuration Files
archive
 path disk0:/configs
 maximum 14
 time-period 60
 write-memory
 log config
  notify syslog
Router#archive config
Where:
– path is the location to store archived configs (this can be a network URL as well); the special values $h and $t are replaced with the device's hostname and the current time respectively
– maximum is the maximum number of configs to archive (between 1 and 14)
– time-period 60 snapshots the config every hour (time-period is in minutes)
– write-memory archives the config when write mem is executed
– log config logs all config changes (including the exact command entered)
– archive config takes an ad-hoc snapshot on the fly
The old way: Router#copy running-config <destination-url>
Configuration Archive – Viewing Archived Configurations
Router#show archive
There are currently 2 archive configurations saved.
The next archive file will be named disk0:config-archive-3
 Archive # Name
   0
   1 disk0:config-archive-1
   2 disk0:config-archive-2 <- Most Recent
   3
   4
   5
   6
   7
   8
   9
   10
   11
   12
   13
   14
Configuration Replace and Rollback
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#snmp-server community public ro
Router(config)#snmp-server community private rw
Router(config)#end
Router#config replace disk0:config-archive-1
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: yes
Total number of passes: 0
Rollback Done
Available from: Cisco IOS 12.3(7)T, 12.2(25)S
Configuration Rollback Confirmed Change
configure replace target-url [nolock] [list] [force] [ignorecase] [revert trigger] [error] [timer minutes]
Available from: Cisco IOS 12.4(20)T
Reference: http://tools.cisco.com/squish/00746
– revert trigger error: reverts to the original configuration upon error
– revert trigger timer <minutes>: reverts to the original configuration if the specified time elapses
New in 12.4(20)T, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SXI
Configuration Rollback Confirmed Change
configure revert {now | timer {minutes | idle minutes}}
– timer minutes: this is the only way to change the time from config replace
– idle minutes: if there is no activity for X minutes, revert to the old config
Router# config terminal revert time 2
Rollback Confirmed Change: Backing up current running config to flash:jclarke-1
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# hostname Router1
Router1(config)#
(time passes…)
Router(config)#
Available from: Cisco IOS 12.4(24)T
Reference: http://tools.cisco.com/squish/00746
A critical config change to a remote router may result in loss of connectivity, requiring a reload…
Contextual Configuration Diffs
• View line-by-line comparison of two configuration revisions
• Compare order-sensitive data such as ACLs
• Output lists configuration lines that have been added, removed, or modified
Router#show archive config differences nvram:startup-config system:running-config
Contextual Config Diffs:
+ip http server
+tacacs-server host 172.18.123.33
+tacacs-server directed-request
-no ip http server
-logging 192.168.0.254
(Lines marked + are in the running-config but not in the startup-config; lines marked - are in the startup-config but not in the running-config.)
Available from: Cisco IOS 12.3(4)T, 12.2(25)S
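The diff above is worth reading as an auditor: the same change that adds ip http server also removes no ip http server and drops a logging destination, and those are exactly the lines to weigh before accepting or reverting a confirmed change. The Python below is an added offline model of that comparison, not the device's implementation and not code from the presentation: it lists lines present only in the candidate (+) or only in the reference (-) in the order the device output uses, then pulls out the differences that touch security-relevant configuration. The two configuration texts are constructed to reproduce the diff shown on the slide, and the list of prefixes treated as security-relevant is an assumption of this example.

```python
"""Offline model of 'show archive config differences' plus an audit pass (constructed example)."""
from typing import List, Tuple

# Constructed startup-config (reference) and running-config (candidate).
STARTUP_CONFIG = """\
hostname Router
!
no ip http server
logging 192.168.0.254
!
interface GigabitEthernet0/0
 ip address 172.18.123.1 255.255.255.0
!
end
"""

RUNNING_CONFIG = """\
hostname Router
!
ip http server
!
tacacs-server host 172.18.123.33
tacacs-server directed-request
!
interface GigabitEthernet0/0
 ip address 172.18.123.1 255.255.255.0
!
end
"""

# Assumed list of command prefixes an auditor reviews before accepting or reverting a change.
SECURITY_PREFIXES = ("aaa ", "tacacs", "radius", "logging", "snmp-server", "ip http",
                     "username", "enable ", "line vty", "access-list", "ip access-list")


def config_lines(text: str) -> List[str]:
    """Configuration lines with comments ('!') and blank lines removed; indentation is kept."""
    return [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]


def config_differences(reference: str, candidate: str) -> List[Tuple[str, str]]:
    """('+', line) for lines only in candidate, then ('-', line) for lines only in reference."""
    ref, cand = config_lines(reference), config_lines(candidate)
    ref_set, cand_set = set(ref), set(cand)
    added = [("+", l) for l in cand if l not in ref_set]
    removed = [("-", l) for l in ref if l not in cand_set]
    return added + removed


def render(diff: List[Tuple[str, str]]) -> str:
    """Print the diff in the device's 'Contextual Config Diffs:' layout."""
    return "Contextual Config Diffs:\n" + "\n".join(sign + line for sign, line in diff)


def _command(line: str) -> str:
    """Normalise a line so that 'no ip http server' is judged by the command it negates."""
    cmd = line.strip().lower()
    return cmd[3:] if cmd.startswith("no ") else cmd


def security_relevant(diff: List[Tuple[str, str]]) -> List[str]:
    """Subset of the diff that touches AAA, logging, SNMP, HTTP, ACL or login configuration."""
    return [sign + line for sign, line in diff if _command(line).startswith(SECURITY_PREFIXES)]


if __name__ == "__main__":
    diff = config_differences(STARTUP_CONFIG, RUNNING_CONFIG)
    print(render(diff))
    print("Review before confirming:", security_relevant(diff))
```

The "+" block comes before the "-" block and each keeps source order, which is what lets an added line and the removed "no" form of the same command be read together.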
Configuration Archive and Rollback – Caveats
• Free memory must be large enough to hold the current running configuration as well as the replacement configuration
• Physical interface statements cannot be removed from a running configuration
• Certain Cisco IOS configuration commands cannot be fully removed unless the router is reloaded
• Archiving configurations via TFTP is a security risk; opt for FTP or RCP instead
Data Collection Manager 2.0
Data Collection Manager 2.0 – Automation Uses
• Capacity Planning
• Monitoring & Troubleshooting
• Diagnostics
• Performance Analysis
Data Collection Manager 2.0
• Provides a mechanism to collect numerous SNMP object values or CLI command output at once
• Save or transfer data in bulk to prevent loss during connectivity outages
• Supports proxy collection (useful in NAT scenarios)
• No NMS required!
– Data can be analyzed locally
– Periodic polling is not required
• Bulk object data can be transferred in binary or ASCII format using a variety of protocols: TFTP, FTP, SCP, Flexible NetFlow
Available from: Cisco IOS 15.2(2)T
Feature Guide: http://tools.cisco.com/squish/208ee
Data Collection Manager 2.0
Collect Memory Data From SNMP
• Add memory pool objects to the collection list
• Specify all instances to poll, and poll every one minute
• Configure the transfer mechanism

bulkstat data my-memory-objs type snmp
 object 1.3.6.1.4.1.9.9.48.1.1.1.2
 object 1.3.6.1.4.1.9.9.48.1.1.1.5
 object 1.3.6.1.4.1.9.9.48.1.1.1.6
bulkstat instance my-memory-objs type snmp
 range start 1 end 5
bulkstat data-group my-memory-group
 interval polling 1
 collect type snmp data my-memory-objs instance my-memory-objs
bulkstat profile my-memory-profile
 file transfer url primary flash:/bulk-memory-data/
 file size 10240
 interval transfer raw 60
 data-group my-memory-group
 enable

The three objects are ciscoMemoryPoolName (.2), ciscoMemoryPoolUsed (.5) and ciscoMemoryPoolFree (.6); instances 1 through 5 correspond to all built-in memory pools (Processor through Multibus).
Data Collection Manager 2.0
The Results
my-memory-schema: 1303505344, .1, Processor, 49231448, 82409480
my-memory-schema: 1303505344, .2, I/O, 5470528, 7112384
my-memory-schema: 1303505404, .1, Processor, 49160928, 82480000
my-memory-schema: 1303505404, .2, I/O, 5470528, 7112384
my-memory-schema: 1303505464, .1, Processor, 49160896, 82480032
my-memory-schema: 1303505464, .2, I/O, 5470528, 7112384
my-memory-schema: 1303505524, .1, Processor, 49160848, 82480080
my-memory-schema: 1303505524, .2, I/O, 5470528, 7112384
Global: NE100, 20110422, 205303, 1997145, 2%, 2%, 2%

Schema-def GLOBAL "%s, %s, %u, %u, %u, %u, %u"
hostname date timeofday sysuptime cpu5min cpu1min cpu5sec
Schema-def my-memory-group "%u, %s, %s, %u, %u"
epochtime instanceOID 1.3.6.1.4.1.9.9.48.1.1.1.2 1.3.6.1.4.1.9.9.48.1.1.1.5 1.3.6.1.4.1.9.9.48.1.1.1.6

Schema format: %s means "string" and %u means "unsigned integer". Each row shows the epoch time, instance number, pool name, used memory, and free memory; each block of two pools is taken one minute apart (the epoch times advance by 60).
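The Schema-def lines are what make the export self-describing, so a collector should read them rather than hard-code column positions. The following Python is an added example, not one of the session's scripts and not part of the DCM feature: it parses a constructed export laid out in the format shown above (the schema definitions placed first, which is an assumption about file layout; then one line per record), converts %u fields to integers, rejects any record whose field count disagrees with its schema (that is how a transfer truncated by the connectivity outage DCM is meant to bridge shows up), and computes per-pool memory utilisation from the newest sample of each pool. The sample data is constructed from the values above, with the last record deliberately cut short.

```python
import re
from collections import defaultdict

# Constructed sample export (not a real transfer): two schema definitions in the
# format the slides show, followed by records. The last record is deliberately
# truncated to exercise the validation path.
SAMPLE_EXPORT = """\
Schema-def GLOBAL "%s, %s, %u, %u, %u, %u, %u"
hostname date timeofday sysuptime cpu5min cpu1min cpu5sec
Schema-def my-memory-group "%u, %s, %s, %u, %u"
epochtime instanceOID 1.3.6.1.4.1.9.9.48.1.1.1.2 1.3.6.1.4.1.9.9.48.1.1.1.5 1.3.6.1.4.1.9.9.48.1.1.1.6
GLOBAL: NE100, 20110422, 205303, 1997145, 2%, 2%, 2%
my-memory-group: 1303505344, .1, Processor, 49231448, 82409480
my-memory-group: 1303505344, .2, I/O, 5470528, 7112384
my-memory-group: 1303505404, .1, Processor, 49160928, 82480000
my-memory-group: 1303505404, .2, I/O, 5470528, 7112384
my-memory-group: 1303505464, .1, Processor, 49160896
"""

# CISCO-MEMORY-POOL-MIB columns used in the memory data group
POOL_NAME = "1.3.6.1.4.1.9.9.48.1.1.1.2"
POOL_USED = "1.3.6.1.4.1.9.9.48.1.1.1.5"
POOL_FREE = "1.3.6.1.4.1.9.9.48.1.1.1.6"

SCHEMA_RE = re.compile(r'^Schema-def (\S+) "(.*)"$')


def parse_export(text):
    """Parse a DCM export into (schemas, records, rejected).

    schemas:  name -> list of (field name, format token)
    records:  name -> list of dicts keyed by field name (%u fields as int)
    rejected: raw lines whose field count disagrees with their schema
    """
    lines = text.splitlines()
    schemas, records, rejected = {}, defaultdict(list), []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = SCHEMA_RE.match(line)
        if m:
            # A Schema-def line is followed by one line naming its fields
            name, fmt = m.groups()
            tokens = [t.strip() for t in fmt.split(",")]
            fields = lines[i + 1].split() if i + 1 < len(lines) else []
            if len(fields) != len(tokens):
                raise ValueError(f"schema {name}: {len(fields)} names for {len(tokens)} fields")
            schemas[name] = list(zip(fields, tokens))
            i += 2
            continue
        name, sep, payload = line.partition(": ")
        if sep and name in schemas:
            values = [v.strip() for v in payload.split(",")]
            if len(values) != len(schemas[name]):
                rejected.append(line)
            else:
                rec = {}
                for (field, token), value in zip(schemas[name], values):
                    # CPU columns are declared %u but printed with a trailing percent sign
                    rec[field] = int(value.rstrip("%")) if token == "%u" else value
                records[name].append(rec)
        i += 1
    return schemas, dict(records), rejected


def memory_utilisation(records, group="my-memory-group"):
    """Used/(used+free) percentage per memory pool, taken from the newest sample of each."""
    newest = {}
    for rec in records.get(group, []):
        pool = rec[POOL_NAME]
        if rec["epochtime"] >= newest.get(pool, (-1, 0))[0]:
            total = rec[POOL_USED] + rec[POOL_FREE]
            newest[pool] = (rec["epochtime"], round(100.0 * rec[POOL_USED] / total, 1))
    return {pool: pct for pool, (_, pct) in newest.items()}


def pools_above(util, limit_pct):
    """Pools whose utilisation exceeds limit_pct, for alerting."""
    return sorted(pool for pool, pct in util.items() if pct > limit_pct)


if __name__ == "__main__":
    schemas, records, rejected = parse_export(SAMPLE_EXPORT)
    print("rejected:", rejected)
    print("cpu5min:", records["GLOBAL"][0]["cpu5min"], "%")
    util = memory_utilisation(records)
    print("utilisation:", util, "above 40%:", pools_above(util, 40))
```

Rejected lines are returned rather than silently dropped so the collector can log them and decide whether to re-request the transfer.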
Data Collection Manager 2.0
DCM and NAT
• DCM as a proxy to other SNMP devices
• Polls devices using SNMP and exports using DCM supported protocols
(Diagram: an NMS application receives DCM exports from the routers at Customer A and Customer B; each router polls the devices on its own site over SNMP.)
Data Collection Manager 2.0
MIB Objects vs. Names
• Some objects can be added by name (e.g. ifTable objects like ifDescr, ifInOctets, etc.)
• Most objects must be added by OID
• SNMP Object Navigator provides a great way to translate MIB names to OIDs
• http://tools.cisco.com/squish/7f7ef
Data Collection Manager 2.0
Collect IPSLA Data From CLI
• Add the IPSLA stats command
• Run the command every 60 seconds to collect the results
• Configure the transfer mechanism

bulkstat data my-ipsla type command
 add cmd show ip sla stat 1 det
bulkstat data-group my-ipsla-group
 interval polling 60
 collect type command data my-ipsla
bulkstat profile my-ipsla-profile
 file transfer url primary flash:/my-ipsla-data/
 interval transfer raw 60
 data-group my-ipsla-group
 enable
Data Collection Manager 2.0
The Results
GLOBAL: NE100, 20130412, 173059, 176595, 0%, 0%, 0%
my-ipsla-group: 1365802259, "show ip sla stat 1 det", 1, "
IPSLAs Latest Operation Statistics
IPSLA operation id: 1
Latest RTT: 1 milliseconds
Latest operation start time: 17:30:51 EDT Fri Apr 12 2013
Latest operation return code: OK
Over thresholds occurred: FALSE
Number of successes: 4
Number of failures: 0
Operation time to live: Forever
Operational state of entry: Active
Last time this entry was reset: Never
"
Schema-def GLOBAL "%s, %s, %u, %u, %u, %u, %u"
hostname date timeofday sysuptime cpu5min cpu1min cpu5sec
Schema-def my-ipsla-group "%u, %s, %u, %s"
epochtime Command Command-Output-Buffer-Count Command-Output-Buffer-Content
One Platform Kit (onePK)
Automation Uses
• Provisioning
• User Experience
• Monitoring & Troubleshooting
• Capacity Planning
• Data Customization

One Platform Kit (onePK)
Overview
• onePK is a device-level API for Cisco's core operating systems
• Enables one to create applications that run on or near Cisco devices
• Provides capabilities to innovate, extend, automate, customize, enhance, and modify the default behavior of Cisco devices
onePK Architecture
(Diagram: a physical device is layered as hardware silicon, the network operating system (IOS | IOS-XE | IOS-XR), the Cisco onePK APIs, and the applications on top.)

onePK Service Sets
• DATA PATH: packet delivery services to the application, e.g. copy, punt, inject
• POLICY: filtering (NBAR), classification (class-map, policy-map), actions (marking, policing, queuing), applying policy to interfaces
• ROUTING: read RIB routes, add/remove routes, receive RIB notifications
• ELEMENT: CPU/memory statistics, interface statistics, element and interface events
• DISCOVERY: Layer 3 topology and local service discovery
• UTILITY: syslog event and path tracing capability
• DEVELOPER: debug capability and CLI extension (invoke CLI from the application)
Application Development
• Supports applications written in C, Java, Python, or any language that supports REST
• Combine the C API with SWIG (http://www.swig.org) to build bindings in other languages
• Develop in the Eclipse IDE, the NetBeans IDE, or another IDE (IDE = Integrated Development Environment, basically what the app developer uses to develop their programs)
Application Deployment Models
• Runs locally on the device (router/switch)
• Runs on a service blade in the router/switch
• Runs on a remote server
Configuring onePK
Router#show run | section onep
onep
 datapath transport gre sender-id 10 interface GigabitEthernet0/1
 transport type tls disable-remotecert-validation
 history size 65535 purge old
 service set vty

The datapath line configures the Data Path service set; the history is useful for debugging; service sets such as vty are optional. Note that transport type tls disable-remotecert-validation makes the router accept any certificate the connecting application presents, so TLS no longer authenticates the application; it is a lab shortcut, and production deployments should validate the remote certificate.
Okay, Now What…? Routing For Dollars
router ospf 1
 redistribute application <app name> ...

The Topology-Aware Network
1. Connect to a device running the Topology-Aware Network (TAN) onePK app
2. Issue the custom "topology send" command
3. Router sends the current topology image to the user
The whole process takes a few seconds!
Router#topology send [email protected]
And Add Location…

All-in-One VM Environment
• Virtual IOS routers
• All onePK SDKs, including docs, tutorials, and sample apps
Check out the onePK DevNet portal to get started: http://developer.cisco.com/web/onepk
Real-World Examples
Diagnosing Transient Problems
• Problem: You are seeing VPN tunnel drops on your VPN head-end router at 3:00 am every day. The tunnels continue to flap until the physical interface is reset. You want to analyze the traffic on the wire at that time.
Doing Things the Long Way

Diagnosing Transient Problems
• Solution: Use Embedded Packet Capture together with Embedded Event Manager to start a capture session at 3:00 am. When the VPN tunnels first go down, stop the capture, and email the binary capture file as a MIME attachment for analysis at a reasonable hour.
• Caveat: the capture file leaves the router over plain SMTP to the relay named in the policy's email environment variable, so use a relay inside the management network (or export the buffer straight to a server instead of mailing it), and size the circular buffer so it holds only the minutes around the event.
Troubleshooting Transient Problems
• Set up EPC to use a circular buffer, and run forever
• EEM will take care of stopping the capture
Configuring EPC
Router#monitor capture point ip cef cappnt Serial2/0 both
Router#monitor capture buffer capbuf size 512 max-size 1518 circular
Router#monitor capture point associate cappnt capbuf
Troubleshooting Transient Problems
Starting the Capture With EEM
• Start the capture five minutes before the event (cron entry 02:55 every day)
• Initiate the packet capture from the CLI

::cisco::eem::event_register_timer cron cron_entry "55 2 * * *"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open a CLI session, enter enable mode and start the capture point
if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
if { [catch {cli_exec $cliarr(fd) "monitor capture point start cappnt"} result] } {
    error "Failed to start packet capture: '$result'" $errorInfo
}
catch {cli_close $cliarr(fd) $cliarr(tty_id)} result
Troubleshooting Transient Problems
Stopping the Capture With EEM and Sending the Capture File As an Email
• React to a syslog indicating that the tunnels have detected a problem
• Stop the capture and export it to a file on flash
• Create an email with a MIME header and send it

::cisco::eem::event_register_syslog pattern "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Stop the capture as soon as the first MAC-verify failure is logged
if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
if { [catch {cli_exec $cliarr(fd) "monitor capture point stop cappnt"} result] } {
    error "Failed to stop packet capture: '$result'" $errorInfo
}
# Export the circular buffer to flash as a pcap file, then release the CLI session
if { [catch {cli_exec $cliarr(fd) "monitor capture buffer capbuf export flash:vpn.pcap"} result] } {
    error "Failed to export capture buffer: '$result'" $errorInfo
}
catch {cli_close $cliarr(fd) $cliarr(tty_id)} result
# Build the MIME message: headers, an empty first part, then the base64 attachment part.
# $_email_server, $_email_from, $_email_to and $_router_name are EEM environment variables.
set email_body_pre "Mailservername: $_email_server
From: $_email_from
To: $_email_to
Cc:
Subject: Email from Router $_router_name
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=\"EEM_email_boundary\"
\n--EEM_email_boundary\n
\n--EEM_email_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; filename=\"vpn.pcap\"\n\n"
# Read the capture in binary mode (a text-mode read would corrupt it) and base64-encode it
if [catch {open "flash:vpn.pcap"} result] {
    error "Failed to open flash:vpn.pcap: '$result'" $errorInfo
}
set fd $result
fconfigure $fd -translation binary
set email_b64 [::base64::encode [read $fd]]
close $fd
set email_body_mime "\n--EEM_email_boundary--"
set email_body [format "%s%s%s" $email_body_pre $email_b64 $email_body_mime]
if [catch {smtp_send_email $email_body} result] {
    error "Failed to send email: '$result'" $errorInfo
}
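On the receiving side, do not hand a mailed attachment straight to your analysis tools: check that what arrived is a complete capture first. The following Python is an added example, not one of the session's scripts: it builds a constructed message in the same multipart layout the policy above produces (an application/octet-stream part, base64 encoded, filename vpn.pcap), extracts the attachment with the standard email module, and validates the pcap global header and every record header before reporting link type, packet count and time span, so a truncated or corrupted file is rejected instead of being opened. The sample pcap bytes, hostnames and addresses are constructed for the example; in practice the input is the message the router sent.

```python
import base64
import email
import struct

# pcap global header magic as read little-endian, mapped to the struct byte order
# needed to decode the rest of the file (microsecond and nanosecond variants).
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}


def build_sample_pcap(linktype=1, snaplen=1518):
    """Constructed two-packet pcap (Ethernet link type; 1518-byte snaplen like the EPC buffer)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    records = b""
    for ts, payload in ((1365802259, b"\x00" * 60), (1365802260, b"\x11" * 80)):
        records += struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
    return header + records


def build_sample_email(pcap, router="vpn-head"):
    """Constructed message in the same multipart/mixed layout the EEM policy emits."""
    attachment = base64.encodebytes(pcap).decode("ascii")
    return (
        "From: eem@router.example.test\r\n"
        "To: noc@example.test\r\n"
        f"Subject: Email from Router {router}\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="EEM_email_boundary"\r\n'
        "\r\n--EEM_email_boundary\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="vpn.pcap"\r\n\r\n'
        + attachment
        + "\r\n--EEM_email_boundary--\r\n"
    ).encode("ascii")


def extract_attachment(raw_message, filename="vpn.pcap"):
    """Return the decoded bytes of the named attachment, or raise if it is missing."""
    message = email.message_from_bytes(raw_message)
    for part in message.walk():
        if part.get_filename() == filename:
            return part.get_payload(decode=True)
    raise ValueError(f"no attachment named {filename}")


def inspect_pcap(data):
    """Validate a pcap file end to end; return link type, snaplen, packet count and time span."""
    if len(data) < 24:
        raise ValueError("shorter than a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGIC:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    order = PCAP_MAGIC[magic]
    _, major, _, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    if major != 2:
        raise ValueError(f"unsupported pcap major version {major}")
    count, pos, first, last = 0, 24, None, None
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError(f"truncated record header at offset {pos}")
        ts, _, incl_len, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        # Every record must fit the snaplen and the file; otherwise the transfer was cut short
        if incl_len > snaplen or pos + 16 + incl_len > len(data):
            raise ValueError(f"corrupt or truncated record at offset {pos}")
        first = ts if first is None else first
        last = ts
        count += 1
        pos += 16 + incl_len
    span = (last - first) if count else 0
    return {"linktype": linktype, "snaplen": snaplen, "packets": count, "span_seconds": span}


def pcap_is_valid(data):
    """True when inspect_pcap accepts the file."""
    try:
        inspect_pcap(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pcap = build_sample_pcap()
    print(inspect_pcap(extract_attachment(build_sample_email(pcap))))
    print("truncated copy valid:", pcap_is_valid(pcap[:-10]))
```

The record walk is what catches a partial export: a file with a sane header but a record that runs past the end of the data is exactly what a capture interrupted mid-transfer looks like.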
Adding New SNMP MIB Support
• Problem: We want to be able to monitor and graph information about the number of DHCP leases our IOS-based DHCP server has handed out. However, there is no SNMP object that will give us this count.
http://tools.cisco.com/squish/546e0

Adding New SNMP MIB Support
• Solution: The EXPRESSION-MIB gives the capability to insert custom data into the value of an SNMP MIB object
– EXPRESSION-MIB can be configured using SNMP directly since 12.0(5)T.
– The initial Cisco implementation was based on OID 1.3.6.1.4.1.9.10.22, but the current Cisco implementation is based on RFC2982-MIB, OID 1.3.6.1.2.1.90.
– In 12.4(20)T the EXPRESSION-MIB feature was enhanced to add CLIs to configure expressions.
• EXPRESSION-MIB plus the Embedded Event Manager provide a way to gather data only available via the Command Line Interface (CLI), even if there is no MIB support currently available

Adding New SNMP MIB Support
Background
(Diagram: (1) an EEM policy grabs the output of the show command(s) and stores the value in the EXPRESSION-MIB; (2) the local SNMP agent, with EXPRESSION-MIB/RFC 2982 support, exposes it as our "Custom-MIB"; (3) the SNMP manager sends a polling request for the Custom-MIB value (expExpression); steps 4 and 5 return the polled value to the SNMP manager.)
Adding New SNMP MIB Support
Installing the EASy Package
Router#easy_installer flash:/easy/custom_mib.tar flash:/easy/custom-mib
The EASy PREFIX is already set to flash:/easy.
Do you want to use flash:/easy/custom-mib as the new EASy package PREFIX? (y/n) [n]
----------------------------------------------------------------
Configure and Install EASy Package 'custom-mib-1.1'
----------------------------------------------------------------
1. Display Package Description
2. Configure Package Parameters
3. Deploy Package Policies
4. Verify Installed Package
5. Exit
Enter option:

The easy_installer command is an alias for the installer script:
Router#sh run | inc easy
alias exec easy_installer tclsh flash:/easy/easy_installer.tcl

Adding New SNMP MIB Support
Installing the EASy Package (cont.)
Enter option: 1 [Display Package Description]
The package is able to extract a value from a show command using a configured regular expression, and make that value accessible via SNMP using the EXPRESSION-MIB or RFC 2982 MIB depending on the IOS running.
Hit enter to continue...
Enter option: 2 [Configure Package Parameters]
Configure EEM Environment Variables for 'custom-mib-1.1'
Enter the frequency with which to run the show command [60]:
Enter the show command to execute [show ip dhcp pool CORP | inc Leased]:
Enter the regular expression to extract the custom value [Leased addresses\s+:\s+(\d+)]:
Enter message to send via syslog if the expression is found [Expression found]:
Enter a local IP address to poll with SNMP [10.48.71.24]:
Enter a read-write SNMP community for this device [private]:
...
Enter option: 3 [Deploy Package Policies]
…
INFO: Package custom-mib-1.1 successfully installed.
Note: if you want to change any parameter, you might need to reinstall the package or manually modify the environment variable and run "event manager update user policy name POLICY_NAME".
Adding New SNMP MIB Support
Verifying the Installation
Listing the installed packages:
Router#easy_installer --list
EASy packages installed:
custom-mib-1.1 Make a custom value accessible via SNMP
Hit enter to continue...
Uninstalling the package:
Router#easy_installer --uninstall --prefix flash:/easy/custom-mib --pkgname custom-mib
Uninstalling custom-mib...DONE!
INFO: Uninstall of custom-mib completed successfully.
Adding New SNMP MIB Support
Verifying the Installation (cont.)
Verifying the variables:
Router#sh run | inc envir
event manager environment __easy_PREFIX flash:/easy/custom-mib1
event manager environment countdown_entry 60
event manager environment match_cmd show ip dhcp pool CORP | inc Leased
event manager environment match_pattern Leased addresses\s+:\s+(\d+)
event manager environment nok_msg Expression found
event manager environment ip_address 10.48.71.24
event manager environment rw_community private
event manager environment custom-mib_mode SNMP_EXPRESSION
Note that the read-write community the policy uses to write the expression (rw_community, "private" in this example) sits in clear text in the running configuration and grants SNMP write access to the device: use a dedicated, non-default community string and restrict it with an access-list to the local polling address (10.48.71.24 here).

Verifying registered scripts:
Router# show event manager policy registered
No. Class Type Event Type Trap TimeRegistered Name
1 script user timer watchdog Off Tue Apr 16 .. tm_customMIB_SNMP_ExpressionMIB.tcl
 name {watchdog} time 60.000
 nice 0 queue-priority normal maxrun 240.000 scheduler rp_primary
Adding New MIB Objects to IOS
Polling the New Object
• via CLI: show management expression
• via SNMP: the Custom-MIB OID is customized, indexed by the owner and expression name
NMS% snmpwalk -c public -v 2c Router 1.3.6.1.2.1.90
SNMPv2-SMI::mib-2.90.1.2.1.1.3.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = STRING: "50"
SNMPv2-SMI::mib-2.90.1.2.1.1.4.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = INTEGER: 1
SNMPv2-SMI::mib-2.90.1.2.1.1.5.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = ""
SNMPv2-SMI::mib-2.90.1.2.1.1.6.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = INTEGER: 0
SNMPv2-SMI::mib-2.90.1.2.1.1.7.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = OID: SNMPv2-SMI::zeroDotZero
SNMPv2-SMI::mib-2.90.1.2.1.1.8.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = Counter32: 0
SNMPv2-SMI::mib-2.90.1.2.1.1.9.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = INTEGER: 1
SNMPv2-SMI::mib-2.90.1.3.1.1.2.5.99.105.115.99.111.7.99.117.115.116.111.109.49.0.0.0 = Counter32: 50
Router#sh ip dhcp pool CORP | inc Leased
Leased addresses : 50
Current index        IP address range                    Leased addresses
Router#

How the instance is built: expExpression is 1.3.6.1.2.1.90.1.2.1.1.3 and expValueCounter32Val is 1.3.6.1.2.1.90.1.3.1.1.2. The index appended to each column is length($exp_owner).$exp_owner.length($exp_name).$exp_name with the strings encoded as ASCII byte values; with $exp_owner=cisco (length 5) and $exp_name=custom1 (length 7) this gives 5.99.105.115.99.111.7.99.117.115.116.111.109.49, so the expression string lives at 1.3.6.1.2.1.90.1.2.1.1.3.5.99.105.115.99.111.7.99.117.115.116.111.109.49. In the snmpwalk, "public" is the read-only community string and "Router" is the hostname or IP address of our device.
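Building and decoding that index by hand is error-prone, and it is exactly what an NMS has to do to poll one expression by name instead of walking the whole table. The following Python is an added example, not part of the EASy package or of the session's scripts: it encodes an (owner, name) pair into the length-prefixed OID suffix, builds the full OIDs for expExpression and expValueCounter32Val, and decodes lines of the snmpwalk output above back into owner, name, value instance and value. The two walk lines used as input are copied from the output above; the trailing 0.0.0 on the value row is the expValueInstance shown there and is passed through as-is.

```python
import re

EXP_EXPRESSION = "1.3.6.1.2.1.90.1.2.1.1.3"          # expExpression column
EXP_VALUE_COUNTER32 = "1.3.6.1.2.1.90.1.3.1.1.2"     # expValueCounter32Val column
MIB2 = "1.3.6.1.2.1"                                 # what net-snmp prints as mib-2
COLUMNS = {EXP_EXPRESSION: "expExpression", EXP_VALUE_COUNTER32: "expValueCounter32Val"}

# Two lines from the snmpwalk shown above, used here as sample input
WALK_LINES = [
    'SNMPv2-SMI::mib-2.90.1.2.1.1.3.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = STRING: "50"',
    'SNMPv2-SMI::mib-2.90.1.3.1.1.2.5.99.105.115.99.111.7.99.117.115.116.111.109.49.0.0.0 = Counter32: 50',
]


def octet_string_index(text):
    """SNMP table index for a non-IMPLIED OCTET STRING: its length, then each byte."""
    data = text.encode("ascii")
    return [len(data)] + list(data)


def expression_instance(owner, name):
    """Index suffix for expExpressionTable rows: owner then name, both length-prefixed."""
    return ".".join(str(n) for n in octet_string_index(owner) + octet_string_index(name))


def expression_oid(owner, name):
    """Full OID of the expExpression string for one (owner, name)."""
    return f"{EXP_EXPRESSION}.{expression_instance(owner, name)}"


def value_oid(owner, name, value_instance="0.0.0"):
    """Full OID of expValueCounter32Val; value_instance is the suffix seen in the walk."""
    return f"{EXP_VALUE_COUNTER32}.{expression_instance(owner, name)}.{value_instance}"


def decode_index(subids):
    """Split an index into (owner, name, remaining sub-identifiers); reject a short one."""
    strings, pos = [], 0
    for _ in range(2):
        if pos >= len(subids):
            raise ValueError("index ends before both strings are present")
        length = subids[pos]
        chunk = subids[pos + 1:pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("truncated string in index")
        strings.append(bytes(chunk).decode("ascii"))
        pos += 1 + length
    return strings[0], strings[1], subids[pos:]


WALK_RE = re.compile(r"^SNMPv2-SMI::mib-2\.([\d.]+) = (\w+): (.*)$")


def parse_walk_line(line):
    """Turn one snmpwalk line into column name, owner, name, value instance, type and value."""
    m = WALK_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised walk line: {line}")
    oid = f"{MIB2}.{m.group(1)}"
    for column, column_name in COLUMNS.items():
        if oid.startswith(column + "."):
            subids = [int(x) for x in oid[len(column) + 1:].split(".")]
            owner, name, rest = decode_index(subids)
            return {
                "column": column_name,
                "owner": owner,
                "name": name,
                "instance": ".".join(str(n) for n in rest),
                "type": m.group(2),
                "value": m.group(3).strip('"'),
            }
    return None  # another column of the MIB; not needed for this check


if __name__ == "__main__":
    print(expression_oid("cisco", "custom1"))
    print(value_oid("cisco", "custom1"))
    for line in WALK_LINES:
        print(parse_walk_line(line))
```

With value_oid in hand the NMS can snmpget the single Counter32 it graphs instead of walking the subtree, and decode_index lets a collector confirm that the row it received really belongs to the owner and expression it asked for.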
Customizing Syslog Messages
• Problem: A service provider has a customer that would like to be notified when the URL filtering policies configured on their leased equipment block a specific site. Only this customer is in Argentina, and they would like to see the syslog and email notifications in Spanish.

Customizing Syslog Messages
Translating Text and Enhancing Delivery
1. Match the specific message type to be translated and extract the variable parameters
2. Insert the parameters into the new message and send it to the customer's syslog destination
3. Format the syslog output into an email message and send that to the customer's Network Operations Team
4. Pass the untranslated message to the SP's syslog destination

Managing Syslog Events
• Solution: Use Embedded Syslog Manager to intercept the outgoing syslog messages and modify the message as it goes to the customer's syslog server. The modified message will be translated into Spanish. Additionally, ESM will send a summary email in Spanish based on the original syslog.
(Diagram: the router sends the URLF-4-SITE_BLOCKED message; the SP's NOC receives the original and the customer's NOC receives the Spanish version.)

Customizing Syslog Messages
Translating Syslogs – The Code
• Extract parameters from the URLF-4-SITE_BLOCKED message and insert them into the translated message
# ESM filter: ::msg_args holds the message parameters; ::timestamp, ::hostname and
# ::cli_args (the args given on the logging filter command) are set by ESM
set msg_args [split $::msg_args]
set fw_policy [lindex $msg_args 0]
set url [lindex $msg_args 1]
set source_ip [lindex $msg_args 2]
set source_port [lindex $msg_args 3]
set dest_ip [lindex $msg_args 4]
set dest_port [lindex $msg_args 5]
# Resolve the client's name with a single one-hop traceroute probe (1 second timeout). This runs
# in the logging path for every blocked request, so keep it this cheap or drop it on a busy router
if { [regexp {Tracing the route to ([A-Za-z._-]+)} [exec traceroute ip $source_ip timeout 1 probe 1 ttl 1 1] match regex_result] } {
    set hostinfo $regex_result
} else {
    set hostinfo "\[No disponible]"
}
# Replace the outgoing message with the Spanish version for the filtered destination
set ::orig_msg [format "\n%s: Se ha denegado el acceso http al sitio '%s' (IP %s) al usuario '%s' (IP %s)" $::timestamp $url $dest_ip $hostinfo $source_ip]

Customizing Syslog Messages
Translating Syslogs – The Code (cont.)
• Send a localized email summary of the syslog event to the customer's NOC

set custom_msg [format "\n%s: Se ha denegado el acceso http al sitio '%s' (IP %s) al usuario '%s' (IP %s)" $::timestamp $url $dest_ip $hostinfo $source_ip]
# Mail form (subject and body)
set email_subject "Politica de Filtrado URL: Router $::hostname ha detectado una violacion en las Politicas de Seguridad Corporativas"
set email_body [format "%s" "Reporte :"]
set email_body [format "%s\n\n%s" "$email_body" "********************************************************************************"]
set email_body [format "%s\n\n%s" "$email_body" "Detalle de Evento"]
set email_body [format "%s\n\n%s" "$email_body" "********************************************************************************"]
set email_body [format "%s\n%s" "$email_body" "$custom_msg"]
# The recipient address is the filter argument configured on the logging filter command
email::sendmessage $::cli_args $email_subject $email_body
Customizing Syslog Messages
Translating Syslogs – Configuring the Router
• Define the ESM filter: logging filter flash:/customer_trans_es.tcl args
• Add the customer's syslog server as a logging host, and pass all messages through the translation filter: logging host 172.18.123.33 filtered
• Add the SP's syslog server as an unfiltered destination: logging 192.168.131.3

Customizing Syslog Messages
Translating Syslogs – Verifying the Router Configuration
Router#show logging
…
Filter modules:
flash:/customer_trans_es.tcl args [email protected]
Trap logging: level debugging, 103 message lines logged
Logging to 192.168.131.3 (udp port 514, audit disabled), 24 message lines logged, xml disabled, filtering disabled
Logging to 172.18.123.33 (udp port 514, audit disabled), 24 message lines logged, xml disabled, filtering enabled
Applying Configuration Changes
• Problem: Applying configuration changes to remote routers can cause lockouts; when console access is not available, someone needs to reload these devices

Applying Configuration Changes
Applying a Change To a Remote Router
• Applying a configuration change such as an access-list could result in being locked out of the router
• If console access is available, configuration changes can be deployed using the console to avoid network problems
• If no out-of-band access is available, then a reload* is necessary to undo the problematic config change
* Or reload {at|in}

Applying Configuration Changes
Doing Things the Hard Way
(Cartoon: an access-list change locks the operator out, and now the router must be reloaded.)

Applying Configuration Changes
Using Config Rollback
• Solution: Use config rollback to automatically back out the config change after a certain amount of time
• Replace the running configuration with the latest good archive after two minutes unless the change being made is confirmed
Router#show archive
There are currently 3 archive configurations saved.
The next archive file will be named disk0:/config-archive-4
Archive # Name
0
1 disk0:/config-archive-1
2 disk0:/config-archive-2
3 disk0:/config-archive-3 <- Most Recent
Router#config replace disk0:/config-archive-3 time 2

Using Config Rollback
• Apply the potentially problematic configuration change
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int pos4/0
Router(config-if)#ip access-group 113 in

Using Config Rollback
• If the configuration was successful, confirm the change: Router#config confirm
• If the config changes caused the user to be locked out, the router will automatically revert to the last saved archive configuration after two minutes, and connectivity will be restored
• Make sure the archive you name is current (take one with archive config immediately before the change); otherwise the rollback also undoes every change made since that archive was written. On 12.4(24)T and later, configure terminal revert timer gives the same protection without naming an archive file, as under Rollback Confirmed Change above.
Key Takeaways
• The Tcl 8.3.4 interpreter embedded into Cisco IOS can be used for many purposes
- Custom command creation
- Automated device configuration
- Building other embedded tools
• Embedded Event Manager provides a way for the router to monitor itself for potential problems, and act accordingly
• Use the Embedded Syslog Manager to filter and prioritize critical log messages
• The Embedded Packet Capture tool enables one to capture data that passes through, comes from, or comes to a device
• Config archive and rollback provides configuration change history as well as the ability to back out problem configuration changes
• Data Collection Manager 2.0 streamlines bulk SNMP and CLI data retrieval and export
• onePK provides a consistent API across multiple operating systems for building custom features and robust access to network subsystems
• Use the scripts, features and examples to build operations and tools that work for you
• All scripts from this session are available online at http://www.marcuscom.com/BRKNMS-3021.zip
And Remember…
Cisco IOS Can Be the Best Tool in Your Network
Thank you