Advanced Cisco IOS Device Instrumentation · Advanced Cisco IOS Device Instrumentation ... •...

Advanced Cisco IOS Device Instrumentation

Chris Kodadek, Solution Architect

BRKNMS-3021

Session Abstract

• This advanced session covers some of the embedded management technologies in recent versions of Cisco IOS Software. Attendees are shown how the Embedded Event Manager combined with Tcl scripts can automate the ability of Cisco devices to respond to events detected on the device. The session demonstrates ways to suppress excess log messages and use alternate forms of message delivery using the Embedded Syslog Manager with Tcl. Attendees learn analysis of network traffic using the Embedded Packet Capture feature, the use of Configuration Locking and Rollback for safe recovery from errors or misconfigurations, performing bulk management, and exploring network programmability with onePK. Examples are shown for each technology, as well as ways to combine multiple automation solutions to reduce OPEX and extend the capabilities of IOS.

• This advanced course is for network engineers who are comfortable with Cisco IOS and have some understanding of Tcl programming. Experience with other network management functions such as SNMP and Syslog is also recommended.

Headquarters

Mobile Users

Remote Sites

Mobile Users

Telecommuters

Branch Sites

Partners/Customers

Internet

Extranet

IPSec

Tunnels

Metro

Ethernet

Broadband /

VPN

MPLS

Internet

Home Office

Got Tools?

Cisco IOS Automation Uses

User Experience

Configuration / Provisioning

Performance Analysis

Monitoring & Troubleshoo

tingDiagnostics

Auditing & Security

Capacity Planning

Agenda

Introduction

Embedded Instrumentation Technologies

Real-World Examples

Key Takeaways

What is Instrumentation?

• Provides us (operators, administrators) and applications with a view into what the device is doing and how it is behaving

• Gives us an ability to touch the device

• Our ability to understand how the device is behaving is only as good as the underlying instrumentation

• Instrumentation provides us with the intelligence to respond to conditions on the device and take corrective action, if necessary

• It may even allow us to automate the response

Embedded Instrumentation Model vs. External View• Connectivity to external systems may

not always be available or reliable

• Internal scripts are distributed and localized:• Each router or switch in the network has its own

set of policies

• Information can be distilled and forwarded to external monitoring systems

• Problems can be handled locally

• Polling vs. event notification

• Policies are triggered without having to constantly poll

• No need to listen and filter error messages

• Instant reaction when a condition is detected

• No need to relay the information outside the system and wait for response

• Combining embedded instrumentation with external management tools createa powerful NMS solution!

SiSi SiSi

SiSiSiSiSiSi SiSiSiSiSiSi SiSiSiSiSiSi

EEM

Interpret from

Outside

vs.

See from

Within

Agenda

Introduction


Real-World Examples

Key Takeaways

Tool Command Language (Tcl)

Tool Command Language (Tcl)Automation Uses

Tool Command Language

(Tcl)

Configuration

User ExperienceMonitoring &

Troubleshooting


• Tcl is a multithreaded interpreted scripting language

• Language resources found at:

• http://www.tcl.tk/

• Tcl 7.x has been in Cisco IOS since 1994

• Tcl 8.3.4 first released in Cisco IOS in 12.3(2)T and merged into 12.2(25)S

Overview

http://www.tcl.tk/


• Support for scripts compiled with the TclPro byte code

• Support for Tcl namespaces

• Allows execution of exec commands and Cisco IOS configuration

• Support for cryptographic signing of scripts

Features


• Build custom show commands

• Access SNMP objects

• Open TCP and UDP sockets

• Integrate with the Embedded Syslog Manager, Embedded Event Manager, and the Embedded Menu Manager

• Build Interactive Voice Response (IVR) scripts

• Consolidate complex configuration commands

• Auto-configuration

Uses Within Cisco IOS

Tool Command Language (Tcl)Simplifying Tasks

Router#more flash:/ping_check.tcl

foreach host [list "172.18.123.33" "172.18.80.126"

"172.18.181.139"] {

set output [exec "ping $host repeat 1"]

if { ! [regexp {!} $output] } {

puts "Host $host is not reachable"

}

}

Router#tclsh flash:/ping_check.tcl

Host 172.18.80.126 is not reachable

Tcl Cisco IOSExtended Commands

Tcl Built-In Command

Cisco IOS Command


• You can execute tclsh scripts at boot time

• Add a “do” command directly into the startup configuration

NOTE: The tclsh script must NOT be interactive. It must run to completion without user input.

Auto-Configuration

Router#show start

. . .

!

do tclsh flash:/autoconfig.tcl

end


• Tcl scripts can open client and server TCP socketsBetter to leave server sockets for EEM where the script can detach from the VTY

• UDP socket support was added in 15.1(1)T

• Full example of a DNS client for IOS available at http://tools.cisco.com/squish/88203

Using Network Sockets

proc connect { server proto } {

if { $proto == "tcp" } {

if { [catch {set fd [socket $server 53]} result] } {

return -code error $result

}

fconfigure $fd -translation binary

} else {

if { [catch {set fd [udp_open]} result] } {

return -code error $result

}

fconfigure $fd -remote [list $server 53] -translation binary -buffering none

}

. . .

}

http://tools.cisco.com/squish/88203


• Requires an SNMP community to be configured on the router

• Provides easy access to SNMP objects and commands

• snmp_getbulk—retrieves a large section of the MIB tree

• snmp_getid—retrieves the system table

• snmp_getnext—retrieves the next object in the MIB tree

• snmp_getone—retrieves one object in the MIB tree

• snmp_setany—sets an object in the MIB tree

• Data is returned in an XML format

• First introduced in 12.3(7)T

SNMP Support – 1/2

Router(tcl)#snmp_getid public

{<obj oid='system.1.0' val='Cisco IOS Software, 7200 Software (C7200-JS-

M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2009 by Cisco Systems, Inc.

Compiled Fri 25-Mar-05 14:01 by yiyan'/>}

{<obj oid='system.2.0' val='products.108'/>}

{<obj oid='sysUpTime.0' val='71184284'/>}

{<obj oid='system.4.0' val=’NMS Ops'/>}

{<obj oid='system.5.0' val='router.rtp.cisco.com'/>}

{<obj oid='system.6.0' val='Test POD'/>}

Router(tcl)#snmp_setany private system.6.0 -d ”Cisco Live San Diego"

{<obj oid='system.6.0' val='Cisco Live San Diego'/>}

Tool Command Language (Tcl)SNMP Support Example – 2/2

Tcl Cisco IOSExtended Commands

Tcl Built-In Command

Cisco IOS Command


• Add the capability to check for a digital signature to indicate trust/origin

• Unsigned Tcl scripts can be run in a safe Tcl mode, or not run at all

• A script can run within one of two modes:• Trusted Mode

• If Tcl script contains the right signature:

• It will be authenticated and will run with trusted access to Tcl interpreter

• Untrusted Mode

• If Tcl script does not contain the right signature:

• It will run in a limited mode for untrusted scripts or not run at all

Signed Tcl Scripts

Available from: Cisco IOS 12.4(15)T

Reference: http://tools.cisco.com/squish/634E1

http://tools.cisco.com/squish/634E1


• Load scripts from network servers with care

• Tclsh scripts require privilege level 15 access

• If possible, only run signed or trusted Tcl scripts

Security Concerns


• Use low-memory to prevent malloc failures

• Tcl process runs at medium (i.e., default) priority, so be careful with loops

• Use 15.x or higher code for best security

Caveats


• General language resources:• http://www.tcl.tk

• Cisco IOS scripting with Tcl:• http://tools.cisco.com/squish/39A40

• All examples from this presentation can be downloaded from:• http://www.marcuscom.com/BRKNMS-3021.zip

For YourReference

http://www.tcl.tk

http://tools.cisco.com/squish/39A40

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_script_tcl.html

Embedded Event Manager (EEM)

Embedded Event Manager (EEM)Automation Uses

Embedded Event

Manager (EEM)

Configuration

User Experience

Monitoring & Troubleshooting

Capacity Planning

Auditing & Security


• In-box monitoring of different components of the system via a set of software agents (Event Detectors)

• Event Detectors (ED) notify EEM when an event of interest occurs; based on this, an action can be taken

• Advantages: • Ability to take proactive actions based on configurable events

• Build automation directly into the device

• Reduce network bandwidth by doing local event monitoring

Overview

Embedded Event Manager (EEM)Architecture Overview

Cisco IOS Extremely flexible and powerful

subsystem within Cisco IOS Software

Adapt device behavior and insert custom logic without IOS upgrade

24 Event Detectors (ED) integrated with IOS modules for wide range of system event detection

CLI and Tcl based policy provides consistent programmability interface

Powerful event engine supporting multi-event correlation, advance scheduling and more

Embedded Event Manager (EEM)Event Detectors

EEM 1.0–SNMP ED

–Syslog ED

EEM 2.0–Application ED

–Interface ED

–Counter ED

–Timer ED

–Watchdog ED

EEM 2.1–CLI ED

–None ED

–Object Insertion Removal (OIR) ED

–GOLD ED

EEM 2.2–Embedded Object Tracking (EOT) ED

–Resource ED

–Redundancy framework ED

EEM 2.4–SNMP notification ED

–XML-RPC ED

EEM 3.0–Routing ED

–NetFlow ED

–IP SLA ED

EEM 3.1–SNMP Object ED

EEM 3.2–Neighbor Discovery ED

–Identity ED

–MAC Address (MAT) ED

EEM 4.0–File manipulation for applets

–More parameters passed to CLI ED

–Tighter resource control


An Embedded Event Manager Policy Can:

• Execute a Cisco IOS CLI command and receive the result

• Send a CNS event

• Increment or decrement an EEM counter

• Force a switchover to the standby in a redundant configuration

• Request system information (e.g. SNMP info, crash data, etc.)

• Send an e-mail

• Cause another EEM policy to be executed

• Publish an application specific EEM event

• Reload the box

• Send a customized SNMP trap

• Reply to an SNMP GET/SET request

• Log a message to syslog

Actions

event manager applet lowmem-failover

event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val 4194304 poll-interval 10

action 1.0 syslog priority critical msg "Free memory exhausted; current free memory is $_snmp_oid_val bytes; forcing failover"

action 2.0 force-switchover

Embedded Event Manager (EEM) v1.0

• Event Manager applets group together events and an action or list of actions

• Actions are executed in alphabetical order when the event occurs

• This example sends a syslog message to indicate free memory is less than 4 MB, then forces a graceful failover to a redundant CPU

• This proactive failover may prevent reduced performance and a crash

Example: Force a Graceful Failover

event manager applet getIP

event tag restart syslog pattern "LINEPROTO-5-UPDOWN:.*FastEthernet0

.*state to up"

event tag periodic timer watchdog time 86400

trigger

correlate event restart or event periodic

action 1.0 cli command "show int Fa0 | inc Internet address is"

action 2.0 mail to [email protected] from [email protected] server

smtp.cisco.com subject "IP address info" body "IP address is:

$_cli_result"

Embedded Event Manager (EEM) 2.4Example: Multiple Events

The applet will trigger upon seeing either a LINEPROTO-5-UPDOWN syslog message indicating FastEthernet0 has come up, or when the daily watchdog timer pops

The IP address of interface FastEthernet0 will be obtained, then emailed to the interested party

mailto:[email protected]

mailto:[email protected]

event manager applet route-watch

event routing network 10.1.1.0/24 type add protocol ospf

action 001 cli command "enable"

action 002 set done 0

action 003 while $done eq 0

action 004 wait 5

action 005 cli command "ping ip 10.1.1.1"

action 006 regexp "!!!!!" "$_cli_result"

action 007 if $_regexp_result eq 1

action 008 cli command "config t"

action 009 cli command "int Tunnel0"

action 010 cli command "shut"

action 011 cli command "end"

action 012 set done 1

action 013 end

action 014 end

Embedded Event Manager (EEM) 3.0Example: Routing Changes

The applet will trigger when the route 10.1.1.0/24 is learned via OSPF

The applet will try and ping host 10.1.1.1, and when it is successful, it will take down the backup tunnel interface

This applet uses the new EEM 3.0 programmatic applet syntax

event manager applet dump-active-procs

event none

action 001 cli command "enable"

action 002 cli command "show proc cpu sort | exc 0.00"

action 003 file open fd $_none_arg1 w

action 004 file puts fd nonewline $_cli_result

action 005 file close fd

Embedded Event Manager (EEM) 4.0Example: “Multi-pipe” Support

Router#event manager run dump-active-procs flash:active_procs.txt

Router#more flash:active_procs.txt

CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process

56 231145 38724013 5 0.63% 0.35% 0.29% 0 Ethernet Msec Ti

6 116311 64000 1817 0.31% 0.11% 0.03% 0 Check heaps

3 341 249 1369 0.15% 0.09% 0.09% 0 Exec

The applet will grab all processes that do not have a 0.00% CPU utilization

Next, the applet opens the filename specified in the first argument to the policy

Finally, all of the output from the CLI command is printed to the file


• Available in EEM 2.0 and later

• EEM policies are written in Tcl version 8.3.4

• Policies can do everything that applets can do, and more!

• Cisco provides built-in Tcl namespaces and libraries to facilitate in creating EEM policies

Tcl Policies

::cisco::eem::event_register_syslog pattern ".*UPDOWN.*Serial0/0.* changed state to down"

# We don't require any global variables to be set.

namespace import ::cisco::eem::*

namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]

if { $_cerrno != 0 } {

set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \

$_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]

error $result

}

global slg_msg

set slg_msg $arr_einfo(msg)

set newmsg [format "Primary uplink has gone down: %s" $slg_msg]

action_syslog priority emerg msg $newmsg

if { $_cerrno != 0 } {

set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \

$_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]

error $result

}

Embedded Event Manager (EEM)Sample Tcl User Policy: Syslog Policy

Register a Syslog

Event to Watch Our

Primary Uplink

Get Event-Specific

Information

Send Our High

Priority Syslog

Message

1. Router#mkdir disk0:/policies

1. Router#copy tftp://172.18.123.33/syslog_policy.tcl

disk0:/policies/syslog_policy.tcl

1. Router#config t

1. Router(config)#event manager directory user policy

disk0:/policies

1. Router(config)#event manager policy

syslog_policy.tcl type user

Embedded Event Manager (EEM)Enabling Tcl Policies

Remove this line to

prevent user-defined

EEM Tcl policies from

running

Converting Applets To Tcl

http://www.marcuscom.com/convert_applet/

http://www.marcuscom.com/convert_applet/

Embedded Event Manager Built-In

• New to EEM 2.4, the available event detector variables and syntax (both Tcl and applet) are available within Cisco IOS

• show event manager detector DETECTOR detailed

Event Detector Documentation

Router#show event manager detector track detailed

No. Name Version Node Type

1 track 01.00 node0/0 RP

Tcl Configuration Syntax:

::cisco::eem::event_register_track

[tag <tag-val>]

<track-number> [state {up | down | any}]

[queue_priority {normal | low | high | last}]

[maxrun <sec.msec>] [nice {0 | 1}]

Tcl event_reqinfo Array Names:

event_id

event_type

event_type_string

event_pub_time

event_pub_sec

event_pub_msec

event_severity

number

state


• Use the show event manager policy available system command to get a list of available System Policies for a given IOS release

• System Policies live under tmpsys:/lib/tcl/eem_scripts and can be viewed with the more command

Cisco Built-In Policies


• Cisco scripts run in unrestricted Tcl mode

• User scripts run in safe-Tcl mode

• Allows Cisco to disable/customize specific Tcl commands

• Provides restrictions to ensure system integrity

• Built-in throttle that periodically suspends execution

• User scripting disabled by disallowing command:

• event manager directory user …

• All config commands are privileged global config mode

• To control the user that runs an EEM policy, use:

• event manager session cli username <username>

• Username sent to TACACS+ for command authorization

• This can be bypassed on a per-policy basis as of EEM 3.1

Security

Embedded Event Manager (EEM)Version Comparison

EEM Version 2.1 2.1.5 2.2/2.3 2.4 3.0 3.1 3.2 4.0

Cisco IOS Version Introduced

12.3(14)T1,

12.2(28)SBC,

12.2(18)SXF5,

12.2(33)SRA

12.2(18)SXF4

(IOS with

Modularity)

12.4(2)T,

12.2(33)SRB1

12.4(20)T,

12.2(40)SE,

12.2(40)SG

12.4(22)T

12.2(50)SY15.0(1)M

12.2(52)SE

15.1(3)T15.2(2)T

Syslog, SNMP EDs X X X X X X X X

Syslog, SNMP Actions X X X X X X X X

Watchdog, Counter, Interface Counter, Timer,

Application-Specific EDsX X X X X X X X

Counter Modification,

System Info, Email ActionsX X X X X X X X

OIR, CLI EDs X X X X X X X X

User and System Tcl Policies X X X X X X X X

GOLD, System Manager, WDSysMon EDs X X X X X X X

Resource, RF, EOT EDs X X X X X X

Multiple Event Support, SNMP Proxy, XML RPC EDs X X X X X

Programmatic Applets, NetFlow,

IP SLAs, Routing EDsX X X X

SNMP GET/SET Interception, AAA Bypass, Tcl CLI

EnhancementsX X X

MAC Notification ED, Neighbor Discovery ED X X

File support for applets, enhanced CLI variables,

resource controlX

For YourReference

EEM On Other PlatformsPlatform EEM Support

IOS-XR Platforms Support for EEM Tcl. Same Tcl syntax as IOS with a subset of the event

detectors. Full sync is planned for XR 5.3.

NX-OS Platforms Support for distinct EEM applet syntax only. More event detectors

planned for NX-OS 7.x.

ASA Limited EEM applet support introduced in 9.2. Only action is to run CLI

commands.

For YourReference


• Embedded Event Manager overview:• http://tools.cisco.com/squish/e8837

• Writing EEM policies using the CLI (applets):• http://tools.cisco.com/squish/fDCdd

• Writing EEM policies using Tcl:• http://tools.cisco.com/squish/9fc09

References

For YourReference

http://tools.cisco.com/squish/e8837

http://tools.cisco.com/squish/fDCdd

http://tools.cisco.com/squish/9fc09


• How to send customizable traps using EEM 3.0• https://supportforums.cisco.com/docs/DOC-11745

• How to run an EEM policy whenever a device boots• https://supportforums.cisco.com/docs/DOC-12612

• Embedded Event Manager 2.4 enhancements• http://tools.cisco.com/squish/1d5F4

• Support for writing EEM policies available via the Cisco Support Community Network Management Forum• https://supportforums.cisco.com/community/netpro/network-infrastructure/network-

management

References (Cont.)

For YourReference

https://supportforums.cisco.com/docs/DOC-11745


http://tools.cisco.com/squish/1d5F4

https://supportforums.cisco.com/community/netpro/network-infrastructure/network-management

• “Living” document at

https://supportforums.cis

co.com/document/48891/

cisco-eem-best-practices

• Contains helpful tips and

tricks to get the most out

of EEM

• Great supplement to the

Cisco.com docs

EEM Best Practices Doc

https://supportforums.cisco.com/document/48891/cisco-eem-best-practices

Cisco Beyond Has a New Home

Discussion forums

Ask questions, get answers

Video tutorials

Script repositoryOver 130+ open source scripts,

learn by example

http://www.cisco.com/go/ciscobeyond

http://www.cisco.com/go/ciscobeyond

Embedded Syslog Manager (ESM)

Embedded Syslog Manager (ESM)Automation Uses

Embedded Syslog

Manager (ESM)

User Experience

Monitoring & Trouble-shooting

Auditing &

Security

Embedded Syslog Manager (ESM)Overview

Syslog ServerConsole TTYBuffer

ESM

Modules

Available from: Cisco IOS 12.3(2)T, 12.2(25)S

Post-process syslog messages with selected ESM filters (proactive rules-based analysis)

User definable scripting (Tcl)

New message queue in parallel with classic syslog

Available in images with Tcl 8.3.4

Embedded Syslog Manager (ESM)Configuration

Router(config)#logging filter <URL> [position] [args args]

Router(config)#logging buffered filtered

Router(config)#logging host 10.10.10.10 filtered [stream_id]

Router(config)#logging filter disk0:/drop.tcl args LINK 5

Where:– <URL> is a Cisco IOS path to an ESM filter Tcl script

– [position] is an optional order number (if multiple filters are defined)

– [args] are optional command line arguments to pass to the filter script

Specify which logging destinations should be filtered– stream_id can be set in the filter script to route certain events to certain destinations

Embedded Syslog Manager (ESM)Example: Selective Filtering – 1/2

Configuration Fetch

Cisco Info Center

Cisco Prime Infrastructure

Router Sends SYS-*-5-CONFIG_IMessage

Certain syslog messages may be interesting to some syslog receivers but not others

Filtering should happen as close to the device as possible to reduce load on the network and on the syslog receivers

Description: – Allow all syslog messages to go to a

central event correlation system– Only send events about

configuration changes to the config archive server

Router(config)#logging filter disk0:/config_chg.tcl

Router(config)#logging host ipv6 fd04:853d:25c3:d24e::39 filtered

Router(config)#logging host 172.18.123.81

Embedded Syslog Manager (ESM) Example: Selective Filtering – 2/2

Filtered config

archive server

destination

Unfiltered event

correlation server

destination# Embedded Syslog Manager, Only send CONFIG and CONFIG_I syslog messages

#

# Namespace: global

if {[string compare -nocase "CONFIG_I" $::mnemonic] == 0 ||

[string compare -nocase "CONFIG" $::mnemonic] == 0} {

return $::orig_msg

}

return ""Only config change

messages are sent

on using this filter


• Message routing: categorize messages using criteria other than facility or severity

• Example: send all spanning tree messages to a separate syslog server

• SMTP-based email alerts: capability for notifications using TCP to external servers, such as TCP-based syslog collectors or Simple Mail Transfer Protocol (SMTP) servers

• Example: configuration changes sent to administrators via an email message

• Your example… the possibilities are endless!

Other Examples


• ESM filters cannot be applied to SNMP history logs (i.e., filters will not be applied to messages logged from logging history or snmp-server enable traps syslog)

• Filtered destinations no longer receive buginf messages (e.g., debugging output)

• All filters must be written in Tcl

Caveats


• Embedded Syslog Manager Guide:• http://tools.cisco.com/squish/32395

For YourReference


Embedded Packet Capture (EPC)

Embedded Packet Capture (EPC) Automation UsesAutomation Uses



Auditing & Security

PerformanceAnalysis


• Capture packets flowing from, to, or through a given device

• Captures can be filtered using ACLs

• Captured packets can be exported for analysis in sniffer programs such as Wireshark

• CEF and process switched flows are supported

• IPv4 and IPv6 are supported

Overview

Available from: Cisco IOS 12.4(20)T and 12.2(33)SRE (7200 only)

Source: http://tools.cisco.com/squish/64E2C

http://tools.cisco.com/squish/64E2C

Embedded Packet Capture (EPC)Configuration – 1/3

• Define a Capture Point

Router#monitor capture point ip cef cappnt GigabitEthernet0/0 both

Switching Path

(Either cef or

process-switched)

Capture Point

Name

Interface on Which

to Capture (or All)

Traffic Flow

Direction (In, Out,

or Both)

cef cappnt GigabitEthernet0/0 both

Protocol (Either ip

for IPv4 or ipv6 for

IPv6)

ip


• Define a Capture Buffer

Configuration – 2/3

Router#monitor capture buffer capbuf size 512 max-size 1518 circular

Capture Buffer

Name

Router#monitor capture buffer capbuf limit duration 600

Maximum In-

Memory Size in

Kilobytes (KB)

Maximum Packet

Slice Size

Buffer Type (linear

Locks When Full,

circular Wraps)

Optionally limit the packets captured

By time

By number of packets captured

Drop every Nth packet

Limit packet rate

capbuf 512 1518 circular


• Optionally define an access-list for filtering (e.g. capture WWW traffic only)

• Configure the ACL on the buffer

• Associate the capture buffer to the capture point

Configuration – 3/3

Router(config)#access-list 101 permit tcp any any eq 80

Router(config)#access-list 101 permit tcp any eq 80 any

Router#monitor capture buffer capbuf filter access-list 101

Router#monitor capture point associate cappnt capbuf


• Start the capture

• If the buffer is linear, the capture will run until the buffer is full or until the limiting criterion is met

• The capture can also be manually stopped

Using EPC – 1/4

Router#monitor capture point start cappnt

Router#monitor capture point stop cappnt


• The contents of the buffer can be viewed on the device

• If the buffer is linear, the capture will run until the buffer is full or until the limiting criterion is met

• The capture can also be manually stopped

• Or the buffer can be exported to a network server (or local file) in PCAP format for more detailed analysis

Using EPC – 2/4

Router#show monitor capture buffer capbuf dump

12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None

6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E.

6A89A500: 002851A4 40003F06 05800E20 64210E20 .(Q$@.?.... d!.

6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010 dK^#...S[*tlL!P.

6A89A520: FFFF3162 00000000 00000000 00 ..1b.........

Router#monitor buffer export capbuf tftp://172.18.123.33/http.pcap


• …Or decode the buffer headers on the device itself using EEM

• Download the “Decode EPC Headers” policy from Cisco Beyond at http://tools.cisco.com/squish/Affd

Using EPC – 3/4

Router#show monitor capture buffer capbuf decode

01:27:54.285 EDT Oct 11 2010 : IPv6 CEF : Fa0/0 None

IPv6:

Dest MAC : 00:10:14:33:D4:00 Src MAC : 00:17:08:5A:1B:16

Dest IP : 2003:a00::2 Src IP : 2003:a00::1

01:27:54.285 EDT Oct 11 2010 : IPv6 CEF : Fa0/0 None

IPv6:

Dest MAC : 00:10:14:33:D4:00 Src MAC : 00:17:08:5A:1B:16

Dest IP : 2003:a00::2 Src IP : 2003:a00::1

Argument

Inserted by EEM

http://tools.cisco.com/squish/Affd

Embedded Packet Capture (EPC)Using EPC – 4/4


• Make sure there is enough free memory to hold the maximum configured capture buffer size

• In 12.4T, capture buffers could only be exported to network servers

• Local export was made available in 15.0

• Jumbo frame support (packets over 1024 bytes) was added in 15.0

• Access-list filtering does not match on packets generated by the device itself

• MPLS frames are not currently captured

• Multicast frames are only captured on ingress

Caveats


• Cisco Support Communities tech tip on using EPC

• https://supportforums.cisco.com/docs/DOC-5799

• A similar feature exists on the 6500 and 7600 called “Mini Protocol Analyzer”

• http://tools.cisco.com/squish/4F4eD

• Cisco Support Communities article on Mini Protocol Analyzer

• https://supportforums.cisco.com/docs/DOC-5814

Additional References

For YourReference


http://tools.cisco.com/squish/4F4eD


Configuration Archive and Rollback

Configuration Archive and RollbackAutomation Uses

Configuration Archive and

Rollback

Configuration

Auditing & Security

User Experience

Configuration Archive and Rollback Overview

• Config archive provides a way of storing and managing multiple Cisco IOS configuration versions

• Config rollback provides a way of replacing the current running config with any configuration file

• Hooks exist for comparing configs, and viewing context-sensitive diffs

• Questionable configuration changes can be evaluated and automatically backed out

• Rollbacks are done efficiently and safely by only reapplying commands that have changed


Reference: http://tools.cisco.com/squish/0F4a6

http://tools.cisco.com/squish/0F4a6

archive

path disk0:/configs

maximum 14

time-period 60

write-memory

log config

notify syslog

Router#archive config

Config Archive and RollbackSaving Configuration Files

Path to Store Archived Configs(This Can Be a Network

URL as Well)

Special Values $h and $t Will Be Replaced with the Device’s

Hostname and the CurrentTime Respectively

Maximum Number of Configs to Archive(Between 1 and 14)

Snapshot Config Every Hour(Time-Period Is in Minutes)

Log All Config Changes(Including the ExactCommand Entered)

Router#copy running-config <destination-url>

On the Fly

Archive Config When

write mem Is Executed

The Old Way

Ad-Hoc Snapshots Can Also Be Taken

Router#show archive

There are currently 2 archive configurations saved.

The next archive file will be named disk0:config-archive-3

Archive # Name

0

1 disk0:config-archive-1

2 disk0:config-archive-2 <- Most Recent

3

4

5

6

7

8

9

10

11

12

13

14

Configuration ArchiveViewing Archived Configurations

Router#config t

Enter configuration commands, one per line. End with CNTL/Z.

Router(config)#snmp-server community public ro

Router(config)#snmp-server community private rw

Router(config)#end

Router#config replace disk0:config-archive-1

This will apply all necessary additions and deletions

to replace the current running configuration with the

contents of the specified configuration file, which is

assumed to be a complete configuration, not a partial

configuration. Enter Y if you are sure you want to proceed. ? [no]: yes

Total number of passes: 0

Rollback Done

Configuration Replace and Rollback Configuration


Configuration Rollback Confirmed Change

configure replace target-url [nolock] [list]

[force] [ignorecase] [revert trigger] [error]

[timer minutes]


Reference: http://tools.cisco.com/squish/00746

Add the error– Reverts to the original configuration upon error

New in 12.4(20)T, 12.2(33)SRC, 12.2(33)SB, 12.2(33)SXI

revert trigger timer = time– Reverts to the original configuration if specified time elapses


Configuration Rollback Confirmed Change

configure revert {now | timer {minutes | idle minutes}}

This Is the Only Way to Change the Time from Config Replace

If No Activity for X Minutes, Revert to the Old Config

Router# config terminal revert time 2

Rollback Confirmed Change: Backing up current running config to flash:jclarke-1


Router(config)# hostname Router1

Router1(config)#

(time passes…)

Router(config)#


Reference: http://tools.cisco.com/squish/00746

Critical config change to a remote router may result in loss of connectivity, requiring a reload …


Contextual Configuration Diffs

• View line-by-line comparison of two configuration revisions

• Compare order-sensitive data such as ACLs

• Output lists configuration lines that have been added, removed, or modifiedRouter#show archive config differences nvram:startup-config system:running-

config

Contextual Config Diffs:

+ip http server

+tacacs-server host 172.18.123.33

+tacacs-server directed-request

-no ip http server

-logging 192.168.0.254

Lines in Running-ConfigNot in Startup-Config

Lines in Startup-Config Not in Running Config


Configuration Archive and Rollback

• Free memory must be large enough to hold the current running configuration as well as the replacement configuration

• Physical interface statements cannot be removed from a running configuration

• Certain Cisco IOS configuration commands cannot be fully removed unless the router is reloaded

• Archiving configurations via TFTP is a security risk; opt for FTP or RCP instead

Caveats

Data Collection Manager 2.0

Data Collection Manager 2.0Automation Uses

Data Collection Manager

2.0

Capacity Planning


Diagnostics

Performance Analysis

Data Collection Manager 2.0• Provides a mechanism to collect numerous SNMP object values or CLI command

output at once

• Save or transfer data in bulk to prevent loss during connectivity outages

• Supports proxy collection (useful in NAT scenarios)

• No NMS required!• Data can be analyzed locally• Periodic polling is not required

• Bulk object data can be transferred in binary or ASCII format using a variety of protocols• TFTP• FTP• SCP• Flexible NetFlow

Available from: Cisco IOS 15.2(2)TFeature Guide: http://tools.cisco.com/squish/208ee

http://tools.cisco.com/squish/208ee

Data Collection Manager 2.0Collect Memory Data From SNMP

• Add memory pool objects to the collection list

• Specify all instances to poll, and poll every one minute

• Configure the transfer mechanism

bulkstat data my-memory-objs type snmp

object 1.3.6.1.4.1.9.9.48.1.1.1.2

object 1.3.6.1.4.1.9.9.48.1.1.1.5

object 1.3.6.1.4.1.9.9.48.1.1.1.6

bulkstat instance my-memory-objs type snmp

range start 1 end 5

bulkstat data-group my-memory-group

interval polling 1

collect type snmp data my-memory-objs instance my-memory-objs

bulkstat profile my-memory-profile

file transfer url primary flash:/bulk-memory-data/

file size 10240

interval transfer raw 60

data-group my-memory-group

enable

ciscoMemoryPoolName

ciscoMemoryPoolUsed

ciscoMemoryPoolFree

Instances 1 Through 5

Correspond to All Built-In

Memory Pools (Processor

Through Multibus)

Data Collection Manager 2.0The Results

my-memory-schema: 1303505344, .1, Processor, 49231448, 82409480

my-memory-schema: 1303505344, .2, I/O, 5470528, 7112384




my-memory-schema: 1303505464, .2, I/O, 7112384, 5470528, I/O



Global: NE100, 20110422, 205303, 1997145, 2%, 2%, 2%

Schema-def GLOBAL "%s, %s, %u, %u, %u, %u, %u"

hostname date timeofday sysuptime cpu5min cpu1min cpu5sec

Schema-def my-memory-group "%u, %s, %s, %u, %u"

epochtime instanceOID 1.3.6.1.4.1.9.9.48.1.1.1.2 1.3.6.1.4.1.9.9.48.1.1.1.5

1.3.6.1.4.1.9.9.48.1.1.1.6

Schema Format (%s

Means “String” and

%u Means

“Unsigned Integer”)

Each Block of Two Pools

Is Taken One Minute

Apart

Each Row Shows Instance

Number, Pool Name, Used

Memory, and Free Memory


• DCM as a proxy to other SNMP devices

• Polls devices using SNMP and exports using DCM supported protocols

DCM and NAT

NMS Application

Customer B

Customer A

SNMP

SNMP

DCM Export

DCM Export


• Some objects can be added by name (e.g. ifTable objects like ifDescr, ifInOctets, etc.).

• Most objects must be added by OID

• SNMP Object Navigator provides a great way to translate MIB names to OIDs

• http://tools.cisco.com/squish/7f7ef

MIB Objects vs. Names

http://tools.cisco.com/squish/7f7ef

Data Collection Manager 2.0Collect IPSLA Data From CLI

• Add the IPSLA stats command

• Run the command every 60 seconds to collect the results

• Configure the transfer mechanism

bulkstat data my-ipsla type command

add cmd show ip sla stat 1 det

bulkstat data-group my-ipsla-group

interval polling 60

collect type command data my-ipsla

bulkstat profile my-ipsla-profile

file transfer url primary flash:/my-ipsla-data/

interval transfer raw 60

data-group my-ipsla-group

enable

Data Collection Manager 2.0The Results

GLOBAL: NE100, 20130412, 173059, 176595, 0%, 0%, 0%

my-ipsla-group: 1365802259, "show ip sla stat 1 det", 1, "

IPSLAs Latest Operation Statistics

IPSLA operation id: 1

Latest RTT: 1 milliseconds

Latest operation start time: 17:30:51 EDT Fri Apr 12 2013

Latest operation return code: OK

Over thresholds occurred: FALSE

Number of successes: 4

Number of failures: 0

Operation time to live: Forever

Operational state of entry: Active

Last time this entry was reset: Never

"

Schema-def GLOBAL "%s, %s, %u, %u, %u, %u, %u"

hostname date timeofday sysuptime cpu5min cpu1min cpu5sec

Schema-def my-ipsla-group "%u, %s, %u, %s"

epochtime Command Command-Output-Buffer-Count Command-Output-Buffer-Content

One Platform Kit (onePK)

One Platform Kit (onePK)Automation Uses

One Platform

Kit (onePK)

Provisioning

User Experience


Capacity Planning

Data Customization

One Platform Kit (onePK)

• OnePK is a device-level API for Cisco’s core operating systems

• Enables one to create applications that run on or near Cisco devices

• Provides capabilities to…

• Innovate

• Extend

• Automate

• Customize

• Enhance

• Modify

• …the default behavior of Cisco devices

Overview

Hardware Silicon

IOS | IOS-XE | IOS-XR

Cisco onePK API’s

ApplicationsP

hysic

al D

evic

eOnePK Architecture

DATA PATH

POLICY

ROUTING

ELEMENT

DISCOVERY

UTILITY

DEVELOPER

Packet delivery services to application – e.g. copy, punt, inject

Filtering (NBAR), classification (class-map, policy-map),

actions (marking, policing, queuing), applying policy to interfaces

Read RIB Routes, add/remove routes, receive RIB notifications

CPU/Memory statistics, interface statistics, element and interface

events

Layer 3 topology and local service discovery

Syslog event and path tracing capability

Debug capability and CLI extension (invoke CLI from application)

OnePK Service Sets

C Java Python Rest

Eclipse IDE

NetBeans IDE

Other IDE

OnePK

Supports applications written in C, Java, Python,

or any language that supports REST.

Combine C API with SWIG (http://www.swig.org)

to build bindings in other languages.

IDE = Integrated Development

Environment

Basically what the app developer uses to

develop their programs

**

**

**

Application Development

http://www.swig.org

Router/Switch

ServerService Blade

Runs locally on the device

Router/Switch

Runs on a remote serverRuns on a service blade

OnePK

APPAPP

APP OnePK OnePK

Application Deployment Models

Configuring onePK

Router#show run | section onep

onep

datapath transport gre sender-id 10 interface

GigabitEthernet0/1

transport type tls disable-remotecert-validation

history size 65535 purge old

service set vty

Data Path Service Set

Configuration

History useful for debugging

Optional Service Sets

Okay, Now What…?… Routing For Dollars

router ospf 1

redistribute application <app name> ...

The Topology-Aware Network

1. Connect to a device running the Topology-Aware Network app

2. Issue the custom, “topology send” command

3. Router sends current topology image to user

The whole process takes a few seconds!

TAN onePK app

Router#topology send [email protected]

And Add Location…

All-in-One VM Environment Virtual IOS routers

All onePK SDKs,

including docs,

tutorials, and sample

apps

Check out the onePK DevNet portal to get started

http://developer.cisco.com/web/onepk

http://developer.cisco.com/web/onepk

Agenda

Introduction


Real-World Examples

Key Takeaways

Diagnosing Transient Problems

• Problem: You are seeing VPN tunnel drops on your VPN head-end router at 3:00 am every day. The tunnels continue to flap until the physical interface is reset. You want to analyze the traffic on the wire at that time.

Diagnosing Transient ProblemsDoing Things the Long Way


• Solution: Use Embedded Packet Capture together with Embedded Event Manager to start a capture session at 3:00 am. When the VPN tunnels first go down, stop the capture, and email the binary capture file as a MIME attachment for analysis at a reasonable hour.

Troubleshooting Transient Problems

• Setup EPC to use a circular buffer, and run forever

• EEM will take care of stopping the capture

Configuring EPC

Router#monitor capture point ip cef cappnt Serial2/0 both

Router#monitor capture buffer capbuf size 512 max-size 1518 circular

Router#monitor capture point associate cappnt capbuf

::cisco::eem::event_register_timer cron cron_entry "55 2 * * *"



if { [catch {cli_open} result] } {

error "Failed to open CLI session: '$result'" $errorInfo

}

array set cliarr $result

if { [catch {cli_exec $cliarr(fd) "enable"} result] } {

error "Failed to enable CLI session: '$result'" $errorInfo

}

if { [catch {cli_exec $cliarr(fd) "monitor capture point start cappnt"} result] } {

error "Failed to start packet capture: '$result'" $errorInfo

}

catch {cli_close $cliarr(fd) $cliarr(tty_id)} result

Troubleshooting Transient ProblemsStarting the Capture With EEM

Initiate the Packet

Capture

Start the Capture Five

Minutes Before the

Event

::cisco::eem::event_register_syslog pattern "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac

verify failed"



if { [catch {cli_open} result] } {

error "Failed to open CLI session: '$result'" $errorInfo

}

array set cliarr $result

if { [catch {cli_exec $cliarr(fd) "enable"} result] } {

error "Failed to enable CLI session: '$result'" $errorInfo

}

if { [catch {cli_exec $cliarr(fd) "monitor capture point stop cappnt"} result] } {

error "Failed to start packet capture: '$result'" $errorInfo

}

Troubleshooting Transient ProblemsStopping the Capture With EEM

Stop the Capture

React to a Syslog

Indicating that the

Tunnels Have Detected

a Problem

if { [catch {cli_exec $cliarr(fd) "monitor capture buffer capbuf export flash:vpn.pcap"} result] } {

error "Failed to export capture buffer: '$result'" $errorInfo

}

set email_body_pre "Mailservername: $_email_server

From: $_email_from

To: $_email_to

Cc:

Subject: Email from Router $_router_name

MIME-Version: 1.0

Content-type: multipart/mixed; boundary=\"EEM_email_boundary\"

\n--EEM_email_boundary\n

\n--EEM_email_boundary

Content-Type: application/octet-stream

Content-Transfer-Encoding: Base64

Content-Disposition: attachment; filename=\"vpn.pcap\"\n\n"

if [catch {open "flash:vpn.pcap"} result] {

error "Failed to open flash:vpn.pcap: '$result'" $errorInfo

}

set fd $result

fconfigure $fd –translation binary

set email_b64 [::base64::encode [read $fd]]

close $fd

set email_body_mime "\n--EEM_email_boundary--"

set email_body [format "%s%s%s" $email_body_pre $email_b64 $email_body_mime]

if [catch {smtp_send_email $email_body} result] {

error "Failed to send email: '$result'" $errorInfo

}

Troubleshooting Transient ProblemsSend the Capture File As an Email

Export the Capture

to a File on Flash

Create an Email with

a MIME Header

Send the Email

Adding New SNMP MIB Support

• Problem: We want to be able to monitor and graph information about the number of DHCP leases our IOS-based DHCP server has handed out. However, there is no SNMP object that will give us this count.

http://tools.cisco.com/squish/546e0


• Solution: The EXPRESSION-MIB will give the capability to allow inserting custom data into the value of an SNMP MIB object

– EXPRESSION-MIB can be configured using SNMP directly since 12.0(5)T.

– Initially Cisco Implementation was based on OID 1.3.6.1.4.1.9.10.22 but current Cisco implementation is based on RFC2982-MIB, OID 1.3.6.1.2.1.90.

– In 12.4(20)T EXPRESSION-MIB feature is enhanced to add CLIs to configure expressions.

• EXPRESSION-MIB plus the Embedded Event Manager provide a way to gather data only available via Command Line Interface (CLI), even if there is no MIB support currently available

http://tools.cisco.com/squish/546e0

Grab the output of the show command(s) and store them in the EXPRESSION-MIB

1

Adding New SNMP MIB SupportBackground

SNMP

ManagerSNMP

Agent

2EXPRESSION-

MIB/RFC2982 support

CustomMIB EEM

policy

3

Polling request on our

“Custom-MIB” [MIB Value -

expExpression]

4

5

Adding New SNMP MIB SupportInstalling the EASy Package

Router#easy_installer flash:/easy/custom_mib.tar flash:/easy/custom-mib

The EASy PREFIX is already set to flash:/easy.

Do you want to use flash:/easy/custom-mib as the new EASy package PREFIX? (y/n) [n]

----------------------------------------------------------------

Configure and Install EASy Package 'custom-mib-1.1'

----------------------------------------------------------------

1. Display Package Description

2. Configure Package Parameters

3. Deploy Package Policies

4. Verify Installed Package

5. Exit

Enter option:

Router#sh run | inc easy

alias exec easy_installer tclsh flash:/easy/easy_installer.tcl

Adding New SNMP MIB SupportInstalling the EASY Package

The package is able to extract a value from a show command using a configured regular expression,

and make that value accessible via SNMP using the EXPRESSION-MIB or RFC 2982 MIB depending

on the IOS running.

Hit enter to continue...

Configure EEM Environment Variables for 'custom-mib-1.1'

Enter the frequency with which to run the show command [60]:

Enter the show command to execute [show ip dhcp pool CORP | inc Leased]:

Enter the regular expression to extract the custom value [Leased addresses\s+:\s+(\d+)]:

Enter message to send via syslog if the expression is found [Expression found]:

Enter a local IP address to poll with SNMP [10.48.71.24]:

Enter a read-write SNMP community for this device [private]:

...

…

INFO: Package custom-mib-1.1 successfully installed.

Enter option: 1 [Display Package Description]

Enter option: 2 [Configure Package Parameters]

Enter option: 3 [Deploy Package Policies]

!! if you want to change any parameter, you might

need to reinstall the package or manually modify

the environment variable and run “event manager

update user policy name POLICY_NAME”


Verifying the Installation

Router#easy_installer --list

EASy packages installed:

custom-mib-1.1 Make a custom value accessible via SNMP

Hit enter to continue...

Router#easy_installer --uninstall --prefix flash:/easy/custom-mib

--pkgname custom-mib

Uninstalling custom-mib...DONE!

INFO: Uninstall of custom-mib completed successfully.

Listing the installed packages

Uninstalling the package


Verifying the Installation

Router#sh run | inc envir

event manager environment __easy_PREFIX flash:/easy/custom-mib1

event manager environment countdown_entry 60

event manager environment match_cmd show ip dhcp pool CORP | inc Leased

event manager environment match_pattern Leased addresses\s+:\s+(\d+)

event manager environment nok_msg Expression found

event manager environment ip_address 10.48.71.24

event manager environment rw_community private

event manager environment custom-mib_mode SNMP_EXPRESSION

Router# show event manager policy registered

No. Class Type Event Type Trap TimeRegistered Name

1 script user timer watchdog Off Tue Apr 16 .. tm_customMIB_SNMP_ExpressionMIB.tcl

name {watchdog} time 60.000

nice 0 queue-priority normal maxrun 240.000 scheduler rp_primary

Verifying the variables

Verifying registered scripts

via CLI - show management expression

via SNMP - Custom-MIB OID is customized, indexed by the owner and Expression name

NMS% snmpwalk -c public -v 2c Router 1.3.6.1.2.1.90

SNMPv2-SMI::mib-2.90.1.2.1.1.3.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = STRING: "50"

SNMPv2-SMI::mib-2.90.1.2.1.1.4.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = INTEGER: 1

SNMPv2-SMI::mib-2.90.1.2.1.1.5.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = ""


SNMPv2-SMI::mib-2.90.1.2.1.1.7.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = OID: SNMPv2-SMI::zeroDotZero

SNMPv2-SMI::mib-2.90.1.2.1.1.8.5.99.105.115.99.111.7.99.117.115.116.111.109.49 = Counter32: 0


SNMPv2-SMI::mib-2.90.1.3.1.1.2.5.99.105.115.99.111.7.99.117.115.116.111.109.49.0.0.0 = Counter32: 50

Router#sh ip dhcp pool CORP | inc Leased

Leased addresses : 50

Current index IP address range

Leased addresses

Router#

Adding New MIB Objects to IOSPolling the New Object

1.3.6.1.2.1.90.1.2.1.1.3.5.99.105.115.99.111.7.99.117.115.116.111.109.49$exp_owner=cisco(5) $exp_name=custom1(7)

length($exp_name)length($exp_owner)

Read-Only community string Hostname or IP address of our

device

expExpression

1.3.6.1.2.1.90.1.2.1.1.3

expValueCounter32Val

1.3.6.1.2.1.90.1.3.1.1.2

Customizing Syslog Messages

• Problem: A service provider has a customer that would like to be notified when the URL filtering policies configured on their leased equipment block a specific site. Only this customer is in Argentina, and they would like to see the syslog and email notifications in Spanish.


1. Match the specific message type to be translated and extract the variable parameters

2. Insert the parameters into the new message and send it to the customer’s syslog destination

3. Format the syslog output into an email message and send that to the customer’s Network Operations Team

4. Pass the untranslated message to the SP’s syslog destination

Translating Text and Enhancing Delivery

Managing Syslog Events

• Solution: Use Embedded Syslog Manager to intercept the outgoing syslog messages and modify the message as it goes to the customer’s syslog server. The modified message will be translated into Spanish. Additionally, ESM will send a summary email in Spanish based on the original syslog.


Customer’s NOC

SP’s NOC

Router Sends URLF-4-SITE_BLOCKEDMessage

Spanish version


• Extract parameters from the URLF-4-SITE_BLOCKED message and insert them into the translated message

Translating Syslogs – The Code

set msg_args [split $::msg_args]

set fw_policy [lindex $msg_args 0]

set url [lindex $msg_args 1]

set source_ip [lindex $msg_args 2]

set source_port [lindex $msg_args 3]

set dest_ip [lindex $msg_args 4]

set dest_port [lindex $msg_args 5]

if { [regexp {Tracing the route to ([A-Za-z._-]+)} [exec traceroute ip $source_ip timeout 1

probe 1 ttl 1 1] match regex_result] } {

set hostinfo $regex_result

} else {

set hostinfo "\[No disponible]"

}

set ::orig_msg [format "\n%s: Se ha denegado el acceso http al sitio '%s' (IP %s) al

usuario '%s' (IP %s)" $::timestamp $url $dest_ip $hostinfo $source_ip]


• Send a localized email summary of the syslog event to the customer’s NOC

Translating Syslogs – The Code (cont.)

set custom_msg [format "\n%s: Se ha denegado el acceso http al sitio '%s' (IP %s) al

usuario '%s' (IP %s)" $::timestamp $url $dest_ip $hostinfo $source_ip]

# Mail Form (Subject and Body)

set email_subject "Politica de Filtrado URL: Router $::hostname ha detectado una violacion

en las Politicas de Seguridad Corporativas”

set email_body [format "%s" "Reporte :”]

set email_body [format "%s\n\n%s" "$email_body"

"********************************************************************************"]

set email_body [format "%s\n\n%s" "$email_body" "Detalle de Evento"]

set email_body [format "%s\n\n%s" "$email_body"

"********************************************************************************"]

set email_body [format "%s\n%s" "$email_body" "$custom_msg”]

email::sendmessage $::cli_args $email_subject $email_body


• Define the ESM filter• logging filter flash:/customer_trans_es.tcl args

[email protected]

• Add the customer’s syslog server as a logging host, and pass all messages through the translation filter• logging host 172.18.123.33 filtered

• Add the SP’s syslog server as an unfiltered destination• logging 192.168.131.3

Translating Syslogs – Configuring the Router

Router#show logging

…

Filter modules:

flash:/customer_trans_es.tcl args [email protected]

Trap logging: level debugging, 103 message lines logged

Logging to 192.168.131.3 (udp port 514, audit disabled), 24 message

lines logged, xml disabled,

filtering disabled

Logging to 172.18.123.33 (udp port 514, audit disabled), 24 message

lines logged, xml disabled,

filtering enabled


Verifying the Router Configuration

Translating Syslogs

Applying Configuration Changes

• Problem: Applying configuration changes to remote routers can cause lockouts; when console access is not available, someone needs to reload these devices


• Applying a configuration change such as an access-list could result in being locked out of the router

• If console access is available, configuration changes can be deployed using the console to avoid network problems

• If no out-of-band access is available, then a reload* is necessary to undo the problematic config change

Applying a Change To a Remote Router

* Or reload {at|in}


Doing Things the Hard Way

Now the Router Must Be Reloaded

Access-List Change


• Solution: Use config rollback to automatically back out the config change after a certain amount of time

Using Config Rollback

• Replace the running configuration with the latest good archive after two minutes unless the change being made is confirmed

Router#show archive

There are currently 3 archive configurations saved.

The next archive file will be named disk0:/config-archive-4

Archive # Name

0

1 disk0:/config-archive-1

2 disk0:/config-archive-2

3 disk0:/config-archive-3 <- Most Recent

Router#config replace disk0:/config-archive-3 time 2


• Apply the potentially problematic configuration change

Router#config t


Router(config)#int pos4/0

Router(config-if)#ip access-group 113 in


• If the configuration was successful, apply the changes• Router#config confirm

• If the config changes caused the user to be locked out, the router will automatically revert to the last saved archive configuration after two minutes, and connectivity will be restored

Agenda

Introduction


Real-World Examples

Key Takeaways

Key Takeaways

• The Tcl 8.3.4 interpreter embedded into Cisco IOS can be used for many purposes- Custom command creation

- Automated device configuration- Building other embedded tools

• Embedded Event Manager provides a way for the router to monitor itself for potential problems, and act accordingly

• Use the Embedded Syslog Manager to filter and prioritize critical log messages

• The Embedded Packet Capture tool enables one to capture data that passes though, comes from, or comes to a device

Key Takeaways

• Config archive and rollback provides configuration change history as well as the ability to back out problem configuration changes

• Data Collection Manager 2.0 streamlines bulk SNMP and CLI data retrieval and export

• OnePK provides a consistent API across multiple operating systems for building custom features and robust access to network subsystems

• Use the scripts, features and examples to build operations and tools that work for you

• All scripts from this session are available online at http://www.marcuscom.com/BRKNMS-3021.zip

http://www.marcuscom.com/BRKNMS-3021.zip

Join Cisco Support Communities!

• Free for anyone with Cisco.com registration

• Get timely answers to your technical questions

• Find relevant technical documentation

• Engage with over 200,000 top technical experts

• Seamless transition from discussion to TAC Service Request (Cisco customers and partners only)

supportforums.cisco.com

supportforums.cisco.mobi

The Cisco Support Community is your one-stop

community destination from Cisco for sharing

current, real-world technical support knowledge

with peers and experts.

Documents

Discussions

Blogs

VideoAsk the Expert

Mobile

Recommended ReadingBRKNMS-3021

# ISBN-13: 978-0130385604

# ISBN-13: 978-0596528126

# ISBN-13: 978-0596007645

# ISBN-13: 978-1587059452

# ISBN-13: 978-1-4419-6769-5

And Remember…

Cisco IOS Can Be the Best Tool in Your Network

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle (@ChrisKodadek)

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner

http://bit.ly/CLUSwin

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you

Advanced Cisco IOS Device Instrumentation · Advanced Cisco IOS Device Instrumentation ... •...

Documents

Transcript of Advanced Cisco IOS Device Instrumentation · Advanced Cisco IOS Device Instrumentation ... •...