EEM script to detect WAN flapping event

Answered Question
Apr 15th, 2009

I need an EEM script to place an ACL on the WAN when the link is flapping to block the router from reaching the CM server for a period of about 20 minutes.


My requirement is to setup a flag which will have a counter incrementing for each Link flap detection(“%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel128, changed state to down”). this will ensure that this is not a single flap event, but more like a link flapping 2-3 times in 2 minutes, which will indicate a WAN link flapping.


if this happens, I want to use EEM script to apply a predefined acl on the wan interface. this acl basically blocks the gateway and phones from reaching the call manager servers in the central site.

I needs a timer then enabled to leave the acl on for 20 minutes.


after 20 minutes, through EEM remove the acl, and reset the flag to 0.

Correct Answer by Joe Clarke about 7 years 10 months ago

This policy does not work. The syslog pattern is wrong, and the policy does nothing except add an applet policy, acl_apply which only has an event detector registration line. What you really want is:


event manager applet test

event syslog occurs 3 period 180 pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel128, changed state to down"

action 0.1 syslog msg "Policy triggered; configuring ACL $wan_flap_acl on $wan_flap_interface"

action 0.5 cli command "enable"

action 0.6 cli command "config t"

action 1.0 cli command "interface $wan_flap_interface"

action 1.1 cli command "ip access-group $wan_flap_acl $wan_flap_acl_direction"

action 1.2 cli command "exit"

action 2.0 cli command "event manager applet wan-flap-acl-remove"

action 2.1 cli command "event timer countdown time $wan_flap_hold_time"

action 2.2 cli command "action 0.5 cli command \"enable\""

action 2.3 cli command "action 1.0 cli command \"config t\""

action 2.4 cli command "action 2.0 cli command \"interface $wan_flap_interface\""

action 2.5 cli command "action 3.0 cli command \"no ip access-group $wan_flap_acl $wan_flap_acl_direction\""

action 2.6 cli command "action 4.0 cli command \"exit\""

action 2.7 cli command "action 5.0 cli command \"event manager policy sl_wan_flap_watch.tcl\""

action 2.8 cli command "action 6.0 cli command \"no event manager applet wan-flap-acl-remove\""

action 2.9 cli command "action 7.0 cli command \"end\""

action 3.0 cli command "action 8.0 syslog msg \"Removed ACL $wan_flap_acl from interface $wan_flap_interface\""

action 3.1 cli command "exit"

action 3.2 cli command "no event manager policy sl_wan_flap_watch.tcl"

action 3.3 cli command "end"


This is the general policy to which I referred. It is designed to be part of an embedded management program called EASy, and is part of an IP SLA monitoring package I am testing.


The other main downside of the applet approach is that you cannot dynamically configure the event detector. With Tcl, you can use environment variables in the event detector registration.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Joe Clarke Wed, 04/15/2009 - 19:49

This policy should do what you want. It requires quite a few environment variables which you can see in the code. For example, the following variable values may suit your needs:


event manager environment wan_flap_pattern LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel128, changed state to down


event manager environment wan_flap_occurs 3


event manager environment wan_flap_period 120


event manager environment wan_flap_interface Tunnel128


event manager environment wan_flap_acl 113


event manager environment wan_flap_acl_direction in


event manager environment wan_flap_hold_time 1200



yjdabear Fri, 04/17/2009 - 10:43

Can this conceivably be accomplished with EEM applets only?

Joe Clarke Fri, 04/17/2009 - 11:23

This particular policy, yes. I had a more complex version which allowed for customizable CLI commands to be written. I simply modified that version. I also think using a Tcl policy overcomes a common pitfall with applets where the action numbering is not done properly.

yjdabear Fri, 04/17/2009 - 11:29

I was thinking along the lines of:


event manager applet test

event syslog occurs 3 period 180 pattern "*LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel128, changed state to down"

action 1.0 cli command "enable"

action 1.1 cli command "conf t"

action 1.2 cli command "event manager applet acl_apply"

action 1.3 cli command "event timer countdown time 1200 name 20mins"

action 1.4 cli command "event manager applet acl_remove"

action 1.5 cli command "exit"


Would the above perform the 20-min countdown and apply the ACLs, as specified?


Could you post that customizable version of your Tcl policy for our enlightenment?


Also, I'm curious about the possible techniques of picking up the interface dynamically (Tunnel128 in this case) to apply the ACL against, from the syslog message, either with EEM applet(s) and/or Tcl policy.

Correct Answer
Joe Clarke Fri, 04/17/2009 - 21:27

This policy does not work. The syslog pattern is wrong, and the policy does nothing except add an applet policy, acl_apply which only has an event detector registration line. What you really want is:


event manager applet test

event syslog occurs 3 period 180 pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel128, changed state to down"

action 0.1 syslog msg "Policy triggered; configuring ACL $wan_flap_acl on $wan_flap_interface"

action 0.5 cli command "enable"

action 0.6 cli command "config t"

action 1.0 cli command "interface $wan_flap_interface"

action 1.1 cli command "ip access-group $wan_flap_acl $wan_flap_acl_direction"

action 1.2 cli command "exit"

action 2.0 cli command "event manager applet wan-flap-acl-remove"

action 2.1 cli command "event timer countdown time $wan_flap_hold_time"

action 2.2 cli command "action 0.5 cli command \"enable\""

action 2.3 cli command "action 1.0 cli command \"config t\""

action 2.4 cli command "action 2.0 cli command \"interface $wan_flap_interface\""

action 2.5 cli command "action 3.0 cli command \"no ip access-group $wan_flap_acl $wan_flap_acl_direction\""

action 2.6 cli command "action 4.0 cli command \"exit\""

action 2.7 cli command "action 5.0 cli command \"event manager policy sl_wan_flap_watch.tcl\""

action 2.8 cli command "action 6.0 cli command \"no event manager applet wan-flap-acl-remove\""

action 2.9 cli command "action 7.0 cli command \"end\""

action 3.0 cli command "action 8.0 syslog msg \"Removed ACL $wan_flap_acl from interface $wan_flap_interface\""

action 3.1 cli command "exit"

action 3.2 cli command "no event manager policy sl_wan_flap_watch.tcl"

action 3.3 cli command "end"


This is the general policy to which I referred. It is designed to be part of an embedded management program called EASy, and is part of an IP SLA monitoring package I am testing.


The other main downside of the applet approach is that you cannot dynamically configure the event detector. With Tcl, you can use environment variables in the event detector registration.



yjdabear Fri, 06/12/2009 - 13:26

The intention was to have that applet call the two other applets named acl_apply and acl_remove, respectively.

moin.tirmizi Thu, 06/11/2009 - 18:09

Thanks Joe for your help in getting this script working for my screnario.

Actions

This Discussion