EEM w/ TCL for CoPP

Answered Question

Hi all,

I'm in the process of deploying CoPP on our 6500's running 122-33.SXI code - several of which are utilizing VSS capabilities. I'm having some troubles with the TCL script (see attached). The script is outputing to the CSV file in disk0, but there are no packets/bytes output, only date/time.

Any thoughts? Thanks.

I have this problem too.
0 votes
Correct Answer by Joe Clarke about 7 years 4 months ago

I use vim on FreeBSD.

As for sending a notification when a policy is exceeded, just execute the required action based on a comparison with the current bytes/packets value. If you plan on sending email, you'll also want to import the ::cisco::lib::* namespace.

Beyond that, I'm not sure what you're looking for.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Joe Clarke Wed, 07/08/2009 - 10:05

There appears to be an issue with your editor. Look at line 51. The character before "inline" shows up as <96> for me instead of '-'. I think the attached policy will do what you want.

Correct Answer
Joe Clarke Wed, 07/08/2009 - 16:09

I use vim on FreeBSD.

As for sending a notification when a policy is exceeded, just execute the required action based on a comparison with the current bytes/packets value. If you plan on sending email, you'll also want to import the ::cisco::lib::* namespace.

Beyond that, I'm not sure what you're looking for.

Joe Clarke Mon, 07/13/2009 - 09:35

What do you mean by formatting? What have you tried so far? The actual code will just be a numeric comparison:

if { $current_val >= $threshold } {

# fire notification

}

I'm not up to par on scripting, the variables used etc...this is my first go at it.

Would the above code be located immediately following this:

if [catch {cli_exec $cli(fd) "show policy-map control-plane"}\

result] {

error $result $errorInfo

} else {

set cmd_output $result

}

if [catch {cli_close $cli(fd) $cli(tty_id)} result] {

error $result $errorInfo

}

if { $current_val >= $threshold } {action_syslog priority notice msg "Test Message"

}

Joe Clarke Mon, 07/13/2009 - 09:57

Well, you have to pull out the current value from the "show policy-map control-plane" command. You've already done that in your current policy. The value of threshold can be set as an environment variable. For example:

event manager environment copp_bytes_threshold 1000

Then, since the bytes and packets values are most likely counters (I don't have a router with CoPP enabled), you'll need to do some math on current and previous byte values. For example:

set current_val [expr [expr $current_bytes - $prev_bytes] / $EEM_COPP_BASELINE_INTERVAL]

Where $current_bytes is the current byte value extracted from the "show policy-map control-plane" command, and $prev_bytes is the previous byte value retrieved from the saved context.

Yeah, I'm trying to match on the 5-min avg bps, although there are also total bytes, 30-s bytes, peak bytes, and peak bps fields within the output.

I've set the threshold to 1000 (very low for testing), and included the 'set' statement as seen above. Do I not need to add an action statement in such as this:

set current_val [expr [expr $current_bps - $prev_bps] / $EEM_COPP_BASELINE_INTERVAL]

action_syslog msg "CoPP Threshold Exceeded"

I've attached the script with this added code --- I'm still missing something.

Joe Clarke Mon, 07/13/2009 - 11:20

What does the output of the show policy-map control-plane look like?

Joe Clarke Mon, 07/13/2009 - 12:51

Your code will not work given this output. First, your script is not extracting the bps values, but rather the raw byte and packet counters. You would need to adjust your regular expression to pull out the bps values.

Second, since you have multiple class-maps applied, you will probably want to check each class-map bps value against your threshold. So the test for threshold violation would have to be done in the loop which iterates over your regexp matches.

Finally, since you are using bps instead of raw counters, you don't need to do any math. Just check the bps values directly to the threshold. For example:

if { $bps >= $copp_bps_threshold } {

action_syslog msg "CoPP Threshold Exceeded"

}

Of course, you may also want to include the policy-map name within the syslog message.

Joe Clarke Tue, 07/14/2009 - 12:39

The regular expression "class-map: 5..." doesn't match anything in the previously provided output.

If it were me, I'd probably go with the algorithm in the attached example Tcl script to extract the bps values for each class-map. You can run this script using tclsh or IOS or on a host to get an idea of how it works. Then you can adapt the code to your EEM policy.

Attachment: 
Joe Clarke Fri, 08/14/2009 - 12:09

And here is a version which will send out a syslog message if a class's bps value exceeds a pre-defined threshold. Set the EEM environment variable EEM_COPP_BASELINE_THRESHOLD to be the desired bps threshold.

Actions

This Discussion