cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1543
Views
5
Helpful
18
Replies

EEM w/ TCL for CoPP

josh.carlson
Level 1
Level 1

Hi all,

I'm in the process of deploying CoPP on our 6500's running 122-33.SXI code - several of which are utilizing VSS capabilities. I'm having some troubles with the TCL script (see attached). The script is outputing to the CSV file in disk0, but there are no packets/bytes output, only date/time.

Any thoughts? Thanks.

1 Accepted Solution

Accepted Solutions

I use vim on FreeBSD.

As for sending a notification when a policy is exceeded, just execute the required action based on a comparison with the current bytes/packets value. If you plan on sending email, you'll also want to import the ::cisco::lib::* namespace.

Beyond that, I'm not sure what you're looking for.

View solution in original post

18 Replies 18

josh.carlson
Level 1
Level 1

& Here is a screenshot of the output:

Joe Clarke
Cisco Employee
Cisco Employee

There appears to be an issue with your editor. Look at line 51. The character before "inline" shows up as <96> for me instead of '-'. I think the attached policy will do what you want.

Thanks Joe. That did the trick. For some reason 96 isn't showing in my editor. Which editor do you use?

I would like to further adjust this EEM policy to send a trap and/or syslog message when a class-map within the CoPP policy begins having packets exceed the allowed police rate. Thoughts on that? Thanks.

I use vim on FreeBSD.

As for sending a notification when a policy is exceeded, just execute the required action based on a comparison with the current bytes/packets value. If you plan on sending email, you'll also want to import the ::cisco::lib::* namespace.

Beyond that, I'm not sure what you're looking for.

Thanks Joe. That's exactly what I would like to do. Can you help me with the configuration within the script? I can't seem to get the correct formatting. Thanks.

What do you mean by formatting? What have you tried so far? The actual code will just be a numeric comparison:

if { $current_val >= $threshold } {

# fire notification

}

I'm not up to par on scripting, the variables used etc...this is my first go at it.

Would the above code be located immediately following this:

if [catch {cli_exec $cli(fd) "show policy-map control-plane"}\

result] {

error $result $errorInfo

} else {

set cmd_output $result

}

if [catch {cli_close $cli(fd) $cli(tty_id)} result] {

error $result $errorInfo

}

if { $current_val >= $threshold } {action_syslog priority notice msg "Test Message"

}

Well, you have to pull out the current value from the "show policy-map control-plane" command. You've already done that in your current policy. The value of threshold can be set as an environment variable. For example:

event manager environment copp_bytes_threshold 1000

Then, since the bytes and packets values are most likely counters (I don't have a router with CoPP enabled), you'll need to do some math on current and previous byte values. For example:

set current_val [expr [expr $current_bytes - $prev_bytes] / $EEM_COPP_BASELINE_INTERVAL]

Where $current_bytes is the current byte value extracted from the "show policy-map control-plane" command, and $prev_bytes is the previous byte value retrieved from the saved context.

Yeah, I'm trying to match on the 5-min avg bps, although there are also total bytes, 30-s bytes, peak bytes, and peak bps fields within the output.

I've set the threshold to 1000 (very low for testing), and included the 'set' statement as seen above. Do I not need to add an action statement in such as this:

set current_val [expr [expr $current_bps - $prev_bps] / $EEM_COPP_BASELINE_INTERVAL]

action_syslog msg "CoPP Threshold Exceeded"

I've attached the script with this added code --- I'm still missing something.

What does the output of the show policy-map control-plane look like?

I've attached the output.

Your code will not work given this output. First, your script is not extracting the bps values, but rather the raw byte and packet counters. You would need to adjust your regular expression to pull out the bps values.

Second, since you have multiple class-maps applied, you will probably want to check each class-map bps value against your threshold. So the test for threshold violation would have to be done in the loop which iterates over your regexp matches.

Finally, since you are using bps instead of raw counters, you don't need to do any math. Just check the bps values directly to the threshold. For example:

if { $bps >= $copp_bps_threshold } {

action_syslog msg "CoPP Threshold Exceeded"

}

Of course, you may also want to include the policy-map name within the syslog message.

Okay, here is what I have thus far. Still having issues. Thanks for your patience with me on this Joe.

The regular expression "class-map: 5..." doesn't match anything in the previously provided output.

If it were me, I'd probably go with the algorithm in the attached example Tcl script to extract the bps values for each class-map. You can run this script using tclsh or IOS or on a host to get an idea of how it works. Then you can adapt the code to your EEM policy.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco