EEM to disable netflow Export

Answered Question
Dec 29th, 2009

Hi All,

I've been having an issue with my Cellular backup connection at my branches. The way it is set up, if the T1 goes down, the Cellular interface comes online and establishes a VPN connection. That part works fine, but after 2-3 minutes, the Cellular interface goes down. I did my homework and worked with Verizon and we determined it is my Netflow packets that are causing IP Source validation errors. Verizon has their service configured such that if any packets leave my router not sourced from the IP assigned to me OR destined for a private IP range, they axe the PPP session. I disabled netflow export and brought up the backup connection and it ran like a champ, no drops. Using IOS 12.4(24)T1. I went around and around with various TAC departments and finally found my issue:


CSCef28662

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef28662



Turns out I can't encrypt the netflow packets to go across the VPN. I was thinking about using EEM to disable flow export when the T1 drops and then re-enable it when the T1 comes back online. I've tested this on one of my test routers:


event manager applet disableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to down"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "no ip flow-export destination <IP> 2055"
action 1.3 syslog msg "Flow Disabled"
event manager applet enableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to up"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "ip flow-export destination <IP> 2055"
action 2.5 syslog msg "Flow Enabled"
!
end


I've done shut / no shut on loopback59 and the applets function as expected (YAY!). I will update the Loopback59 part to resemble my actual T1 interface later when I put this into production.

Question 1:

Is there a way I can combine the functionality I'm looking for into a single script? Or should I leave it as two separate ones?

Question 2:

I noticed that the actions can be numbered as decimals. Does that mean they rely on the previous ones?

I.e. Command 1.1 relies on Command 1.0 being successful.

Jon Marshall Tue, 12/29/2009 - 14:37

To get a quick answer to this you should move this post to Network Management, where Joe Clarke, the Cisco expert on all things EEM, hangs out. You can move the post using the Actions link in the right-hand side box.


Jon

Marwan ALshawi Tue, 12/29/2009 - 16:15

1. I would suggest you leave them separate because each one works on a different event.

2. The sequence number is important in terms of the order in which the actions are applied.

For example, if you put it like

action 2.0 cli command "enable"

action 1.0 cli command "config t"

the EEM will sort it sequentially, and then the conf t will be executed before enable and you will get a problem.



good luck

if helpful Rate

Correct Answer
Joe Clarke Wed, 12/30/2009 - 19:08

1. You could combine this into one policy given that you are running IOS 12.4(24)T1.  However, your current policies might be easier for you to maintain moving forward.  To combine the two, you would need to use regexp:


event manager applet netflow-toggle
event syslog pattern "Line protocol on Interface Loopback59, changed state to"
action 001 regexp "changed state to (down|up)" $_syslog_msg ignore state
action 002 if $state eq "down"
action 003   set newmsg "Flow Disabled"
action 004   set command "no ip flow-export destination <IP> 2055"
action 005 else
action 006   set newmsg "Flow Enabled"
action 007   set command "ip flow-export destination <IP> 2055"
action 008 end
action 009 cli command "enable"
action 010 cli command "config t"
action 011 cli command "$command"
action 012 cli command "end"
action 013 syslog msg "$newmsg"


2. Action labels are actually strings, and are executed in lexicographical or dictionary order.  Therefore "action 10.0" will be executed after "action 1.0" and not after "action 9.0".
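
Added example, not part of Joe Clarke's answer or the original thread: a small Python check of the label-ordering rule in point 2, which lists the order an applet's actions would run in and flags labels whose string order disagrees with their numeric reading. It assumes EEM's dictionary order matches plain ASCII string comparison; the sample applet and all function names are constructed for illustration.

```python
import re

ACTION_RE = re.compile(r"^\s*action\s+(\S+)\s+(.*)$")

# Constructed sample applet (not from the thread); <IP> is a placeholder.
SAMPLE = '''\
event manager applet demo
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 9.0 cli command "no ip flow-export destination <IP> 2055"
 action 10.0 cli command "end"
 action 11.0 syslog msg "Flow Disabled"
'''

def parse_actions(applet_text):
    """Return [(label, body)] in the order the lines were typed."""
    found = (ACTION_RE.match(line) for line in applet_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def execution_order(actions):
    """Sort by label as a string; assumed to model EEM's dictionary order."""
    return sorted(actions, key=lambda a: a[0])

def label_surprises(applet_text):
    """Adjacent labels in run order whose numeric reading is reversed."""
    run = [label for label, _ in execution_order(parse_actions(applet_text))]
    surprises = []
    for earlier, later in zip(run, run[1:]):
        try:
            if float(earlier) > float(later):
                surprises.append((earlier, later))
        except ValueError:
            continue  # non-numeric labels have no numeric reading
    return surprises

def renumber(applet_text):
    """Relabel numerically ordered actions with zero-padded labels, so
    string order and numeric order agree (assumes numeric labels)."""
    ordered = sorted(parse_actions(applet_text), key=lambda a: float(a[0]))
    width = max(3, len(str(len(ordered))))
    return [f"action {i:0{width}d} {body}" for i, (_, body) in enumerate(ordered, 1)]

if __name__ == "__main__":
    for label, body in execution_order(parse_actions(SAMPLE)):
        print(label, body)
    print(label_surprises(SAMPLE))
    print("\n".join(renumber(SAMPLE)))
```

In the sample, "end" and the syslog message would run before "config t", which is why fixed-width labels such as 001 to 013 in the combined applet above are the safer habit.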

Marwan ALshawi Wed, 12/30/2009 - 19:28

Joe, you are the expert of EEM and TCL,

and this one was a very nice example.


Happy new year to you guys.
