
Using SNMP traps to trigger EEM Applets

jschweng
Level 1

We need to be able to change the allowable line rate going into a switch from a Linux Mgt Server using SNMP. Was trying to use EEM applets which would be triggered via SNMP traps from the server. We need to change it up to ten different rates. I can't seem to get the applets to trigger. Any help would be appreciated - thanks.

class-map match-all CLASS_SLAP
match access-group name ACL_SLAP
!!
policy-map OCA-RATE-LIMIT
class CLASS_SLAP
  police 1900000 100000 exceed-action drop

interface GigabitEthernet1/0/20
switchport access vlan 10
switchport mode access
speed 100
duplex full
service-policy input OCA-RATE-LIMIT

snmp-server community <removed> RO 98
snmp-server community <removed> RW 99
snmp-server host <IP> version 2c <removed> snmp
snmp-server host <IP> version 2c <removed>
snmp-server host <IP> version 2c <removed>
snmp-server host <IP> version 2c <removed>
snmp-server host <IP> version 2c <removed>
snmp-server manager

event manager applet OCA-limit-3M
event snmp-object oid 1.9.9.9.3 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.3.0
action 7.0 exit 1
event manager applet OCA-limit-6M
event snmp-object oid 1.9.9.9.6 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.26.0
action 7.0 exit 1
event manager applet OCA-limit-7M
event snmp-object oid 1.9.9.9.7 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 7000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.7.0
action 7.0 exit 1
event manager applet OCA-limit-8M
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 8000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.8.0
action 7.0 exit 1
event manager applet TESTTEST
event none
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 1900000 100000 exceed-action drop"
action 7.0 exit 1
!
end

1 Accepted Solution


Chokes how?  This should (and does) work.  The value of the _cli_result variable will always hold the output of the last CLI command executed.


Joe Clarke
Cisco Employee

What you want to do is very possible (and I even wrote some internal documentation on this), but you have it configured incorrectly.  You have configured your policies to trigger off of SNMP polling operations (i.e. SNMP GET and SET requests), and not to trigger off of SNMP traps received by the device.  I will convert one for you, and that should give you the insight into what to do on the others.

event manager applet OCA-limit-3M

event snmp-notification oid 1.9.9.9. oid-val 3 op eq src-ip-address ADDR
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 6.0 cli command "end"

But, this is actually sub-optimal.  You could consolidate all of these applet policies into one.  Say you generate a trap with a varbind 1.9.9.9.1=1.  You then have two other varbinds, 1.9.9.9.2 and 1.9.9.9.3.  The .2 varbind contains the bits per second whereas the .3 varbind contains the burst rate.  Your new, unified policy would be:

event manager applet adjust-qos
event snmp-notification oid 1.9.9.9.1 oid-val 1 op eq src-ip-address ADDR
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command "police $_1_9_9_9_2 $_1_9_9_9_3 exceed-action drop"
action 6.0 cli command "end"

In both cases, ADDR is the IP address of the Linux box which will send the trap.

Joe - Thank you so much for the response. I've been trying to get this working but no joy so far - but very close though. I can get the applets to trigger via SNMP GETS. The problem I am having is what oid to use to do the gets. I tried to set it up using 1.9.9.9.3 to 1.9.9.9.25 for the different applets. Some of them worked, some of them caused my switch to crash. Not sure what's going on there.

Is sending Traps preferred over sending GETS to trigger the applets? If you have any documentation that would be very helpful.

Sincerely

Jeffrey Watson

Lockheed

I would STRONGLY encourage you to use traps over GET requests for now.  There is a bug when EEM and the snmp-object ED which I filed that will be fixed in an upcoming 15.x release.  Until then, GETs can be problematic.

If you follow my example in this thread, it should be easy to get traps to work.  Use the Net-SNMP snmptrap command to generate the traps with the customer OID varbinds.

Joe - Thanks - Will look at setting up for TRAPS instead of GETS. That's good to know.

If we use TRAPS then do we have to use an oid that is a standard MIB or can we use 1.9.9.9?

I'm not sure I can send a trap that isn't a standard MIB.

I'm sending the trap - it's hitting the switch. In the log I keep getting this message

fh_fd_snmp_proxy_incoming_trap_msgs:  trap received NO match src ip addr dest I/F Vlan 2, dest ip address

It's not triggering the event - any ideas?

Make sure you have the SNMP Manager enabled on your device.  Configure:

snmp-server manager

If it's still not working, post your new running config.

You can with Net-SNMP's snmptrap command.  For example:

snmptrap -v 1 -c public 172.18.123.33 enterprises.cisco 10.32.100.91 1 0 '' .1.9.9.9.1 i 1 .1.9.9.9.2 i 3000000 .1.9.9.9.3 i 100000
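
An added example, not part of the original thread: the unified adjust-qos applet substitutes the trap's .2 and .3 varbinds directly into the police command, so the sending side can check both values before the trap leaves the management server. The addresses, community string and burst bounds are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): validate the values that the unified
# "adjust-qos" applet will paste into its "police" command before sending.
SWITCH="192.0.2.10"     # constructed address of the switch
AGENT="192.0.2.20"      # constructed address of the Linux server (ADDR)
COMMUNITY="CHANGEME"    # placeholder community string
ALLOWED_RATES="1900000 3000000 6000000 7000000 8000000"  # bps, from the thread
BURST_MIN=8000          # assumed bounds; set them to what your platform accepts
BURST_MAX=1000000

# is_uint VALUE: true only for 1-9 decimal digits, so no spaces, signs or
# CLI keywords can ride along in a varbind.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 9 ]
}

# validate_police RATE BURST: 0 if both values are safe to send,
# 2 = not a number, 3 = rate not on the allow-list, 4 = burst out of range.
validate_police() {
    is_uint "$1" && is_uint "$2" || return 2
    case " $ALLOWED_RATES " in
        *" $1 "*) ;;
        *) return 3 ;;
    esac
    [ "$2" -ge "$BURST_MIN" ] && [ "$2" -le "$BURST_MAX" ] || return 4
    return 0
}

# trap_cmdline RATE BURST: print the command that would be run (dry run).
trap_cmdline() {
    validate_police "$1" "$2" || return $?
    printf "snmptrap -v 1 -c %s %s enterprises.cisco %s 1 0 '' .1.9.9.9.1 i 1 .1.9.9.9.2 i %s .1.9.9.9.3 i %s\n" \
        "$COMMUNITY" "$SWITCH" "$AGENT" "$1" "$2"
}

# send_trap RATE BURST: send the trap only after validation (needs Net-SNMP).
send_trap() {
    validate_police "$1" "$2" || return $?
    snmptrap -v 1 -c "$COMMUNITY" "$SWITCH" enterprises.cisco "$AGENT" 1 0 '' \
        .1.9.9.9.1 i 1 .1.9.9.9.2 i "$1" .1.9.9.9.3 i "$2"
}

trap_cmdline 3000000 100000                              # accepted, printed
trap_cmdline "3000000 conform-action transmit" 100000 \
    || echo "rejected: rate is not a plain integer" >&2  # rejected
```

Sender-side checks only cover traps that come from this script; on the switch, the src-ip-address filter in the applet's event line is what restricts which host may trigger it.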

jschweng
Level 1

Joe - we did finally get it working. Thanks very much for your help. It seems to work very well with just traps and I think it's going to be a very useful tool to make some simple configuration changes via our CEM manager. The only thing left is to provide some status back to the CEM manager that we have changed the running config and what the new police rate is. Do you think that's possible to put a line in EEM event that will send a snmp-trap back to a specific host (not our regular syslog server) with information on the current rate from the output of "show policy-map".

event manager applet OCA-limit-3M
event snmp-notification oid 1.9.9.9. oid-val "3M" op eq
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 7.0 exit 1

show policy-map | i police

I need to send this information to our management server as an snmptrap after the EEM event changes the running config


      police 3000000 100000 exceed-action drop

Thanks

Jeffrey Watson

Lockheed Martin

Add:

action 8.0 snmp-trap strdata "police 3000000 100000 exceed-action drop"


ok thanks - I think I have to actually send them status off the switch and it has to go to a specific server.

Because if the event runs and somehow fails to change the running config - the eem script will send out a trap which indicates a change.

I saw this in another script

     action 100 cli command "show ip int brief | include Loopback0"

Is it possible to send the output of this action to a specific server?

     action 100 cli command "show policy-map | i police"

Okay, I understand what you're asking.  Yes, you can send the output of this CLI command, but it may not look as attractive on your NMS.  Given your version of EEM, additional post-processing of the policy-map output could be performed in applets if required.

Try the following, and if it looks good, then you can stay with it.  If not, we can look at additional options.

action 8.0 cli command "show policy-map | inc police"

action 9.0 snmp-trap strdata "$_cli_result"

Joe thanks

Is there any way to send the applet traps only to one host and not to our other snmp-servers which we normally log snmp to?

Have you been able to get the $_cli_result to work ok? I tried this before

action 8.0 cli command "show policy-map | inc police"
action 9.0 puts "$_cli_result"

and it always chokes on that line when I run it.

Jeff W

snmp-server host 10.10.10.1 readme event-manager

Will this send only my event manager traps to this host and not send any of my traps to it?

Yes, that host will only receive EEM traps.
