I want to monitor interface traffic in/out with EEM, and if the value is over some value I will change the policy.
My router is a 2821 and has 2 FastEthernet ports. I want to monitor the traffic on fasE1/0; if the traffic is over 80Mbps I will change some configuration (example: change the next-hop on a static route) to send traffic via interface fasE1/1 and reduce the traffic on interface fasE1/0.
Please help us to find the best solution.
Depending on your IOS version, this can be quite easy to do. An interface ED will work.
event manager applet int-monitor
event interface name FastEthernet1/0 parameter receive_rate_bps entry-op ge entry-val 80000000 entry-type value poll-interval 10
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "ip route x.x.x.x y.y.y.y z.z.z.z"
action 4.0 cli command "end"
Which is the parameter?
event interface name Gi3/2/1 parameter receive_rate_bps entry-op ge entry-val 100 ?
entry-val-is-increment Entry value is increment
exit-comb Exit combination operator for exit condition tests
exit-op Exit comparison operator
exit-time Time before event monitoring is reenabled
exit-val Exit counter value for interface event
exit-val-is-increment Exit value is increment
maxrun Maximum runtime of applet
poll-interval Interval between consecutive polls in seconds
You have an older IOS. You want:
event interface name FastEthernet1/0 parameter receive_rate_bps entry-op ge entry-val 80000000 entry-val-is-increment false poll-interval 10
Thanks for this.
You wouldn't happen to know of a way to do the same detection with a specific IP address's traffic on an interface, would you?
It depends. If your device supports Flexible Netflow you could define a flow record/monitor to look at traffic from one particular host and collect the total bytes. If that exceeds a threshold, you could fire your event. From the EEM side, that would look like:
event nf event1 field counter bytes long entry-op ge entry-val 8000000 entry-type update monitor MYMON
Wow, thanks for the fast reply!
Yes, my machines apparently do support flexible netflow, but I'm way above my head here. Basically my PhD advisor has tasked me with implementing his last research paper via our 2811's and I've had to come a long way just to get them up and running. I'll start trying to decipher that command, but no promises <)
Can I ask for a clarification? All I need is one notification every time "receive_rate_bps" exceeds 4500000 (4,5Mbps) continuously for 180 seconds. What would be the correct command?
I've been trying out different parameters but can't seem to get it right:
event interface name Gig 0/1 parameter receive_rate_bps entry-op ge entry-val 4500000 entry-type increment poll-interval 180
Your help is much appreciated.
event manager applet bps
event tag 1 interface name FastEthernet0 parameter receive_rate_bps entry-op lt entry-val 4500000 entry-type value poll-interval 180
Modify FastEthernet0 for your LAN port and change receive_rate_bps to transmit_rate_bps if you need.
This won't do what you want. What this definition will do is poll receive_rate_bps every 180 seconds. If the value at that time is less than 4.5 Mbps (or greater than or equal in the original request) then it will trigger.
This is a tricky one because this ED uses polling, so you're essentially sampling. If the rx bps dropped to 1 Mbps just before the applet polls, then jumps back to 4.5, it would still trigger; and that's not what I believe is desired.
If you set the load-interval on the interface to be 180, that would help, but your applet would still be sampling on the polling interval. Running it every second might be too much overhead.
What might work better is to look at ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6.INDEX) for the given ifIndex. If the increment value exceeds what 4.5 Mbps would be (sustained), then trigger the applet:
event snmp oid 1.3.6.1.2.1.31.1.1.1.6.INDEX get-type exact entry-op ge entry-val 101250000 entry-type increment poll-interval 180
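Added example, not part of the original thread: a small Python model of the two trigger styles discussed above, a point-in-time rate check at each poll versus an increment check on an octet counter. It computes the octet increment that corresponds to 4.5 Mbps over 180 seconds. All function names and the traffic profile are constructed for illustration, and the rate is modeled as an instantaneous per-second value, ignoring load-interval averaging.

```python
# Added illustration; all names and the traffic profile are constructed.
COUNTER_MOD = 2 ** 64  # ifHCInOctets is a 64-bit counter


def increment_threshold(rate_bps, window_s):
    """Octets that must arrive in window_s seconds to average rate_bps."""
    return rate_bps * window_s // 8  # the counter counts octets, not bits


def counter_delta(prev, curr):
    """Octets between two polls, tolerating a single counter wrap."""
    return (curr - prev) % COUNTER_MOD


def value_triggers(rates_bps, poll_s, threshold_bps):
    """Poll times where a point-in-time rate check (entry-op ge) fires."""
    return [t for t in range(poll_s, len(rates_bps) + 1, poll_s)
            if rates_bps[t - 1] >= threshold_bps]


def increment_triggers(rates_bps, poll_s, threshold_bps, start=0):
    """Poll times where the octet-counter increment check fires."""
    limit = increment_threshold(threshold_bps, poll_s)
    counter = prev = start
    fired = []
    for t, rate in enumerate(rates_bps, start=1):
        counter = (counter + rate // 8) % COUNTER_MOD
        if t % poll_s == 0:
            if counter_delta(prev, counter) >= limit:
                fired.append(t)
            prev = counter
    return fired


# Constructed per-second receive rates (bps) for three 180 s windows:
#   1: idle at 1 Mbps with a 5 Mbps burst in the final second
#   2: sustained 5 Mbps with a dip to 1 Mbps in the final second
#   3: sustained 5 Mbps throughout
TRAFFIC = ([1_000_000] * 179 + [5_000_000]
           + [5_000_000] * 179 + [1_000_000]
           + [5_000_000] * 180)

if __name__ == "__main__":
    print("increment threshold:", increment_threshold(4_500_000, 180))
    print("value check fires at:", value_triggers(TRAFFIC, 180, 4_500_000))
    print("increment check fires at:", increment_triggers(TRAFFIC, 180, 4_500_000))
```

An increment at or above the threshold shows that the window's average reached 4.5 Mbps, not that every second in the window did.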