New Member

EEM policy: Netflow Detector

Hi all!

Can anyone give a full example of the use of the event_register_nf detector in a TCL script?

At cisco.com there is only the command syntax and no example.

I'm interested in the meaning of the keywords: event_type, exit_event_type, event1-event4.

Cisco Employee

Re: EEM policy: Netflow Detector

Here's a low TTL detection example:

    flow record pingwatcher
     match ipv4 ttl
     match ipv4 source address
     match ipv4 destination address
    !
    flow monitor pingmon
     record pingwatcher
    !
    event manager applet watchLowTTL
     event nf monitor-name "pingmon" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
     action 1.0 syslog msg "TTL=$_nf_event1_value detected between $_nf_source_address and $_nf_dest_address"

New Member

Re: EEM policy: Netflow Detector

Thanks Joseph!

As I understand it, the applet will be triggered when a new flow is created with the parameter ttl < 5.

Can you also answer these questions:

1. What's the difference between the values of event1, event2, event3, event4?

2. What does the parameter exit_event-type mean?

Cisco Employee

Re: EEM policy: Netflow Detector

You can choose to create multiple NF events (up to four) on which to react. This particular policy only needs one to match the low TTL. The exit-event signals when the policy should re-arm. Without an exit-event, the policy will fire every time there is a low TTL match. If the exit-event is specified, the policy will not fire again until the exit-event criteria are met and then the entry-event criteria are met again.
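Added example (not part of the reply above and not Cisco code): a small Python model of the re-arm behaviour that reply describes, run over constructed flow events. The names `Criterion`, `NfPolicyModel` and `fired_at`, the operator table and the event list are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

FlowEvent = Tuple[str, int]          # (flow event type, ipv4 ttl), constructed
OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}   # assumed subset of comparison ops

@dataclass
class Criterion:
    event_type: str                  # "create", "update" or "delete"
    op: str                          # key into OPS
    value: int                       # threshold compared against the TTL

    def matches(self, ev: FlowEvent) -> bool:
        kind, ttl = ev
        return kind == self.event_type and OPS[self.op](ttl, self.value)

class NfPolicyModel:
    """Fires on entry matches; with exit criteria, stays disarmed until they are met."""
    def __init__(self, entry: Criterion, exit_: Optional[Criterion] = None):
        self.entry, self.exit_, self.armed = entry, exit_, True

    def feed(self, ev: FlowEvent) -> bool:
        if self.armed:
            if not self.entry.matches(ev):
                return False
            if self.exit_ is not None:
                self.armed = False   # wait for the exit criteria before firing again
            return True
        if self.exit_.matches(ev):
            self.armed = True        # re-armed; the next entry match fires
        return False

def fired_at(policy: NfPolicyModel, events: List[FlowEvent]) -> List[int]:
    """Indices of the events on which the modelled policy fires."""
    return [i for i, ev in enumerate(events) if policy.feed(ev)]

# Constructed sample: low-TTL flows created and deleted, plus one normal flow.
EVENTS = [("create", 3), ("create", 2), ("delete", 3), ("create", 4),
          ("create", 64), ("delete", 2), ("delete", 4), ("create", 1)]

ENTRY = Criterion("create", "lt", 5)     # event-type create, entry-op lt, entry-value 5
EXIT = Criterion("delete", "lt", 5)      # exit-event-type delete, exit-op lt, exit-value 5

if __name__ == "__main__":
    print("no exit-event  :", fired_at(NfPolicyModel(ENTRY), EVENTS))
    print("with exit-event:", fired_at(NfPolicyModel(ENTRY, EXIT), EVENTS))
```

In this model the second low-TTL create (index 1) is suppressed when exit criteria are set, because no matching delete has re-armed the policy yet.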

New Member

EEM policy: Netflow Detector

Hi Joseph!

Thanks for the answer.

I'm trying to use the exit-event-type as:  

   event nf monitor-name "pingmon" event-type create  exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt

But the policy is not re-armed.

A new ping (after the NetFlow inactive timeout, 15 sec by default) does not trigger the policy.

Should it have re-armed on deletion of the flow? Either it does not happen, or I misunderstood you.

Cisco Employee

EEM policy: Netflow Detector

You will need to specify an exit-event.  For example:

event nf monitor-name "pingmon" event-type create  exit-event-type delete event1 entry-value "5" field ipv4 ttl entry-op lt exit-value "5" exit-op lt

New Member

EEM policy: Netflow Detector

Hi Joseph! Thanks, it is now working!
