New Member

EEM w/ TCL for CoPP

Hi all,

I'm in the process of deploying CoPP on our 6500's running 122-33.SXI code - several of which are utilizing VSS capabilities. I'm having some troubles with the TCL script (see attached). The script is outputting to the CSV file in disk0, but there are no packets/bytes output, only date/time.

Any thoughts? Thanks.

New Member

Re: EEM w/ TCL for CoPP

Here is a screenshot of the output:

Cisco Employee

Re: EEM w/ TCL for CoPP

There appears to be an issue with your editor. Look at line 51. The character before "inline" shows up as <96> for me instead of '-'. I think the attached policy will do what you want.

New Member

Re: EEM w/ TCL for CoPP

Thanks Joe. That did the trick. For some reason 96 isn't showing in my editor. Which editor do you use?

I would like to further adjust this EEM policy to send a trap and/or syslog message when a class-map within the CoPP policy begins having packets exceed the allowed police rate. Thoughts on that? Thanks.

Cisco Employee

Re: EEM w/ TCL for CoPP

I use vim on FreeBSD.

As for sending a notification when a policy is exceeded, just execute the required action based on a comparison with the current bytes/packets value. If you plan on sending email, you'll also want to import the ::cisco::lib::* namespace.

Beyond that, I'm not sure what you're looking for.

New Member

Re: EEM w/ TCL for CoPP

Thanks Joe. That's exactly what I would like to do. Can you help me with the configuration within the script? I can't seem to get the correct formatting. Thanks.

Cisco Employee

Re: EEM w/ TCL for CoPP

What do you mean by formatting? What have you tried so far? The actual code will just be a numeric comparison:

    if { $current_val >= $threshold } {
        # fire notification
    }

New Member

Re: EEM w/ TCL for CoPP

I'm not up to par on scripting, the variables used etc...this is my first go at it.

Would the above code be located immediately following this:

    if [catch {cli_exec $cli(fd) "show policy-map control-plane"}\
            result] {
        error $result $errorInfo
    } else {
        set cmd_output $result
    }

    if [catch {cli_close $cli(fd) $cli(tty_id)} result] {
        error $result $errorInfo
    }

    if { $current_val >= $threshold } {
        action_syslog priority notice msg "Test Message"
    }

Cisco Employee

Re: EEM w/ TCL for CoPP

Well, you have to pull out the current value from the "show policy-map control-plane" command. You've already done that in your current policy. The value of threshold can be set as an environment variable. For example:

event manager environment copp_bytes_threshold 1000

Then, since the bytes and packets values are most likely counters (I don't have a router with CoPP enabled), you'll need to do some math on current and previous byte values. For example:

set current_val [expr [expr $current_bytes - $prev_bytes] / $EEM_COPP_BASELINE_INTERVAL]

Where $current_bytes is the current byte value extracted from the "show policy-map control-plane" command, and $prev_bytes is the previous byte value retrieved from the saved context.

New Member

Re: EEM w/ TCL for CoPP

Yeah, I'm trying to match on the 5-min avg bps, although there are also total bytes, 30-s bytes, peak bytes, and peak bps fields within the output.

I've set the threshold to 1000 (very low for testing), and included the 'set' statement as seen above. Do I not need to add an action statement in such as this:

    set current_val [expr [expr $current_bps - $prev_bps] / $EEM_COPP_BASELINE_INTERVAL]
    action_syslog msg "CoPP Threshold Exceeded"

I've attached the script with this added code --- I'm still missing something.

Cisco Employee

Re: EEM w/ TCL for CoPP

What does the output of the show policy-map control-plane look like?

New Member

Re: EEM w/ TCL for CoPP

I've attached the output.

Cisco Employee

Re: EEM w/ TCL for CoPP

Your code will not work given this output. First, your script is not extracting the bps values, but rather the raw byte and packet counters. You would need to adjust your regular expression to pull out the bps values.

Second, since you have multiple class-maps applied, you will probably want to check each class-map bps value against your threshold. So the test for threshold violation would have to be done in the loop which iterates over your regexp matches.

Finally, since you are using bps instead of raw counters, you don't need to do any math. Just check the bps values directly to the threshold. For example:

    if { $bps >= $copp_bps_threshold } {
        action_syslog msg "CoPP Threshold Exceeded"
    }

Of course, you may also want to include the policy-map name within the syslog message.

New Member

Re: EEM w/ TCL for CoPP

Okay, here is what I have thus far. Still having issues. Thanks for your patience with me on this Joe.

Cisco Employee

Re: EEM w/ TCL for CoPP

The regular expression "class-map: 5..." doesn't match anything in the previously provided output.

If it were me, I'd probably go with the algorithm in the attached example Tcl script to extract the bps values for each class-map. You can run this script using tclsh or IOS or on a host to get an idea of how it works. Then you can adapt the code to your EEM policy.
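
An added example, not the attachment from this thread and not Cisco's policy: a stand-alone Tcl script for the per-class check described in the replies above (pull each class-map's bps value out of the command output, compare it to a threshold, and name the class in the message). The sample output is constructed and simplified, its field layout is an assumption, and the proc names `copp_class_rates` and `copp_violations` are hypothetical.

```tcl
# Constructed, simplified sample of "show policy-map control-plane" output.
# The field layout is an assumption; adapt the regexps to your platform.
set sample_output {
 Control Plane Interface
  Service-policy input: copp-policy
    Class-map: copp-bgp (match-all)
      1200 packets, 96000 bytes
      5 minute offered rate 800 bps, drop rate 0 bps
    Class-map: copp-icmp (match-all)
      90000 packets, 7200000 bytes
      5 minute offered rate 64000 bps, drop rate 32000 bps
    Class-map: class-default (match-any)
      10 packets, 640 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
}

# Return a list of {class bps} pairs, one per class-map in the output.
proc copp_class_rates {output} {
    set rates [list]
    set class ""
    foreach line [split $output "\n"] {
        if {[regexp -nocase {class-map:\s+(\S+)} $line -> name]} {
            # Remember which class the following counters belong to.
            set class $name
        } elseif {[string length $class] > 0 &&
                  [regexp {offered rate\s+(\d+)\s+bps} $line -> bps]} {
            lappend rates [list $class $bps]
            # Take only the first rate line seen for each class.
            set class ""
        }
    }
    return $rates
}

# Return one message per class whose bps is at or above the threshold.
proc copp_violations {output threshold} {
    set msgs [list]
    foreach pair [copp_class_rates $output] {
        foreach {class bps} $pair break
        if {$bps >= $threshold} {
            lappend msgs "CoPP threshold exceeded: class $class at $bps bps (threshold $threshold bps)"
        }
    }
    return $msgs
}

# Under tclsh this prints the messages; in an EEM policy each one would be
# passed to action_syslog msg instead.
foreach msg [copp_violations $sample_output 1000] {
    puts $msg
}
```

With the constructed sample and a threshold of 1000, only the copp-icmp class is reported.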

Cisco Employee

Re: EEM w/ TCL for CoPP

I just found that a CoPP baseline policy is included on Cisco.com http://www.cisco.com/web/about/security/intelligence/embedded-event-mgr.html . Was this where you got your policy? If so, as we have already seen, there are some issues. I can probably get that updated.

New Member

Re: EEM w/ TCL for CoPP

That is, indeed, where I got the baseline from. I would love to see an updated version posted there. Thanks!

Cisco Employee

Re: EEM w/ TCL for CoPP

Here is the version that should have been posted. It removes the bad character.

Cisco Employee

Re: EEM w/ TCL for CoPP

And here is a version which will send out a syslog message if a class's bps value exceeds a pre-defined threshold. Set the EEM environment variable EEM_COPP_BASELINE_THRESHOLD to be the desired bps threshold.
