Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1742
Views
0
Helpful
6
Replies

TCL Script works on 3750 and not 6509

Go to solution
kevin-shaw
Level 1
Level 1

‎09-18-2013 12:16 PM

I am currently trying to learn the TCL Language for use on IOS.  A simple script I created is below:

The script works fine on a 3750 but fails on a 6509.  Any ideas ? ?

Thanks!!  KEV

proc validate {args} {

foreach address $args {

    set output [exec "ping $address"]

    #puts $output

    regexp {.*Success rate is (\d+) percent \((\d+)\/(\d+)\), round-trip min/avg/max =\s+(\d+)\/(\d+)\/(\d+)} $output COMPLETE perc sent recieved min avg max

    puts "ADDRESS:\t$address"

    puts "PERCENT:\t$perc"

    puts "SENT:\t\t$sent"

    puts "RECV:\t\t$recieved"

    puts "MIN:\t\t$min"

    puts "AVG:\t\t$avg"

    puts "MAX:\t\t$max"

    puts \n

    }

}

validate172.16.35.12 172.16.3.143 192.168.4.4

LAB_3750(tcl)#validate 172.16.35.12 172.16.3.143 192.168.4.4

ADDRESS:        172.16.35.12

PERCENT:        100

SENT:           5

RECV:           5

MIN:            1

AVG:            3

MAX:            8

ADDRESS:        172.16.3.143

PERCENT:        100

SENT:           5

RECV:           5

MIN:            1

AVG:            2

MAX:            8

ADDRESS:        192.168.4.4

PERCENT:        100

SENT:           5

RECV:           5

MIN:            25

AVG:            30

MAX:            34

LAB_6509(tcl)#validate 172.16.35.12 172.16.3.143 192.168.4.4

ADDRESS:        172.16.35.12

can't read "perc": no such variable

LAB_6509(tcl)#

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to kevin-shaw

‎09-19-2013 12:07 PM

This is what I thought.  Tclsh doesn't work with command authorization.  EEM does, however.  Your script could be updated to this to work with EEM:

::cisco::eem::event_register_none
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if { [catch {cli_open} result] } {
    error $result $errorInfo
}
array set cli $result
array set arg_einfo [event_reqinfo]
cli_exec $cli(fd) "enable"
foreach aname [array names arr_einfo -regexp {arg[0-9]+}] {
    set address $arr_einfo($aname)
set output [cli_exec $cli(fd) "ping $address"]
regexp {.*Success rate is (\d+) percent \((\d+)\/(\d+)\), round-trip  min/avg/max =\s+(\d+)\/(\d+)\/(\d+)} $output COMPLETE perc sent recieved  min avg max
puts "ADDRESS:\t$address"
puts "PERCENT:\t$perc"
puts "SENT:\t\t$sent"
puts "RECV:\t\t$recieved"
puts "MIN:\t\t$min"
puts "AVG:\t\t$avg"
puts "MAX:\t\t$max"
puts \n
}
catch {cli_close $cli(fd) $cli(tty_id)}       

You register this script my copying it to disk0:/policies, then configure:

event manager directory user policy disk0:/policies

event manager policy validate.tcl

Also configure:

event manager session cli username USER

Where USER is a AAA user authorized to run the ping command.

Then run it using:

event manager run validate.tcl ADDR [ADDR] ...

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee

‎09-18-2013 02:21 PM

Post the output of the ping command on the 6500.  The regexp is not matching and that likely means the output is different between the two devices.

0 Helpful

Go to solution
kevin-shaw
Level 1
Level 1
In response to Joe Clarke

‎09-19-2013 05:55 AM

Below is output from the Pings on both types of gear.  I am not a regex guru, but I checked it against the both Ping outputs, using RegEx Coach and it appeared to match OK, but who knows...

3750

LAB_3750#ping 172.16.35.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.35.12, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

6509

LAB_6509#ping 172.16.35.12

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.35.12, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

One other difference I notice between the two environments is the the 3750 drops me into a +> shell, immediatly after I paste in the script, while the 6509 seems to keep me in a (tcl) prompt.  It also fails, in the same manner, if I launch it from a TFTP Server.

         

LAB_3750(tcl)#proc validate {args} {

+>

LAB_6509(tcl)#proc validate {args} {

LAB_6509(tcl)#

LAB_3750_CODE: 12.2(44)SE3

LAB_6509 CODE:  12.2(33)SXI4a

Thanks for the help!!

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to kevin-shaw

‎09-19-2013 08:31 AM

If you print $output on the 6509, what do you see?  You might want to consider switching to EEM Tcl to give you better control over the CLI sessions.

0 Helpful

Go to solution
kevin-shaw
Level 1
Level 1
In response to Joe Clarke

‎09-19-2013 09:18 AM

This just gets more and more strange...

I enabled the "puts $output" line and executed the TCL script.  On the 3750, all was well, in that it showed the Ping results.  On the 6509, I got a Command Authorization Failed message.  I verifeid that I have Priv 15 credentials (one would hope, in order to even run these scripts).  I see error messages in the Failed Attempts in ACS, from this host, each time I executed it..I compared the AAA sections of the configs and they match.

LAB_6509(tcl)#validate 172.16.35.12

Command authorization failed.

ADDRESS:        172.16.35.12

can't read "perc": no such variable

LAB_6509(tcl)#

Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port
09/19/2013,11:51:57,Author   failed,,Default Group,async,,User unknown,,tty2
09/19/2013,11:55:47,Author   failed,,Default Group,async,,User unknown,,tty2
09/19/2013,12:00:28,Author   failed,,Default Group,async,,User unknown,,tty2

Now, I have to admit, I have yet to even look into EEM or EEMv3, but I will do so.

0 Helpful

Go to solution
Joe Clarke
Cisco Employee
Cisco Employee
In response to kevin-shaw

‎09-19-2013 12:07 PM

This is what I thought.  Tclsh doesn't work with command authorization.  EEM does, however.  Your script could be updated to this to work with EEM:

::cisco::eem::event_register_none
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if { [catch {cli_open} result] } {
    error $result $errorInfo
}
array set cli $result
array set arg_einfo [event_reqinfo]
cli_exec $cli(fd) "enable"
foreach aname [array names arr_einfo -regexp {arg[0-9]+}] {
    set address $arr_einfo($aname)
set output [cli_exec $cli(fd) "ping $address"]
regexp {.*Success rate is (\d+) percent \((\d+)\/(\d+)\), round-trip  min/avg/max =\s+(\d+)\/(\d+)\/(\d+)} $output COMPLETE perc sent recieved  min avg max
puts "ADDRESS:\t$address"
puts "PERCENT:\t$perc"
puts "SENT:\t\t$sent"
puts "RECV:\t\t$recieved"
puts "MIN:\t\t$min"
puts "AVG:\t\t$avg"
puts "MAX:\t\t$max"
puts \n
}
catch {cli_close $cli(fd) $cli(tty_id)}       

You register this script my copying it to disk0:/policies, then configure:

event manager directory user policy disk0:/policies

event manager policy validate.tcl

Also configure:

event manager session cli username USER

Where USER is a AAA user authorized to run the ping command.

Then run it using:

event manager run validate.tcl ADDR [ADDR] ...

0 Helpful

Go to solution
kevin-shaw
Level 1
Level 1
In response to Joe Clarke

‎09-19-2013 02:03 PM

Thanks a ton for your help!!

I still can't understand how AAA allows the script on one type of hardware and not the other (3750 vs. 6509), but that may be for another time...

I will look into this option further, especially as I come up with ideas to leverage this technology, in order to enrich the network monitoring capabilities currently in place.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents