Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Using SNMP traps to trigger EEM Applets

We need to be able to change the allowable line rate going into a switch from a Linux Mgt Server using snmp.   Was trying to use EEM applets which would be triggered via snmp traps from the server. We need to change it up to ten different rates.  I can't seem to get the applets to trigger.   Any help would be appreciated - thanks.

class-map match-all CLASS_SLAP
match access-group name ACL_SLAP
!!
policy-map OCA-RATE-LIMIT
class CLASS_SLAP
  police 1900000 100000 exceed-action drop

interface GigabitEthernet1/0/20
switchport access vlan 10
switchport mode access
speed 100
duplex full
service-policy input OCA-RATE-LIMIT

snmp-server community <removed> RO 98
snmp-server community <removed> RW 99
snmp-server host <IP> version 2c <removed>  snmp
snmp-server host <IP>version 2c <removed>
snmp-server host <IP>version 2c <removed>
snmp-server host <IP>version 2c <removed>
snmp-server host <IP>version 2c <removed>
snmp-server manager

event manager applet OCA-limit-3M
event snmp-object oid 1.9.9.9.3 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.3.0
action 7.0 exit 1
event manager applet OCA-limit-6M
event snmp-object oid 1.9.9.9.6 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.26.0
action 7.0 exit 1
event manager applet OCA-limit-7M
event snmp-object oid 1.9.9.9.7 type gauge sync yes istable no
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 7000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.7.0
action 7.0 exit 1
event manager applet OCA-limit-8M
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 8000000 100000 exceed-action drop"
action 6.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.8.0
action 7.0 exit 1
event manager applet TESTTEST
event none
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 1900000 100000 exceed-action drop"
action 7.0 exit 1
!
end

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Chokes how?  This should (and does) work.  The value of the _cli_result variable will always hold the output of the last CLI command executed.

34 REPLIES
Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

What you want to do is very possible (and I even wrote some internal documentation on this), but you have it configured incorrectly.  You have configured your policies to trigger off of SNMP polling operations (i.e. SNMP GET and SET requests), and not to trigger off of SNMP traps received by the device.  I will convert one for you, and that should give you the insight into what to do on the others.

event manager applet OCA-limit-3M

event snmp-notification oid 1.9.9.9. oid-val 3 op eq src-ip-address ADDR
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 6.0 cli command "end"

But, this is actually sub-optimal.  You could consolidate all of these applet policies into one.  Say you generate a trap with a varbind 1.9.9.9.1=1.  You then have two other varbinds, 1.9.9.9.2 and 1.9.9.9.3.  The .2 varbind contains the bits per second whereas the .3 varbind contains the burst rate.  Your new, unified policy would be:

event manager applet adjust-qos

event snmp-notification oid 1.9.9.9.1 oid-val 1 op eq src-ip-address ADDR

action 1.0 cli command "enable"

action 2.0 cli command "config t"

action 3.0 cli command "policy-map OCA-RATE-LIMIT"

action 4.0 cli command "class CLASS_SLAP"

action 5.0 cli command "police $_1_9_9_9_2 $_1_9_9_9_3 exceed-action drop"

action 6.0 cli command "end"

In both cases, ADDR is the IP address of the Linux box which will send the trap.

New Member

Re: Using SNMP traps to trigger EEM Applets

Joe - Thank you so much for the reponse. I've been trying to get this working but no joy so far - but very close though.  I can the applet's to trigger via SNMP GETS.  The problem I am having is what oid to use to do the gets.  I tried to set it up using 1.9.9.9.3 to 1.9.9.9.25 for the differnet applets.  some of them worked, some of them caused my switch to crash.  Not sure what's going on there.

Is sending Traps preferred over sending GETS to trigger the applets?  If you have any documentation that would be very helpful.

Sincerley

Jeffrey Watson

Lockheed

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

I would STRONGLY encourage you to use traps over GET requests for now.  There is a bug when EEM and the snmp-object ED which I filed that will be fixed in an upcoming 15.x release.  Until then, GETs can be problematic.

If you follow my example in this thread, it should be easy to get traps to work.  Use the Net-SNMP snmptrap command to generate the traps with the customer OID varbinds.

New Member

Re: Using SNMP traps to trigger EEM Applets

Joe - Thanks - Will look at setting up for TRAPS instead GETS.  That's good to know.  

If we use TRAPS then do we have to use an oid that is a standard MIB or can we use 1.9.9.9.  

I'm not sure I can send a trap that isn't a standar MIB.

New Member

Re: Using SNMP traps to trigger EEM Applets

I'm sending the trap - its hitting siwtch. In the log I keep getting this message

fh_fd_snmp_proxy_incoming_trap_msgs:  trap received NO match src ip addr dest I/F Vlan 2, dest ip address

Its not triggering the event - any ideas?

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Make sure you have the SNMP Manager enabled on your device.  Configure:

snmp-server manager

If it's still not working, post your new running config.

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

You can with Net-SNMP's snmptrap command.  For example:

snmptrap -v 1 -c public 172.18.123.33 enterprises.cisco 10.32.100.91 1 0 '' .1.9.9.9.1 i 1 .1.9.9.9.2 i 3000000 .1.9.9.9.3 i 100000
New Member

Re: Using SNMP traps to trigger EEM Applets

Joe - we did finally did get it working.  Thanks very much for your help.   It seems to work very well with just traps and I think its going to be a very useful tool to make some simple configuarion changes via our CEM manager.  The only thing left is to provide some status back to the CEM manager that we have changed the running config and what the new police rate is.  Do you think that's possible to put a line in EEM event that will send a snmp-trap back to a specific host (not our regular syslog server) whith information on the current rate from the output of "show policy-map".

event manager applet OCA-limit-3M
event snmp-notification oid 1.9.9.9. oid-val "3M" op eq
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
  action 7.0 exit 1

show policy-map | i police

I need to send this information to our management server as an snmptrap after the EEM event changes the running config


      police 3000000 100000 exceed-action drop

Thanks

Jeffrey Watson

Lockheed Martin

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Add:

action 8.0 snmp-trap strdata "police 3000000 100000 exceed-action drop"
New Member

Re: Using SNMP traps to trigger EEM Applets

action 8.0 snmp-trap strdata "police 3000000 100000 exceed-action drop"

ok thanks - I think I have to actually send them status off the switch and it has to go to a specific server.

Becuase if the event runs and somehow fails to change the running config - the eem script will send send

out a trap which indicates a change.

I saw this in another script

     action 100 cli command "show ip int brief | include Loopback0"

Is it possible to send the output of this action to a specific server?

     action 100 clie command "show policy-map | i police"

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Okay, I understand what you're asking.  Yes, you can send the output of this CLI command, but it may not look at attractive on your NMS.  Given your version of EEM, additional pos-processing of the policy-map output could be performed in applets if required.

Try the following, and if it looks good, then you can stay with it.  If not, we can look at additional options.

action 8.0 cli command "show policy-map | inc police"

action 9.0 snmp-trap strdata "$_cli_result"

New Member

Re: Using SNMP traps to trigger EEM Applets

Joe thanks

Is there any way to send the applet traps only to one host  and not to the our other snmp-servers which we normally log snmp to?

have you been able to get the $_cli_result to work ok.   I tried this before

action 8.0 cli command "show policy-map | inc police"
action 9.0 puts "$_cli_result"

and it always chokes on that line when I run it.

Jeff W

New Member

Re: Using SNMP traps to trigger EEM Applets

snmp-server host 10.10.10.1 readme event-manager

will this send only my event manager traps to this host and not send any of my traps to it?

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Yes, that host will only receive EEM traps.

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Chokes how?  This should (and does) work.  The value of the _cli_result variable will always hold the output of the last CLI command executed.

New Member

Re: Using SNMP traps to trigger EEM Applets

I think I got the $_cli_result to work.  I was trying to trigger it with an applet that has event none.  I had to use the trigger that is "event none sync yes" then it worked.   I'm not sure what "sync yes" does but it must be important.

Things are looking good.  One things that';s come is the users are complaining about poor network performance.   I checked the CPU on my switch that is runngin eem and whenever I send it a few triggers in a row the CPU pegs to 100%.   with no debug going.  My code follows.

My questions are :

     1.  Is that normal

     2.  Should I use some other oid value.  I ran snmp debug packets and I see alot status information in the log file.  Is there some benign generic oid that I should use to trigger the event rather than what I am?

event manager applet OCA-limit-3M

     event snmp-notification oid 1.9.9.9. oid-value "3M" op eq

     action 1.0 cli command "enable"

     ... more commands ...

     action 7.0 exit 1

snmptrap -v 2c readme -Ci    ""  1.9.9.9 1.9.9.9.9.0  s "3M"

Thank you for the help

Jeff

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

The $_cli_result variable does not depend on the event detector.  You just need to make sure you perform at least one action cli before dereferencing the variable.

You should remove the action 7.0 line.  You don't need to exit with a failure.

As for the high CPU, without seeing which process is causing this, or seeing the "show stack" output for that process, I cannot comment.

New Member

Re: Using SNMP traps to trigger EEM Applets

ok thanks - my switch is a lab switch so all its doing is EEM right now.   I think probably the CPU is caused by which trap I am sending it from my host.  When I debug snding trap 1.9.9.9.0 I get all this in my log.   I've read where when sending traps to trigger events it really does't matter what MIB you use, but it seems to cause the swtich to process alot of data.  Is there any totally generic MIB I could use that would not do anything mor ethan trigger the event?

#event manager run TESTTEST
3M
3000000

MCCB8SW#
00:52:39: SNMP: Queuing packet to 10.10.108.101
00:52:39: SNMP: V2 Trap, reqid 23, errstat 0, erridx 0
sysUpTime.0 = 315992
snmpTrapOID.0 = cEventMgrMIB.0.2
ceemHistoryEventEntry.2.13 = 131
ceemHistoryEventEntry.3.13 = 0
ceemHistoryEventEntry.4.13 = 0
ceemHistoryEventEntry.5.13 = 0
ceemHistoryEventEntry.6.13 = 
ceemHistoryEventEntry.7.13 = applet: TESTTEST 
ceemHistoryEventEntry.9.13 = 0
ceemHistoryEventEntry.10.13 = 0
ceemHistoryEventEntry.11.13 = 3M
ceemHistoryEventEntry.13.13 = 0
ceemHistoryEventEntry.14.13 = 0
ceemHistoryEventEntry.15.13 = 0
ceemHistoryEventEntry.16.13 = 0
00:52:39: SNMP: Queuing packet to 160.108.10.111
00:52:39: SNMP: V1 Trap, ent cEventMgrMIB, addr 160.108.10.1, gentrap 6, spectrap 2
ceemHistoryEventEntry.2.13 = 131
ceemHistoryEventEntry.3.13 = 0
ceemHistoryEventEntry.4.13 = 0
ceemHistoryEventEntry.5.13 = 0
ceemHistoryEventEntry.6.13 = 
ceemHistoryEventEntry.7.13 = applet: TESTTEST 
ceemHistoryEventEntry.9.13 = 0
ceemHistoryEventEntry.10.13 = 0
ceemHistoryEventEntry.11.13 = 3M
ceemHistoryEventEntry.13.13 = 0
ceemHistoryEventEntry.14.13 = 0
ceemHistoryEventEntry.15.13 = 0
ceemHistoryEventEntry.16.13 = 0
00:52:40: SNMP: Queuing packet to 10.10.108.101
00:52:40: SNMP: V2 Trap, reqid 25, errstat 0, erridx 0
sysUpTime.0 = 316006
snmpTrapOID.0 = cEventMgrMIB.0.2
ceemHistoryEventEntry.2.14 = 131
ceemHistoryEventEntry.3.14 = 0
ceemHistoryEventEntry.4.14 = 0
ceemHistoryEventEntry.5.14 = 0
ceemHistoryEventEntry.6.14 = 
ceemHistoryEventEntry.7.14 = applet: TESTTEST 
ceemHistoryEventEntry.9.14 = 0
ceemHistoryEventEntry.10.14 = 0
ceemHistoryEventEntry.11.14 = 3000000
ceemHistoryEventEntry.13.14 = 0
ceemHistoryEventEntry.14.14 = 0
ceemHistoryEventEntry.15.14 = 0
ceemHistoryEventEntry.16.14 = 0
00:52:40: SNMP: Queuing packet to 160.108.10.111
00:52:40: SNMP: V1 Trap, ent cEventMgrMIB, addr 160.108.10.1, gentrap 6, spectrap 2
ceemHistoryEventEntry.2.14 = 131
ceemHistoryEventEntry.3.14 = 0
ceemHistoryEventEntry.4.14 = 0
ceemHistoryEventEntry.5.14 = 0
ceemHistoryEventEntry.6.14 = 
ceemHistoryEventEntry.7.14 = applet: TESTTEST 
ceemHistoryEventEntry.9.14 = 0
ceemHistoryEventEntry.10.14 = 0
ceemHistoryEventEntry.11.14 = 3000000
ceemHistoryEventEntry.13.14 = 0
ceemHistoryEventEntry.14.14 = 0
ceemHistoryEventEntry.15.14 = 0
ceemHistoryEventEntry.16.14 = 0

New Member

Re: Using SNMP traps to trigger EEM Applets

I was trying to parse the output of "show polic-map | i police"  so that I can put the rate in a variable and send it off as a trap.   In this case it would be 6MegB.  Actions 6.2, 6.3, 6,4, 6.5 were supposet o do that - but no joy. Any idea on what is wrong with the syntax. It just needs to pick out the first 7 to 8 digits.

event manager applet OCA-limit-6M
event none sync yes
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 5.1 cli command "exit"
action 6.0 puts "6M"
action 6.1 snmp-trap intdata1 6000000 strdata ""
action 6.2 cli command "show policy-map | i police"
action 6.3 regexp " [0-9] " "$_cli_result" result
action 6.4 puts "$_cli_result"
action 6.5 snmp-trap strdata "$result"

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

You want:

 action 6.2 cli command "show policy-map | i police"
action 6.3 regexp "([0-9]+)" "$_cli_result" result
action 6.4 puts "$_cli_result"
action 6.5 snmp-trap strdata "$result"
Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

This is coming from outgoing EEM traps.  It doesn't matter what trap you send to the device.  A generic one wouldn't have any different effect from a customized one.

In this case, it looks like you have multiple trap hosts defined, and all of them are receiving the EEM traps (i.e. you do not have additional trap keywords on them to limit the trap types they receive).

In order to get to the root of the CPU problem, you would need to provide the output of "show proc cpu sorted" when the CPU is pegged.

New Member

Re: Using SNMP traps to trigger EEM Applets

ok thank - I tried that exact thing. It always chokes on line 6.4. If I take out 6.4 it chokes on 6.5.  Here is script and output.

event manager applet OCA-limit-6M
event none sync yes
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 5.1 cli command "exit"
action 6.0 puts "6M"
action 6.1 snmp-trap intdata1 6000000 strdata ""
action 6.2 cli command "show policy-map | i police"
action 6.3 regexp "([0-9]+)" "$_cli_result" result
action 6.4 puts "$result"
action 6.5 snmp-trap strdata "$result"

#event manager run OCA-limit-6M
#6M

router#
00:06:40: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment variable: result
00:06:40: %HA_EM-3-FMPD_ERROR: Error executing applet OCA-limit-6M statement 6.

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

Post the full output of "show policy-map | i police".

New Member

Re: Using SNMP traps to trigger EEM Applets

The first number will be either 3,6, 7,8,10, 12, 18, 20,,22,24,25 Meg.   So it could be 7 or 8 digits.

router#show policy-map | i police
      police 6000000 100000 exceed-action drop
router#

Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

This works for me:

event manager applet OCA-limit-6M
event none sync yes
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 5.1 cli command "end"
action 6.0 puts "6M"
action 6.1 snmp-trap intdata1 6000000 strdata ""
action 6.2 cli command "show policy-map | i police"
action 6.3 regexp "police ([0-9]+)" $_cli_result whole result
action 6.4 puts "$result"
action 6.5 snmp-trap strdata "$result"

Note: you had an "exit" in there where you needed to have an "end".

New Member

Re: Using SNMP traps to trigger EEM Applets

Any idea if thsi book is giong to be any good.  or do you know any others that have details on EEM and TCL scripting as applied to cisco. I've got a feeling I'm going to need some references.

TcL Scripting for Cisco IOS (Networking Technology) [Paperback]

Raymond Blair (Author), Arvind Durai (Author), John Lautmann (Author)


Cisco Employee

Re: Using SNMP traps to trigger EEM Applets

I was one of the technical editors of this book, and it will be quite useful to people wanting to learn Tcl on IOS.  It does cover some EEM examples as well, but not much in the realm of applets.

New Member

Re: Using SNMP traps to trigger EEM Applets

ok thanks - I entered the code as shown for hte 6M. The first two times i tried it I got the same errors. Then it worked.  So I added same action 6 code to the 3M segment - no joy there. same errors.  Do I have to initialize the variable "result" or something. 

router#event manager run OCA-limit-6M
6M
6000000

router#event manager run OCA-limit-3M
3M

router#
00:48:03: %HA_EM-3-FMPD_UNKNOWN_ENV: fh_parse_var: could not find environment va
riable: result
00:48:03: %HA_EM-3-FMPD_ERROR: Error executing applet OCA-limit-3M statement 6.

event manager applet OCA-limit-3M
event none sync yes
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 3000000 100000 exceed-action drop"
action 5.1 cli command "exit"
action 6.0 puts "3M"
action 6.1 snmp-trap intdata1 3000000 strdata ""
action 6.2 cli command "show policy-map | i police"
action 6.3 regexp "police ([0-9]+)" "$_cli_result" whole result
action 6.4 puts "$result"
action 6.5 snmp-trap strdata "$result"
action 9.0 exit 1

event manager applet OCA-limit-6M
event none sync yes
action 1.0 cli command "enable"
action 2.0 cli command "config terminal"
action 3.0 cli command "policy-map OCA-RATE-LIMIT"
action 4.0 cli command "class CLASS_SLAP"
action 5.0 cli command " police 6000000 100000 exceed-action drop"
action 5.1 cli command "exit"
action 6.0 puts "6M"
action 6.1 snmp-trap intdata1 6000000 strdata ""
action 6.2 cli command "show policy-map | i police"
action 6.3 regexp "police ([0-9]+)" "$_cli_result" whole result
action 6.4 puts "$result"
action 6.5 snmp-trap strdata "$result"
action 9.0 exit 1

New Member

Re: Using SNMP traps to trigger EEM Applets

Joe - I think tis working. You're right I have an "exit" and needed an "end" . Didn't have t

hat inthe 3M segment. Seems to work ok. I'm outof you.

Thanks for all your help - will probably have to ask you somestuff about het high cpu next week.

have a great weekend

Jeffrey Watson

Lockheed Martin

1873
Views
0
Helpful
34
Replies
CreatePlease to create content