EEM to disable netflow Export

rtjensen4
Level 4

Hi All,

I've been having an issue with my Cellular backup connection at my branches. The way it is set up, if the T1 goes down, the Cellular interface comes online and establishes a VPN connection. That part works fine, but after 2-3 minutes, the Cellular interface goes down. I did my homework and worked with Verizon and we determined it is my Netflow packets that are causing IP Source validation errors. Verizon has their service configured such that if any packets leave my router not sourced from the IP assigned to me OR destined for a private IP range, they axe the PPP session. I disabled netflow export and brought up the backup connection and it ran like a champ, no drops. Using IOS 12.4(24)T1. I went around and around with various TAC departments and finally found my issue:

CSCef28662

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCef28662


Turns out I can't encrypt the netflow packets to go across the VPN. I was thinking about using EEM to disable flow export when the T1 drops and then re-enable it when the T1 comes back online. I've tested this on one of my test routers:

! Applet 1: remove the export destination when the interface goes down
event manager applet disableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to down"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "no ip flow-export destination <IP> 2055"
action 1.3 syslog msg "Flow Disabled"
!
! Applet 2: restore the export destination when the interface comes back up
event manager applet enableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to up"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "ip flow-export destination <IP> 2055"
action 2.5 syslog msg "Flow Enabled"
!
end

I've done shut / no shut on loopback59 and the applets function as expected (YAY!). I will update the Loopback59 part to resemble my actual T1 interface later when I put this into production.

Question 1:

Is there a way I can combine the functionality I'm looking for into a single script? Or should I leave it as two separate ones?

Question 2:

I noticed that the actions can be numbered as decimals. Does that mean they rely on the previous ones?

I.e. Command 1.1 relies on Command 1.0 being successful.

Accepted Solution

Joe Clarke
Cisco Employee

1. You could combine this into one policy given that you are running IOS 12.4(24)T1. However, your current policies might be easier for you to maintain moving forward. To combine the two, you would need to use regexp:

event manager applet netflow-toggle
event syslog pattern "Line protocol on Interface Loopback59, changed state to"
! capture the (down|up) submatch from the syslog message into $state
action 001 regexp "changed state to (down|up)" $_syslog_msg ignore state
action 002 if $state eq "down"
action 003   set newmsg "Flow Disabled"
action 004   set command "no ip flow-export destination <IP> 2055"
action 005 else
action 006   set newmsg "Flow Enabled"
action 007   set command "ip flow-export destination <IP> 2055"
action 008 end
! <IP> is a placeholder for the collector address, as in the original applets
action 009 cli command "enable"
action 010 cli command "config t"
action 011 cli command "$command"
action 012 cli command "end"
action 013 syslog msg "$newmsg"

2. Action labels are actually strings, and are executed in lexicographical or dictionary order. Therefore "action 10.0" will be executed after "action 1.0" and not after "action 9.0".


4 Replies

Jon Marshall
Hall of Fame

To get a quick answer to this you should move this post to Network Management where Joe Clarke, the Cisco expert on all things EEM hangs out. You can move the post using the Actions link on the right hand side box.

Jon

Marwan ALshawi
VIP Alumni

1. I would suggest you leave it separate, because each one is working on a different event.

2. The sequence number is important in terms of the sequence of applying the actions.

For example, if you put it like

action 2.0 cli command "enable"

action 1.0 cli command "config t"

EEM will sort it sequentially, and then the conf t will be executed before enable and you will get a problem.

good luck

if helpful Rate
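A small model of the two points made in Joe's accepted answer and in Marwan's ordering example, as an added illustration (not code from the thread or from IOS): it sorts action labels the way EEM does (as strings) and walks a syslog message through the regexp/if/else logic of the combined netflow-toggle applet. The syslog lines are constructed, and the `<IP>` collector placeholder is the same assumption the posted applets use.

```python
import re

# Constructed syslog lines (not from the thread); they mirror the message
# text the posted applets key on.
SYSLOG_DOWN = ("%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback59, "
               "changed state to down")
SYSLOG_UP = ("%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback59, "
             "changed state to up")

# Placeholder collector address, as in the posted applets (assumption).
COLLECTOR = "<IP>"


def eem_action_order(actions):
    """Return the action lines in the order EEM runs them.

    EEM treats action labels as strings and sorts them in dictionary
    order, so "10.0" runs after "1.0" but before "9.0"; zero-padded labels
    such as 001..013 avoid that surprise.
    """
    return [line for _, line in sorted(actions, key=lambda a: a[0])]


def netflow_toggle(syslog_msg):
    """Model of the combined 'netflow-toggle' applet.

    Extracts the (down|up) submatch the way 'action 001 regexp' does, then
    chooses the command and syslog text the if/else branches would set.
    Returns None when the event pattern does not match (applet never fires).
    """
    m = re.search(r"changed state to (down|up)", syslog_msg)
    if m is None:
        return None
    state = m.group(1)
    if state == "down":
        newmsg = "Flow Disabled"
        command = f"no ip flow-export destination {COLLECTOR} 2055"
    else:
        newmsg = "Flow Enabled"
        command = f"ip flow-export destination {COLLECTOR} 2055"
    # CLI actions 009-012 run in label order: enable, config t, command, end.
    cli = ["enable", "config t", command, "end"]
    return {"state": state, "cli": cli, "syslog": newmsg}


if __name__ == "__main__":
    # Marwan's example: label 1.0 ("config t") runs before 2.0 ("enable").
    print(eem_action_order([("2.0", "enable"), ("1.0", "config t")]))
    print(netflow_toggle(SYSLOG_DOWN))
```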


Joe, you are the expert on EEM and TCL

and this one was a very nice example

Happy new year to you guys
