12-29-2009 02:10 PM - edited 03-04-2019 07:05 AM
Hi All,
I've been having an issue with my Cellular backup connection at my branches. The way it is set up, if the T1 goes down, the Cellular interface comes online and establishes a VPN connection. That part works fine, but after 2-3 minutes, the Cellular interface goes down. I did my homework and worked with Verizon and we determined it is my Netflow packets that are causing IP Source validation errors. Verizon has their service configured such that if any packets leave my router not sourced from the IP assigned to me OR destined for a private IP range, they axe the PPP session. I disabled netflow export and brought up the backup connection and it ran like a champ, no drops. Using IOS 12.4(24)T1. I went around and around with various TAC departments and finally found my issue:
CSCef28662
Turns out I can't encrypt the netflow packets to go across the VPN. I was thinking about using EEM to disable flow export when the T1 drops and then re-enable it when the T1 comes back online. I've tested this on one of my test routers:
event manager applet disableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to down"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "no ip flow-export destination <IP> 2055"
action 1.3 syslog msg "Flow Disabled"
event manager applet enableflow
event syslog pattern "Line protocol on Interface Loopback59, changed state to up"
action 1.0 cli command "enable"
action 1.5 cli command "config t"
action 2.0 cli command "ip flow-export destination <IP> 2055"
action 2.5 syslog msg "Flow Enabled"
!
end
I've done shut / no shut on Loopback59 and the applets function as expected (YAY!). I will update the Loopback59 part to resemble my actual T1 interface later when I put this into production.
Question 1:
Is there a way I can combine the functionality I'm looking for into a single script? Or should I leave it as two separate ones?
Question 2:
I noticed that the actions can be numbered as decimals. Does that mean they rely on the previous ones?
I.e. Command 1.1 relies on Command 1.0 being successful.
12-30-2009 07:08 PM
1. You could combine this into one policy given that you are running IOS 12.4(24)T1. However, your current policies might be easier for you to maintain moving forward. To combine the two, you would need to use regexp:
event manager applet netflow-toggle
event syslog pattern "Line protocol on Interface Loopback59, changed state to"
action 001 regexp "changed state to (down|up)" $_syslog_msg ignore state
action 002 if $state eq "down"
action 003 set newmsg "Flow Disabled"
action 004 set command "no ip flow-export destination <IP> 2055"
action 005 else
action 006 set newmsg "Flow Enabled"
action 007 set command "ip flow-export destination <IP> 2055"
action 008 end
action 009 cli command "enable"
action 010 cli command "config t"
action 011 cli command "$command"
action 012 cli command "end"
action 013 syslog msg "$newmsg"
2. Action labels are actually strings, and are executed in lexicographical or dictionary order. Therefore "action 10.0" will be executed after "action 1.0" and not after "action 9.0".
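The ordering rule in point 2 is easy to get wrong when a policy grows past nine actions. The following is an added example, not code from this thread or from Cisco: a small Python checker that parses an applet's action lines, shows the dictionary order EEM will actually use next to the numeric order the author probably intended, and renumbers the labels as zero-padded integers (the 001, 002, ... style used in the combined applet above) so the two orders agree. The sample applet is constructed for the example and keeps the `<IP>` placeholder from the original post.

```python
"""Check IOS EEM applet action labels for string-vs-numeric ordering surprises.

EEM runs 'action <label> ...' lines in lexicographical (dictionary) order of
the label string, not in numeric order, so "10.0" runs after "1.0" but before
"9.0". This is an added example, not code from the thread or from Cisco.
"""
import re

# Captures the leading 'action ' keyword, the label, and the rest of the line.
ACTION_RE = re.compile(r'^(\s*action\s+)(\S+)(\s+.*)$')

# Constructed sample applet (not the original poster's config): same shape as
# the enableflow applet, but the labels cross the 9 -> 10 boundary.
SAMPLE_APPLET = """event manager applet enableflow
 event syslog pattern "Line protocol on Interface Loopback59, changed state to up"
 action 1.0 cli command "enable"
 action 9.0 cli command "config t"
 action 10.0 cli command "ip flow-export destination <IP> 2055"
 action 11.0 syslog msg "Flow Enabled"
"""


def parse_actions(applet_text):
    """Return the action labels in the order they appear in the text."""
    labels = []
    for line in applet_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            labels.append(m.group(2))
    return labels


def eem_order(labels):
    """Order EEM runs the actions in: a plain dictionary sort of the label strings."""
    return sorted(labels)


def numeric_order(labels):
    """Order the author probably meant: by numeric value, non-numeric labels last."""
    def key(label):
        try:
            return (0, float(label), label)
        except ValueError:
            return (1, 0.0, label)
    return sorted(labels, key=key)


def ordering_surprises(applet_text):
    """Labels whose EEM run position differs from their intended numeric position."""
    labels = parse_actions(applet_text)
    return [actual for actual, intended in zip(eem_order(labels), numeric_order(labels))
            if actual != intended]


def renumber(applet_text, width=3):
    """Rewrite labels as zero-padded integers in the intended numeric order.

    After this, dictionary order and numeric order are identical, so adding
    actions later cannot silently reorder the policy.
    """
    labels = parse_actions(applet_text)
    new_label = {old: str(i).zfill(width)
                 for i, old in enumerate(numeric_order(labels), start=1)}
    out = []
    for line in applet_text.splitlines():
        m = ACTION_RE.match(line)
        out.append(m.group(1) + new_label[m.group(2)] + m.group(3) if m else line)
    return "\n".join(out)


if __name__ == "__main__":
    labels = parse_actions(SAMPLE_APPLET)
    print("EEM run order:  ", eem_order(labels))
    print("Intended order: ", numeric_order(labels))
    print("Misplaced:      ", ordering_surprises(SAMPLE_APPLET))
    print(renumber(SAMPLE_APPLET))
```

Running it on the sample reports `10.0`, `11.0` and `9.0` as misplaced (EEM would send `ip flow-export ...` before `config t`), and the renumbered copy uses `001` through `004`, which sort the same way as strings and as numbers. The checker only looks at labels; it does not validate the EEM action syntax itself.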
12-29-2009 02:37 PM
To get a quick answer to this you should move this post to Network Management, where Joe Clarke, the Cisco expert on all things EEM, hangs out. You can move the post using the Actions link in the box on the right-hand side.
Jon
12-29-2009 04:15 PM
1. I would suggest you leave it separate because each one works on a different event.
2. The sequence number is important in terms of the order in which the actions are applied.
For example, if you put it like
action 2.0 cli command "enable"
action 1.0 cli command "config t"
EEM will sort them sequentially, so conf t will be executed before enable and you will get a problem.
good luck
if helpful Rate
12-30-2009 07:28 PM
Joe, you are the expert on EEM and TCL, and this one was a very nice example.
Happy new year to you guys.