Thursday, May 14, 2009

More EEM scripts...

Here are some more EEM scripts that I had saved up from a while ago, might be useful to someone else...

### This applet will configure a new 2nd Generation VWIC card (upgrading from a 1st gen VWIC) after the box is powered back on (after the tech has inserted the new card). IOS version 12.4(10.8)T or greater is needed for the 'pattern' command, in line 1.5, to work. ###

event manager applet eem-2ndGen-VWIC-Install
event syslog pattern "*SYS-5-RESTART*"
action 1.0 cli command "enable"
action 1.1 cli command "config t"
action 1.2 cli command "card type t1 0 0"
action 1.3 cli command "card type t1 0 1"
action 1.4 cli command "exit"
action 1.5 cli command "copy start run" pattern "confirm"
action 1.6 cli command "running-config"
action 1.7 cli command "wr"


### This applet monitors the IpOutNoRoute OID, which is polled every 10 seconds. If the # of no routes is greater than 20/sec (average over two 10sec polls), it will generate a syslog message. The polled oid value is converted into an averaged rate over the last 20 seconds (average facter 2 * poll-interval 10 seconds). ###

event manager applet eem-IpOutNoRoute
event snmp oid 1.3.6.1.2.1.4.12 get-type next entry-op gt entry-val 20 entry-type rate average-factor 2 poll-interval 10
action 1.0 syslog priority critical msg "High IpOutNoRoutes current value is greater than 20/sec"


.Aug 8 14:33:09.062: %HA_EM-2-LOG: eem-IpOutNoRoute: High IpOutNoRoutes current value is greater than 20/sec


### This applet monitors the 5min CPU Average OID , which is polled every 30 seconds. If the CPU % value is greater than 25% it will generate a syslog message. ###

event manager applet eem-HighCPU
event snmp oid 1.3.6.1.4.1.9.2.1.58 get-type next entry-op gt entry-val 25 poll-interval 30
action 1.0 syslog priority critical msg "High CPU, current 5 min average is $_snmp_oid_val percent"


.Aug 8 14:35:59.180: %HA_EM-2-LOG: eem-HighCPU: High CPU, current 5 min average is 28 percent


### This applet monitors the ciscoMemoryPoolFree OID, which is polled every 30 seconds. If the free memory value is less than 512000 bytes it will generate a syslog message. ###

event manager applet eem-LowMemory
event snmp oid 1.3.6.1.4.1.9.9.48.1.1.1.6.1 get-type exact entry-op lt entry-val 512000 poll-interval 30
action 1.0 syslog priority critical msg "Low Free Memory, current available memory is $_snmp_oid_val bytes"

.Aug 8 14:28:57.889: %HA_EM-2-LOG: eem-LowMemory: Low Free Memory, current available memory is 499772 bytes


### This applet monitors a vlan interface to detect excessive input broadcasts. If the interface receives an average of 3000 broadcast packets per minute over a five minute period, a message will be sent to syslog. The number of broadcast packets received will be checked every 60 seconds, if the average of the 5 most recent values exceeds 3000, the event is triggered. ###

event manager applet BCAST-CHECK
event interface name "Vlan100" parameter receive_broadcasts entry-val 3000 entry-op gt entry-type rate poll-interval 60 average-factor 5
action 1.0 syslog msg "BROADCAST STORM DETECTED"

### This applet monitors for errors on an interface. If the rate of change averages to two or more over three 60 second polling cycles, then the interface is reset by doing a shut/no shut. The policy will re-arm after the rate has dropped below 1. ###

event manager applet int-rate-test
event interface name FastEthernet0/24 parameter input_errors entry-op ge entry-val 2 entry-type rate exit-op lt exit-val 1 exit-type rate average-factor 3 poll-interval 60
action 1.0 syslog msg "Interface input error rate for $_interface_name is $_interface_value; resetting..."
action 2.0 cli command "enable"
action 3.0 cli command "interface $_interface_name"
action 4.0 cli command "shut"
action 5.0 cli command "no shut"
action 6.0 cli command "end


-Mark

Wednesday, May 13, 2009

EEM Scripting

This is just sort of a quicky post on EEM...

I deal a lot of multicast at work, and if you've ever tried managing a multicast network you'd understand the pain and complexity it takes to manage it. Not too long ago I came up with an EEM script to monitor a multicast stream, and to send a syslog notification if it ever drops below a certain threshold:

event manager applet eem-LoBW-MulticastSender
event snmp oid 1.3.6.1.2.1.83.1.1.2.1.10.X.X.X.X.Y.Y.Y.Y.Z.Z.Z.Z get-type next entry-op lt entry-val 128000 entry-type increment poll-interval 10
action 1.0 syslog priority critical msg "Low bandwidth detected for the multicast group X.X.X.X source Y.Y.Y.Y (<100kbit/s)."


This script monitors the multicast group X.X.X.X source Y.Y.Y.Y (with source subnet of Z.Z.Z.Z), and if the stream ever falls below 128000 bit/s (~100kbit/s), it will send a critical syslog message (you can easily substitute other actions to take instead of syslog messages here too; i.e. send an email, trap, TCL script, run CLI commands, etc).

Can be very useful for proactive multicast monitoring if you understand the multicast application running through your network well enough to be able to set thresholds like above.

More to come with EEM....

-Mark

Passed the BCMSN!!

I just took the BCMSN test a couple hours ago, and passed it with ease! Pheeeww, just the ISCW left for my CCNP... here I come!!

The two things that apparently tripped me up according to my score was configuring dot1x port authentication (ok, I can understand this since it isn't apart of my everyday life), and inter-vlan routing, which I completely don't understand as there must have been something I glossed over. Oh well 90% is still pretty good in my book, on to studying for the ISCW.

Still waitin on getting a new computer (and possibly some rack equipment, we'll see though), but hopefully I can get some time to write some good articles up.

-Mark