
EEM

Event driven (don't panic, I will explain this term in detail) actions to be taken by the router automatically. One such issue was with the fiber link that we had acquired at our hub site. Due to some misconfiguration at the ISP end, we started receiving a broadcast storm on that interface and our router was close to crashing, but we somehow managed to log on to the router, figured out it was the broadcast and shut down the interface. Could this be done in some automatic way? YES, BUY THIS BLAH BLAH NMS AND IT WILL DO THE WORK FOR YOU :-) No, I don't want to buy any NMS; is it still possible? My answer is YES and EASILY ;-).

OK, what do I want my router to do if a special event occurs? But first, what is an event?

See, ignoring the actual technical details, an event is simply an activity that occurs on the router. For example:

1) Router restarts !!
2) Neighbor adjacency of EIGRP/OSPF/BGP goes up/down.
3) Any interface goes down/up
4) If the CRCs on a given interface reach a user defined threshold
5) If the received broadcasts on an interface reach a user defined threshold
6) And many more !!!

OK, now what shall a router do if any of the above events occur? Right now it does nothing (at least in my case ;-) ); it's a sitting duck. The router doesn't know that excessive broadcast on an interface is risky until I tell it to take some action on it, right? What action might that be? The best is to shut the interface immediately and monitor it, and as soon as the broadcast storm has stopped, re-enable the interface AUTOMATICALLY while I have a cup of tea with my colleague ;-)

OK, this is where EEM (aka Embedded Event Manager) comes in. Now let's get a bit technical.

Normally a router doesn't take any action on its own when an event occurs. The more complex the actions you would like to take, the more advanced an NMS you might require. Taking a backup periodically, shutting an interface, clearing NAT translations or executing some other command on a router when a specific event occurs is not an easy job even through an NMS. The most difficult part is the configuration required to force the router to throw an alert, which is normally based on SNMP variables or MIB OIDs, and then you have to configure the NMS to catch it and perform the blah blah action. Unless you have extensive training on your NMS, I think it's a very difficult job. I realized it when I was evaluating Orion, and maybe it was my fault or weakness, but I wasn't able to get the router sending alerts and Orion catching them and performing an action. The support on this was very limited so I didn't spend much time.

Keeping all the core technical stuff aside, EEM works in mostly two ways:

1) When an EVENT occurs, perform x action.
2) Time based events. Carry out x action at a particular time, whether periodic or once.

Now, how do we define events and the actions to take place?

Objective No.1) Take Router's startup-config backup on 15th of every month.

This is a time-based task, so let's dive into the configuration.

1) R1(config)#event manager applet My_router_backup


This command simply creates the EEM applet My_router_backup and puts you in applet configuration mode. The applet becomes active as soon as you exit the applet configuration mode. If you didn't define any event, the applet will be deleted; if you didn't define any action and exit, it will give you a warning. This applet is of no use until you define an event to occur !!

2) R1(config-applet)#event ?
  application        Application specific event
  cli                CLI event
  config             Configuration policy event
  counter            Counter event
  env                Environmental event
  gold               GOLD event
  interface          Interface event
  ioswdsysmon        IOS WDSysMon event
  none               Manually run policy event
  oir                OIR event
  resource           Resource event
  rpc                Remote Procedure Call event
  snmp               SNMP event
  snmp-notification  SNMP Notification Event
  syslog             Syslog event
  tag                event tag identifier
  timer              Timer event
  track              Tracking object event

As you can see, you can define different types of events here. Interface events, for example, help you monitor a particular interface value (e.g. broadcasts received, input rate in bps/pps, output rate in bps/pps etc). Syslog is the most common and easy one: it helps you monitor for a particular syslog msg, and as soon as that syslog message appears on the router you can define an action based on it (don't worry, I will provide an example of this). I hope by now you have some idea as to what an event does.

We will select timer since our action is not based on any particular event but rather periodic.

2) R1(config-applet)#event timer ?
  absolute   Absolute timer event
  countdown  Countdown timer event
  cron       Cron timer event
  watchdog   Watchdog timer event

This is easy. It doesn't seem so, but it's easy, trust me on that ;-).

Absolute means exactly when that moment arrives!! You know that 3:06:23 on 11 March 2009 will only come once in your life, right? That is what absolute is ;-). It will occur once and only once, at the time that you have defined. But since our task has to be done on a repeated basis, the timer that we will use is the cron timer. Cron entries require some in-depth explanation, so let's go for it.

Cron entry is composed of 5 fields and written in this form "x x x x x"

1) Min 0-59
2) Hour 0-23
3) Date 1-31
4) Month 1-12
5) Day of week 0-7

Now say I want to take the backup on the 15th of every month at 18:00. Let's go through the fields one by one.

1) Min is 00 -> 0
2) Hour is 18 (so enter it as it is)
3) Date is 15
4) Month is * (when we can't specify any value, we simply write *, which means no matter which month it is)
5) Day of week is * (we put * here since we have already defined the day through date 15, so whichever day it is)

A little bit about "*": it means "from first to last". I will show an example a bit later in this post. Keep reading...

Therefore the cron-entry will be "0 18 15 * *", which means that on the 15th of every month at 18:00 this action will take place.

2) R1(config-applet)#event timer cron cron-entry "0 18 15 * *"

OK, now the event is defined. It's time to define the action that is to occur when this time check is met. This is the most interesting part of it.

3) R1(config-applet)#action <label/line no.>

A bit about the labels. Nothing complex: you can use any letters and numbers here. Keep it simple; just because letters are allowed doesn't make it obligatory to use them :-). So forget that you can use letters and stick to numbers for indexing. Labels serve as line numbers, so you can use them like this: action 1, action 2, action 3 and so on ;-). One thing to watch: labels are sorted alphanumerically, so action 10 runs before action 2. Once you need ten or more actions, use labels such as 1.0, 2.0 or 010, 020.

3) R1(config-applet)#action 1 cli command "enable"

This is where the fun starts ;-). If you issue ? after action 1 you will see a number of different parameters, but to save space I have chosen cli, which has only 2 parameters: command and pattern. With command you can enter any command you would like the router to execute automatically as a result of the above event!! Remember, ANY COMMAND YOU WANT ;-). I am writing the entire set and after that I will explain it as a whole.

4) R1(config-applet)#action 2 cli command "copy startup tftp:" pattern "remote host"
5) R1(config-applet)#action 3 cli command "10.0.0.1" pattern "filename"
6) R1(config-applet)#action 4 cli command ""

OK, now don't panic, it's all very easy. First let me copy-paste the process when I do it manually on the router:

R1#copy startup-config tftp:


Address or name of remote host []? 10.0.0.1
Destination filename [r1-confg]?
!!

Now look at it carefully. What's interesting about the copy start tftp command? It REQUIRES input from the user, and this is where pattern comes in. Through the pattern keyword you tell the <action> that after executing the command it shall see SOMETHING like what is defined in the pattern. If you look at what comes after I type copy startup tftp, it displays this, asking for input:

Address or name of remote host []?

In the pattern I could have given this whole statement but it's unnecessary: since pattern takes a regexp, you can take any word or two and mention it in the pattern, and it will be enough. Patterns are only necessary when the command requires input; if it doesn't, then don't use patterns.
In 6) I have just given "", which means an "enter", because I want to use the default name instead of defining my own. If I wanted to define my own, the statement would be something like this:

6) R1(config-applet)#action 4 cli command "R1-first-config"

Keep in mind that it's a linear sequence of operations, just like an access-list, from top to bottom. All the actions will be executed till the applet exits. We can also use if/else conditions and loops, but that is too advanced to talk about here.

The applet is fine as it stands. You don't need anything else. But there is one more thing I would like to show here.

NOTE: There is no doubt one issue with the above configuration. The pattern keyword is not available in earlier IOS, even in 12.4. I don't know in which exact release it first appeared, but it's safe to download 12.4(20). It's there for sure :-)

HOW TO GENERATE YOUR OWN SYSLOG MSGS.

Why do I need to generate my own syslog msgs? Well, the answer varies based on diverse requirements. Here, if I have a syslog server, it will be easy for me to see the next day in the logs that the backups of 20 routers were copied successfully. It's still possible that due to some issue the backup was not copied correctly, so it's always good to verify the backup and not rely on syslog msgs only :-)

7) R1(config-applet)#action 5 syslog msg "BACKUP IS COPIED, HURRAYYYY"
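
One way to do the next-day check described above on the syslog server, as an added Python example that is not part of the original post. The log line layout, the %HA_EM-6-LOG prefix format, the router names and the backup_report helper are assumptions; the sample lines are constructed.

```python
import re

# Assumed layout: "<Mon> <day> <time> <host> ...: %HA_EM-6-LOG: <applet>: <text>"
LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+\S+\s+(?P<host>\S+)\s.*"
    r"%HA_EM-\d-LOG: (?P<applet>\S+): (?P<msg>.*)$")


def backup_report(lines, routers, applet="My_router_backup",
                  marker="BACKUP IS COPIED", month="Mar", day=15):
    """Return (confirmed, missing) router name lists for the given backup date."""
    seen = set()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a message written by an EEM syslog action
        if (m["mon"], int(m["day"])) != (month, day):
            continue  # message from another day
        if m["applet"] == applet and marker in m["msg"]:
            seen.add(m["host"])
    confirmed = sorted(r for r in routers if r in seen)
    missing = sorted(r for r in routers if r not in seen)
    return confirmed, missing


# Constructed sample input, not captured from real devices.
SAMPLE = """\
Mar 15 18:00:07 R1 41: %HA_EM-6-LOG: My_router_backup: BACKUP IS COPIED, HURRAYYYY
Mar 15 18:00:09 R2 77: %HA_EM-6-LOG: My_router_backup: BACKUP IS COPIED, HURRAYYYY
Mar 15 18:00:03 R3 12: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
Mar 14 18:00:05 R4 90: %HA_EM-6-LOG: My_router_backup: BACKUP IS COPIED, HURRAYYYY
""".splitlines()

if __name__ == "__main__":
    ok, missing = backup_report(SAMPLE, ["R1", "R2", "R3", "R4"])
    print("confirmed:", ok)
    print("no message on the 15th:", missing)
```

A router listed as missing never reached action 5 on that date. A router listed as confirmed still needs its file checked on the TFTP server, since the message only shows that the actions ran.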

Now all this seems to be coming from some other world, but trust me, the more in-depth you go the more you will like it. Once you get a grip on it, you will love making your own policies. All you need to do is:

1) Refer to the Cisco site for the EEM configuration guide titled "Writing Embedded Event manager policies in Cisco IOS"
2) Read it and practice a lot to make the most out of it.

I have tried a few applets and they were working fine after a bit of trial and error. It virtually eliminates the need for any expensive NMS. If, for example, you are just starting as an enterprise with a low budget, you can still get virtually anything that a normal/high-end NMS can provide. But of course you still need one to monitor your bandwidth utilization through NetFlow, router resource graphs, inventory management etc. For the time being, though, you can use EEM to cover a lot of necessary operations.

I have written this tutorial keeping beginners in mind since this topic is quite difficult to start with. So I have taken a very novice approach in explaining so that everyone can understand it.

There is some real core technical stuff about the event manager server, policy director and all, but even if we omit those details it will not harm you. Once you have developed a sense of it, everything will be easy :-).

You don't have to read it till the end in the first session. Till here is enough. Explore a little bit at your end and come back, since I will be playing a lot more with this stuff and surely logging it here ;-) Not to provide you with applets or scripts, but to show how to write them yourself !!!!

PART II

OK, let's look at the easiest problem faced by our fellow member. If you are reading this, then try it yourself first and see what solution you come up with. The original solution proposed was time-based ACLs, which surely achieve the same result, but through EEM we can do EXACTLY what the member asked.
The first step is to define the event, which is again a time-based periodic event that needs to take place every evening at 18:00, and the interface should be re-enabled at, let's say, 8:00 am in the morning (or any time you like).
1) First define the applet

R1(config)#event manager applet Interface_down


R1(config-applet)#event timer cron cron-entry "0 18 * * *"

A bit about the cron entry. 18:00 means

Min -> 0
Hour -> 18
Date -> Every date -> *
Month -> Every month -> *
Day -> Every day -> *

Put * when you don't have any specific value for that field, simple :-).

R1(config-applet)#action 1 cli command "enable"


R1(config-applet)#action 2 cli command "config t"
R1(config-applet)#action 3 cli command "interface Fa 0/0"
R1(config-applet)#action 4 cli command "shut"
R1(config-applet)#action 5 syslog msg "Interface Fa0/0 is now down administratively" <- This is optional !

Now to bring up the interface at 8:00 am

R1(config)#event manager applet Interface_up
R1(config-applet)#event timer cron cron-entry "0 8 * * *"
R1(config-applet)#action 1 cli command "enable"
R1(config-applet)#action 2 cli command "config t"
R1(config-applet)#action 3 cli command "interface Fa 0/0"
R1(config-applet)#action 4 cli command "no shut"
R1(config-applet)#action 5 syslog msg "Interface Fa0/0 is now UP" <- again optional !

OK, let's talk about cron-entry and maxrun.

It's quite possible that the commands you have entered are not correct. For example:
action 1.6 cli command "clear counters"

Clear counters requires user input, right? We haven't given it in a pattern!! So the applet will hang, and you will never know it's in the hung state IF you haven't defined some syslog msg to be displayed! (Why? I said that an applet follows the linear approach, executing each and every action statement till the end, so if it hangs somewhere along the way it will not be able to reach the ending syslog msg. So always keep your alarming syslog msgs at the end.) maxrun is the timer that will time out the event if it's in the hung position, so no worries :-)

In cron entries you can use ranges. Saying every Monday at 8:00 pm is easy; we saw that above. How about every Monday, Tuesday and Wednesday? That is a range, so we use a hyphen "-" to depict it. But remember we have two types of days here: day of week and day of month. We are talking about days of the week, i.e. every Monday/Tuesday/Wednesday, so I will write 1-3 in the last field of the cron-entry.

cron-entry "* * * * 1-3"

Then we have lists, meaning discontiguous values, like every Monday and Thursday. The cron entry will contain 1,4 in the last field. This is the same for all other fields as well.

cron-entry "* * * * 1,4"

These two entries only illustrate the last field. With * left in the minute and hour fields they match every minute of those days, so in a real applet put fixed values there, as in "0 18 15 * *".

Then we have "/". This is usually used with ranges or *. It comes in handy when you are collecting some router characteristics, e.g. you have deployed a new service and want to monitor CPU utilization every 3 hours on Monday 16th March. The cron entry will be like this (the minute field is 0 so that the applet fires once in each matching hour rather than every minute of it):

cron-entry "0 */3 16 3 *"

"/x" is best described as "after every x value", simple. So if you want every 2 minutes, you may write 0-59/2 or */2; they are both the same since they cover the same range.
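
The field rules above (*, ranges, lists and "/" steps), as a small Python checker that counts how many times a cron-entry fires on a given day, which makes the effect of the minute field visible before an applet is deployed. This is an added example, not part of the original post; the function names are illustrative, and it assumes EEM evaluates the five fields like UNIX cron. It does not model entries that restrict both date and day of week, which no entry in this post does.

```python
from datetime import datetime, timedelta

# Field order and ranges as listed in this post.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("date", 1, 31),
          ("month", 1, 12), ("dow", 0, 7)]

def expand_field(text, lo, hi):
    """Expand '*', 'a', 'a-b', 'a,b', '*/n' or 'a-b/n' into a set of ints."""
    values = set()
    for part in text.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if step < 1:
            raise ValueError(f"bad step in {part!r}")
        if rng == "*":
            start, end = lo, hi
        else:
            first, _, last = rng.partition("-")
            start, end = int(first), int(last or first)
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_entry(entry):
    parts = entry.split()
    if len(parts) != len(FIELDS):
        raise ValueError("a cron-entry has exactly 5 fields")
    return {name: expand_field(p, lo, hi)
            for p, (name, lo, hi) in zip(parts, FIELDS)}

def matches(spec, when):
    # Python: Monday=0 ... Sunday=6; cron: Sunday=0 (or 7), Monday=1.
    dow = (when.weekday() + 1) % 7
    dow_ok = dow in spec["dow"] or (dow == 0 and 7 in spec["dow"])
    # Simplification: date and day of week must both match.
    return (when.minute in spec["minute"] and when.hour in spec["hour"] and
            when.day in spec["date"] and when.month in spec["month"] and dow_ok)

def firings(entry, day):
    """Number of minutes on calendar day `day` at which the entry fires."""
    spec = parse_entry(entry)
    start = datetime(day.year, day.month, day.day)
    return sum(matches(spec, start + timedelta(minutes=m))
               for m in range(24 * 60))

if __name__ == "__main__":
    for e in ("0 18 15 * *", "* */3 16 3 *", "0 */3 16 3 *"):
        print(e, [firings(e, datetime(2009, 3, d)) for d in (15, 16)])
```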

Keep checking, since I will be posting more :-)
