Embedded Event Manager: Not just for breakfast …

Posted December 17 by INE Instructor in CCIE 4.0, CCIE General, CCIE R&S, CCIE Security, CCIE SP, Cisco Certification | 11 Comments
Using an IPS sensor, we can dynamically apply rate limiting/policing on a router interface, based on a
signature match or an event action override generated on the sensor appliance. OK, I know there is no
sensor appliance in the R&S lab, but what if we need to trigger a rate limit of specific traffic destined to a
router, based on current conditions on that router, such as the transmit or receive load on an interface?

This is a job for, da dada dahhh: Embedded Event Manager (EEM). In this example we will create a service policy
which we will apply to the control plane when an interface load threshold is exceeded. Full labs on Embedded
Event Manager can be found in our RS v5 Vol1 workbook in “System Management”. Let’s break down the
individual steps, first for the control plane policing policy, and then the EEM applet that applies it.

We will first create a policy map, which calls on a class map, which in turn calls on an ACL. In the class map we
identify ICMP by referencing an access list, so first we create the access list and name it ICMP.

ip access-list extended ICMP
 permit icmp any any

Now that the access list is created, we will create the class map called ICMP, which references the access
list of the same name.

class-map match-all ICMP
 match access-group name ICMP
 exit

Next we will create the policy map, and for convenience we will name it ICMP (as well). This policy map will
reference the class map and specify policing at 8000 bits per second with a burst size of 1000 bytes.

policy-map ICMP
 class ICMP
  police 8000 1000

OK, so now for the EEM part of the configuration. First, we will create our event manager applet. In this applet we
will be referencing Serial0/0, and we will be looking for the received load to be greater than 25. The 25 refers to
25 out of a possible 255 as reported by the interface. Once that ~10% is exceeded, the CLI commands
implemented in our applet will be executed. The CLI commands simply apply the service policy to the logical
control plane host interface on the router. By doing this, any ICMP traffic destined TO the router will be policed,
regardless of which interface the traffic is received on. The EEM policy will also generate a syslog message.
There are additional options we could include, such as sending SNMP traps, e-mail messages and so forth.

event manager applet LOAD
 event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "service-policy input ICMP"
 action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"
 exit
At the interface level we will specify a bandwidth statement of 64, which will allow us to trigger the 25/255 much
quicker. We will also set the load interval to a lower value than the default of five minutes so that the average will
increase faster.

interface ser 0/0
 bandwidth 64
 load-interval 30
 end

The following debug will give us the Howard Cosell play-by-play of exactly what’s happening.

R2#debug event manager action cli
Debug EEM action cli debugging is on

To view the details of the interfaces that are registered with an event manager policy, we would use the following
show command.

R2#show event manager policy registered event-type interface
No.  Class   Type    Event Type          Trap  Time Registered            Name
1    applet  user    interface           Off   Thu Feb 28 18:51:41 2002   LOAD
 name {Serial0/0} parameter {rxload} entry_op gt entry_val 25 entry_val_is_increment FALSE
 poll_interval 60.000
 maxrun 20.000
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "service-policy input ICMP"
 action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"

To verify what the current load is on the interface, we can use the command below.

R2#show int ser 0/0 | inc rxload
     reliability 255/255, txload 1/255, rxload 1/255

Once the control plane policy has been applied, the actual details of how many packets have been permitted and
denied by that policy will be shown by the command below.

R2#show policy-map control-plane host
R2#

From the commands above, you’ll notice that the current load is one, and there is no policy currently applied to
the control plane. Let’s go to the neighboring router and generate some traffic to trigger event manager and
the applet we just created.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 1000 timeout 0

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 150.1.2.2, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
.......................................................!.!............
......................................................................
.............................................!........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (3/1000), round-trip min/avg/max = 4/6/8 ms
Neighbor-R3#

Cool, we got 3 back, even with a timeout of 0 seconds. Now let’s go back to R2 and look at some results.

R2#show int ser 0/0 | inc rxload
     reliability 255/255, txload 58/255, rxload 58/255
R2#
! Note: It may take a few moments for the policy to be applied, as polling occurs every 60 seconds.
! Patience is a virtue, and I want mine NOW!

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#enable
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#configure terminal
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config)#control-plane host
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config-cp-host)#service-policy input ICMP
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD: Just Applied Control Plane Policy to Limit ICMP
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_close called.
R2#
%SYS-5-CONFIG_I: Configured from console by vty0
R2#

Back to the neighbor router, R3 to see how the policing of ICMP looks from the outside.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 20

Type escape sequence to abort.
Sending 20, 500-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!.!!.!!.!!.!!.!!.!.
Success rate is 65 percent (13/20), round-trip min/avg/max = 4/12/24 ms
Neighbor-R3#

Back to R2 to view the output of the service policy.

R2#show policy-map control-plane host
 Control Plane Host

  Service-policy input: ICMP

    Class-map: ICMP (match-all)
      20 packets, 10080 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: access-group name ICMP
      police:
          cir 8000 bps, bc 1000 bytes
        conformed 13 packets, 6552 bytes; actions:
          transmit
        exceeded 7 packets, 3528 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      3 packets, 268 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#

Based on these results, the service policy is now applied to the control-plane host sub-interface and is limiting ICMP.
This example of EEM is like a single ice cube compared to a Titanic-sized iceberg of possibilities. My intention is
to introduce the topic and encourage you to study it further.
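As an added check that is not part of the original post, the following Python parses the two pieces of verification output shown above (the rxload field from show interface and the policer counters from show policy-map control-plane) and evaluates the applet's entry-op gt / entry-val 25 condition the same way the interface event detector does; the sample strings are constructed from the output in this post.

```python
import re

# Sample strings constructed from the verification output shown in the post (R2).
RXLOAD_LINE = "reliability 255/255, txload 58/255, rxload 58/255"
POLICY_OUTPUT = """\
 Control Plane Host
  Service-policy input: ICMP
    Class-map: ICMP (match-all)
      20 packets, 10080 bytes
      police:
          cir 8000 bps, bc 1000 bytes
        conformed 13 packets, 6552 bytes; actions:
          transmit
        exceeded 7 packets, 3528 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps
    Class-map: class-default (match-any)
      3 packets, 268 bytes
      Match: any
"""
ENTRY_VAL = 25  # the applet's entry-val; IOS reports load as n/255

def parse_load(line, which="rxload"):
    """Return (raw n/255 value, percent) for txload or rxload from a 'show interface' line."""
    m = re.search(r"\b%s (\d+)/255" % which, line)
    if not m:
        raise ValueError("no %s field in line" % which)
    raw = int(m.group(1))
    return raw, round(raw * 100.0 / 255, 1)

def threshold_crossed(line, entry_val=ENTRY_VAL, which="rxload"):
    """Apply the applet's 'entry-op gt' test: fire only when load is strictly above entry_val."""
    return parse_load(line, which)[0] > entry_val

def parse_policer(text, class_name="ICMP"):
    """Conformed/exceeded packet counts for one class; None if the class has no police action."""
    block = re.search(r"Class-map: %s \([^)]*\)(.*?)(?=\n\s*Class-map:|\Z)"
                      % re.escape(class_name), text, re.S)
    if not block:
        raise ValueError("class %s not found" % class_name)
    body = block.group(1)
    conf = re.search(r"conformed (\d+) packets", body)
    exc = re.search(r"exceeded (\d+) packets", body)
    if not (conf and exc):
        return None
    conformed, exceeded = int(conf.group(1)), int(exc.group(1))
    total = conformed + exceeded
    return {"conformed": conformed, "exceeded": exceeded,
            "drop_pct": round(exceeded * 100.0 / total, 1) if total else 0.0}
```

With the post's numbers this reports rxload 58/255 as 22.7% (above the 9.8% that entry-val 25 represents) and 7 of 20 pings (35%) dropped by the policer, matching the 65 percent success rate R3 saw.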

I configured this demonstration using IOS Version 12.4(15)T10.

Enjoy your studies, and have fun exploring the world of EEM.


11 Responses to “Embedded Event Manager: Not just for breakfast …”

December 17, 2009 at 10:17 pm
Ronnie_Hitman

Excellent work from…

EEM has moved up in my Roadmap….

Thanks

Ronnie

December 17, 2009 at 11:13 pm
Amplebrain

Awesome post. EEM is a very handy tool for “automation” on cisco routers.

December 18, 2009 at 4:17 am
IK

awesome post!

two things to note:

0. it will not work with NBAR

class-map ICMP
 match prot icmp

*Dec 18 17:05:27.323: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : OUT : Unsupported protocol in ‘match protocol’

1. it doesn’t require enable password/secret, even if it is set:

r2(config)#enable sec cisco

*Dec 18 17:05:26.471: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : IN : r2>enable
*Dec 18 17:05:26.635: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : OUT : r2#

December 18, 2009 at 4:23 am
nice

Nice.

December 18, 2009 at 7:29 am
INE Instructor

IK- Great comments about the NBAR and enable secret. Thanks for passing that along.

December 18, 2009 at 10:01 am
IK

You’re welcome!

one thing that I forgot – the service-policy will remain forever until one manually deletes it. Is there any way to remove it automatically,
or should we consider writing another applet that will measure interface load?

December 18, 2009 at 2:36 pm
Christian Biasibetti

Very nice … Thanks !!!

May 3, 2012 at 5:56 pm
Anderson

Good idea Rick. Glad to hear from you. Honestly I haven’t even looked at the CCNA Security stuff yet but I’m definitely not
opposed to writing about it. I’ll have to take a look.

December 20, 2009 at 11:31 pm
Ruhann

Great article.
Can think of a couple ways to use eem.

March 18, 2010 at 1:14 pm
Nate

A little late to this party, but one thing I noticed while running through this. In the applet, you need to spell the interface exactly as it
appears when you do a show interface “…”. I had a policy monitoring fastethernet0/0 and it wouldn’t run, it needed to be
FastEthernet0/0, capitalization counts!

March 22, 2010 at 12:05 pm
IKE Phase 1 Riddle, and Bob needs your help! - CCIE Blog

[...] had also improved his skills in MPLS, Multi-Protocol BGP, IOS IPS, EEM, and many other areas by using the sweet blog articles
at INE. (Shameless Plug [...]
