EEM Scripting & CLI Automation
In a nutshell, Cisco's EEM (Embedded Event Manager) provides a way to automate device configuration based on real-time events.
Although I had learned about EEM a while back and knew of some of its capabilities, I never really tried to use it... until recently, when I was challenged to automate traffic failover between 2 available paths without changing any of the IP addressing, routing, etc. The solution:
1) had to be a simple but solid way of forcing all traffic to flow in and out of a particular interface at a branch site,
2) had to fail over to the secondary interface in the event of a failure in the primary path,
3) could not depend on the failure of a directly connected interface (i.e. the device's local port going down),
4) could not modify the existing IP addressing, routing metrics, routing protocols, etc.,
5) had to ensure traffic flowed in AND out of the same interface (i.e. no asymmetric routing between the 2 links),
6) had to fail BACK once the preferred path was restored,
7) had to be fully automatic, 24x7x365, without the need for user intervention.
The Solution:
1) IP SLA to monitor an upstream interface on the primary provider's network via ICMP ping replies,
and
2) An EEM script to control the Admin UP/DOWN state of the secondary port, based on the loss or return of the ICMP replies on the "primary" path.
*Note that this script was intended to be quick and simple, and easily modified by the client that requested the solution. It was also intended to be more or less an "introduction" to using EEM. As you begin to work with IP SLA and EEM, and the combination of both, you will see that there are MANY variables and combinations you can build into the scripts.
Here are the details:
- Branch_Router has 2 connections to 2 separate ISPs.
- The preferred path is via ISP-1, the secondary path is via ISP-2.
- Both ISPs have CE routers that we do not have any control over or visibility into.
- IP SLA will monitor reachability to the first hop inside ISP-1's network.
- The connection to ISP-2's CE router will be administratively shut down.
- When Branch_Router detects ICMP drops into ISP-1's network, we want to automatically turn UP the link to ISP-2.
- When ISP-1's network comes back, we want to automatically turn DOWN that interface again.
On Branch_Router, configure IP SLA:

! Probe the first hop inside ISP-1's network every 2 seconds
ip sla logging traps
ip sla 10
 icmp-echo 192.168.255.11
 timeout 1000
 threshold 2
 frequency 2
ip sla schedule 10 life forever start-time now
ip sla enable reaction-alerts
ip sla enable timestamp
! Track object 1 follows IP SLA 10; its state changes are what EEM matches in syslog
track 1 ip sla 10

Now configure the EEM script:

conf t
event manager session cli username "EEM_SCRIPT"
!
! Failover: primary path lost, bring the backup port up
event manager applet ISP-1_IS_DOWN
 event syslog pattern "1 ip sla 10 state Up->Down"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface gig 0/2"
 action 4.0 cli command "no shut"
 action 5.0 syslog msg "EEM has Turned UP the BACKUP port"
!
! Failback: primary path restored, shut the backup port again.
! This applet needs its own name; re-using ISP-1_IS_DOWN would overwrite the applet above.
event manager applet ISP-1_IS_UP
 event syslog pattern "1 ip sla 10 state Down->Up"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface gig 0/2"
 action 4.0 cli command "shut"
 action 5.0 syslog msg "EEM has Turned DOWN the BACKUP port"
end
And that's it... when the ICMP pings fail, they'll generate the syslog message that EEM is looking for, and then EEM will make the associated configuration changes!
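
To check the failover/failback logic before pushing it to a router, the applets can be replayed offline. The following Python sketch is an added example, not part of the original script: it parses the applet text and feeds it constructed tracking syslog lines, reporting the admin state of the backup port after each one. The function names, the sample log lines, and the second applet's name (ISP-1_IS_UP) are this example's own assumptions.

```python
import re

# Constructed copy of the page's two applets (second one named ISP-1_IS_UP here).
APPLETS = """\
event manager applet ISP-1_IS_DOWN
 event syslog pattern "1 ip sla 10 state Up->Down"
 action 3.0 cli command "interface gig 0/2"
 action 4.0 cli command "no shut"
event manager applet ISP-1_IS_UP
 event syslog pattern "1 ip sla 10 state Down->Up"
 action 3.0 cli command "interface gig 0/2"
 action 4.0 cli command "shut"
"""

def parse_applets(text):
    """Map applet name -> {"pattern", "actions"}. Re-entering an existing name
    edits that applet, so a later event line replaces the earlier one."""
    applets, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"event manager applet (\S+)", line):
            cur = applets.setdefault(m.group(1), {"pattern": None, "actions": {}})
        elif cur is None:
            continue  # ignore anything before the first applet header
        elif m := re.match(r'event syslog pattern "(.*)"$', line):
            cur["pattern"] = m.group(1)
        elif m := re.match(r'action (\S+) cli command "(.*)"$', line):
            cur["actions"][m.group(1)] = m.group(2)
    return applets

def replay(applets, syslog_lines, port="gig 0/2"):
    """Return the admin state (True = no shut) of `port` after each message.
    The port starts administratively shut down, as on the page."""
    state, history = {port: False}, []
    for msg in syslog_lines:
        for applet in applets.values():
            if not (applet["pattern"] and re.search(applet["pattern"], msg)):
                continue
            iface = None
            for label in sorted(applet["actions"]):  # actions run in label order
                cmd = applet["actions"][label]
                if cmd.startswith("interface "):
                    iface = cmd.split(" ", 1)[1]
                elif cmd in ("shut", "no shut") and iface:
                    state[iface] = (cmd == "no shut")
        history.append(state[port])
    return history

# Constructed syslog lines in the format the page's patterns expect.
LOGS = ["%TRACKING-5-STATE: 1 ip sla 10 state Up->Down",
        "%TRACKING-5-STATE: 1 ip sla 10 state Down->Up"]
```

Giving both applets the same name collapses them into one that only ever shuts the port, and a message formatted with spaces around the arrow matches neither pattern, so confirm the exact tracking message your IOS release logs before relying on the pattern.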