Friday, 1 November 2013

IP SLA, Syslog and Embedded Event Manager

Cisco's Embedded Event Manager (EEM) offers a huge amount of potential for introducing logic and control into your configurations.  Combined with syslog and IP SLA it is quite a toolkit all told.  Recently I have used Event Manager and IP SLA to complete WAN cutovers with minimal intervention.  EEM can also be used quite effectively in remote situations where your own access will be cut off by virtue of the very change you wish to make - in addition to the usual "reload in 005" get-out-of-jail card...

In this post the trigger is the login of a disgruntled and malicious employee, Dr Doom: when he logs in with his dedicated username, R1 generates a syslog message.  Event Manager listens for that syslog message and reconfigures interface fa 0/0 from 1.1.1.1 to 2.2.2.1.  Over on R2 an IP SLA probe is polling R1; when that probe goes down, R2 reconfigures its own interface to 2.2.2.2, thus completing Dr Doom's mission to seize control of the network and gain corporate riches.  Ok, so it's not a very realistic scenario.  Here is the, err, topology:


The important bits of config are below:

On R1, DR-MCCOY:
username admin privilege 15 secret ...
username drdoom privilege 15 secret ...

track 1 ip sla 1 reachability

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto

ip sla 1
 icmp-echo 2.2.2.2
 frequency 10
ip sla schedule 1 life forever start-time now

event manager applet drdoom 
 event syslog occurs 1 pattern "user: drdoom"
 action 1.0 syslog msg "Dr DOOM IS COMING!"
 action 2.0 cli command "en"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int fa 0/0"
 action 5.0 cli command "ip add 2.2.2.1 255.255.255.0"
 action 6.0 syslog msg "DR DOOM INTERFACE RECONFIGURED"

event manager applet drdoom-success 
 event track 1 state up
 action 1.0 syslog msg "MISSION ACCOMPLISHED"

And on R2, DR-KIMBLE:

track 1 ip sla 1 reachability
 default-state up
 delay down 20 up 5

interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto

ip sla 1
 icmp-echo 1.1.1.1
 frequency 5
ip sla schedule 1 life forever start-time now

event manager applet drdoom 
 event track 1 state down
 action 1.0 cli command "en"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int fa 0/0"
 action 4.0 cli command "ip add 2.2.2.2 255.255.255.0"
 action 5.0 syslog msg "DR DOOM RECONFIGURED THIS ROUTER"
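As an added illustration (not part of the original post and not a Cisco tool), the following Python script parses a running-config like the two above and reports, for each EEM applet, what it triggers on and whether its CLI actions enter configuration mode; track-based triggers are resolved back to the IP SLA target the track object depends on. This is the sort of check a defender would run over a device's config to spot applets that reconfigure the box off a syslog login pattern. The embedded config is a constructed copy of the relevant R1 lines from this post; the finding field names are my own.

```python
"""Audit an IOS-style running-config for EEM applets that push config changes.

Hypothetical defender-side helper, not from the original post. It parses the
'event manager applet' sections, records each trigger and whether the actions
enter configuration mode, and resolves 'event track' triggers to the IP SLA
probe target behind the track object.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the R1 (DR-MCCOY) lines from the post that matter here.
SAMPLE_CONFIG = """\
track 1 ip sla 1 reachability
ip sla 1
 icmp-echo 2.2.2.2
 frequency 10
ip sla schedule 1 life forever start-time now
event manager applet drdoom
 event syslog occurs 1 pattern "user: drdoom"
 action 1.0 syslog msg "Dr DOOM IS COMING!"
 action 2.0 cli command "en"
 action 3.0 cli command "conf t"
 action 4.0 cli command "int fa 0/0"
 action 5.0 cli command "ip add 2.2.2.1 255.255.255.0"
 action 6.0 syslog msg "DR DOOM INTERFACE RECONFIGURED"
event manager applet drdoom-success
 event track 1 state up
 action 1.0 syslog msg "MISSION ACCOMPLISHED"
"""


@dataclass
class Applet:
    name: str
    event: str = ""                          # text after 'event ' in the applet
    actions: list = field(default_factory=list)

    def cli_commands(self):
        """Command strings issued through 'action N.N cli command "..."'."""
        cmds = []
        for a in self.actions:
            m = re.search(r'cli command "([^"]*)"', a)
            if m:
                cmds.append(m.group(1))
        return cmds

    def enters_config_mode(self):
        """True if any cli action is 'configure terminal' or an abbreviation of it."""
        for cmd in self.cli_commands():
            words = cmd.split()
            if words and len(words[0]) >= 4 and "configure".startswith(words[0].lower()):
                return True
        return False


def parse_config(text):
    """Return (applets by name, track->sla number, sla number->icmp-echo target)."""
    applets, tracks, slas = {}, {}, {}
    section = None                           # ("applet", name) or ("sla", number)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):         # top-level command starts a new section
            section = None
            if m := re.match(r"event manager applet (\S+)", line):
                applets[m.group(1)] = Applet(m.group(1))
                section = ("applet", m.group(1))
            elif m := re.match(r"track (\d+) ip sla (\d+)", line):
                tracks[int(m.group(1))] = int(m.group(2))
            elif m := re.match(r"ip sla (\d+)$", line):
                section = ("sla", int(m.group(1)))
            continue
        body = line.strip()
        if section is None:
            continue
        kind, key = section
        if kind == "applet" and body.startswith("event "):
            applets[key].event = body[len("event "):]
        elif kind == "applet" and body.startswith("action "):
            applets[key].actions.append(body)
        elif kind == "sla" and (m := re.match(r"icmp-echo (\S+)", body)):
            slas[key] = m.group(1)
    return applets, tracks, slas


def audit(text):
    """One finding per applet: trigger kind, pattern/target, and whether it reconfigures the box."""
    applets, tracks, slas = parse_config(text)
    findings = {}
    for a in applets.values():
        f = {"trigger": a.event, "config_change": a.enters_config_mode(),
             "trigger_kind": "other", "pattern": None, "depends_on": None}
        if m := re.match(r'syslog .*pattern "([^"]*)"', a.event):
            f["trigger_kind"], f["pattern"] = "syslog", m.group(1)
        elif m := re.match(r"track (\d+) state (\w+)", a.event):
            f["trigger_kind"] = "track"
            f["depends_on"] = slas.get(tracks.get(int(m.group(1))))
        findings[a.name] = f
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        flag = "REVIEW" if f["config_change"] else "info"
        print(f"[{flag}] {name}: trigger={f['trigger_kind']} pattern={f['pattern']} "
              f"depends_on={f['depends_on']} config_change={f['config_change']}")
```

Run against the sample, the drdoom applet is flagged for review (syslog-triggered, enters config mode), while drdoom-success is reported as a track-driven applet resting on the 2.2.2.2 probe that only emits a syslog message.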

This worked pretty well: Dr Doom succeeded in his dastardly plan, but it barely scratches the surface of either IP SLA or EEM, being merely one practical use.  Ping, however, is not a great basis for deciding to reconfigure links, so use it with caution - pings can be lost for any number of reasons.  If you tune the parameters you can introduce a greater degree of certainty; in this case my track object has a delay of 20 seconds before it is considered down, with a probe frequency of 5 seconds, so a single lost ping does not tear the track down.  If you were doing this during an agreed change window you could also impose life restrictions on the ip sla schedule so it only runs at the right time.
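The effect of those two parameters, as an added illustration that is not part of the original post: a small Python model of a track object configured with delay down 20 up 5, fed a constructed 5-second probe timeline, compared against the same timeline with no delay at all. The model simplifies the real track/IP SLA interaction (an assumption, stated in the code), but it shows why a blip of two lost pings is ignored while a sustained loss still brings the track down.

```python
"""Simulate an IOS track object's 'delay down D up U' hysteresis over a probe timeline.

Added illustration, not from the original post. Simplified model (an assumption,
not a statement of exact IOS internals): the tracked reachability state follows
the most recent probe result, and the track only reports a state change once the
new state has persisted for the configured delay; a return to the old state
before then cancels the pending change.
"""


def simulate_track(probe_results, frequency, delay_down, delay_up, initial="up"):
    """probe_results: booleans (True = reply received) spaced `frequency` seconds apart.
    Returns the list of (time, state) transitions the track object would report."""
    reported = initial           # matches 'default-state up' on DR-KIMBLE
    pending = None               # (candidate_state, time the candidate first appeared)
    transitions = []
    for i, ok in enumerate(probe_results):
        t = i * frequency
        observed = "up" if ok else "down"
        if observed == reported:
            pending = None       # object back in the reported state: cancel the timer
            continue
        if pending is None or pending[0] != observed:
            pending = (observed, t)
        delay = delay_down if observed == "down" else delay_up
        if t - pending[1] >= delay:
            reported = observed
            transitions.append((t, reported))
            pending = None
    return transitions


# Constructed timeline at frequency 5: two lost replies (a blip), recovery,
# then a sustained outage of six probes before the path comes back.
TIMELINE = [True, True, False, False, True, True,
            False, False, False, False, False, False, True, True, True]


def compare(timeline=TIMELINE, frequency=5):
    """Transitions with the post's tuning (delay down 20 up 5) versus no delay."""
    return {
        "tuned": simulate_track(timeline, frequency, delay_down=20, delay_up=5),
        "untuned": simulate_track(timeline, frequency, delay_down=0, delay_up=0),
    }


if __name__ == "__main__":
    for label, trans in compare().items():
        print(f"{label}: {trans}")
```

With the tuned settings the track reports a single down/up pair for the real outage; with no delay it flaps on the blip as well, which is exactly the case where an EEM applet would have reconfigured the interface for no good reason.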

Beware Dr Doom.

