Saturday, January 25, 2014

EEM Applet - Teach your router to monitor itself

Faced with a small system and a smaller budget?  No space to put up a server that can collect performance data?  Does your corporate procurement process keep pushing the delivery of your monitoring system to the right? How about letting your router monitor itself?  This simple applet will run every 5 minutes and capture your 5 minute output rate and outbound queue drops for the specified interfaces.

!Tested with a Cisco 1841 running 15.1T Advanced Enterprise Services.
event manager applet CONGESTION-TRACKER
 event timer cron name every_5_MINUTES cron-entry "*/5 * * * *"
 action 1.0010     set interfaces "FastEthernet0/0,FastEthernet0/1/0"
 action 1.0020     cli command "enable"
 action 1.0030     foreach iface "$interfaces" ","
 action 1.0030.010  cli command "sho interfaces $iface | i Input queue"
 action 1.0030.020  set outdrop "0"
 action 1.0030.030  set result "none"
 action 1.0030.040  regexp "Total output drops: ([0-9]+)" "$_cli_result" result outdrop
 action 1.0030.050  cli command "sho interfaces $iface | i Output queue"
 action 1.0030.060  set outqueuedrop "0"
 action 1.0030.070  regexp "Output queue: [0-9]+/[0-9]+/([0-9]+)" "$_cli_result" result outqueuedrop
 action 1.0030.080  add $outdrop $outqueuedrop
 action 1.0030.090  set drops "$_result"
 action 1.0030.100  set outrate "0"
 action 1.0030.110  cli command "sho interfaces $iface | i output rate"
 action 1.0030.120  regexp "output rate ([0-9]+) bits" "$_cli_result" result outrate
 action 1.0030.130  puts "Output Update $iface: Current_rate=$outrate, Drops=$drops"
 action 1.0040     end
 action 1.0050     exit



It works by using the Cisco Embedded Event Manager (EEM) applet feature.  The event is scheduled to run every 5 minutes using cron.  It then sets the interfaces that are going to be monitored in a variable named "interfaces".  You can add more interfaces by appending a comma and the new interface name.
The applet runs a loop over every interface in the "interfaces" list, calling the current one iface.  The output of "show interfaces" is then filtered to find the 5 minute output average, and the two places where outbound queue drops are reported are added together.  The output is sent to syslog, so if you do not have a syslog server, you may want to specify a larger logging buffer with "logging buffered XXXX".
The information can then be pulled over time and seen with "show log".  You can then run an external script to put the data into a database or graph, or read it directly if you just want to know at what levels or times you are having peak traffic.
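The external script mentioned above, sketched in Python as an added example (not part of the original post): it pulls the applet's "Output Update" lines out of saved "show log" text and converts the cumulative drop counters into drops per 5 minute interval. The sample log lines, including the timestamp and %HA_EM-6-LOG prefix, are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed "show log" excerpt. The timestamp prefix assumes
# "service timestamps log datetime"; values are made up for illustration.
SAMPLE_LOG = """\
*Jan 25 14:00:00.412: %HA_EM-6-LOG: CONGESTION-TRACKER: Output Update FastEthernet0/0: Current_rate=812000, Drops=40
*Jan 25 14:00:00.958: %HA_EM-6-LOG: CONGESTION-TRACKER: Output Update FastEthernet0/1/0: Current_rate=96000, Drops=0
*Jan 25 14:02:11.007: %SYS-5-CONFIG_I: Configured from console by console
*Jan 25 14:05:00.401: %HA_EM-6-LOG: CONGESTION-TRACKER: Output Update FastEthernet0/0: Current_rate=1544000, Drops=175
*Jan 25 14:05:00.944: %HA_EM-6-LOG: CONGESTION-TRACKER: Output Update FastEthernet0/1/0: Current_rate=101000, Drops=0
*Jan 25 14:10:00.399: %HA_EM-6-LOG: CONGESTION-TRACKER: Output Update FastEthernet0/0: Current_rate=640000, Drops=3
"""

# Keyed only on the text the applet itself writes with "puts".
RECORD_RE = re.compile(
    r"Output Update (?P<iface>\S+): Current_rate=(?P<rate>\d+), Drops=(?P<drops>\d+)")
TS_RE = re.compile(r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")

def parse_samples(log_text):
    """Return {iface: [(timestamp, rate_bps, drop_counter), ...]} in log order."""
    samples = defaultdict(list)
    for line in log_text.splitlines():
        rec = RECORD_RE.search(line)
        if rec is None:
            continue  # some other syslog message
        ts = TS_RE.search(line)
        samples[rec["iface"]].append(
            (ts.group(1) if ts else None, int(rec["rate"]), int(rec["drops"])))
    return dict(samples)

def drop_deltas(series):
    """Turn cumulative drop counters into drops per polling interval."""
    deltas, prev = [], None
    for ts, rate, drops in series:
        if prev is not None:
            # A counter that went backwards was cleared or the router reloaded,
            # so the new reading is all that is known about this interval.
            deltas.append((ts, rate, drops - prev if drops >= prev else drops))
        prev = drops
    return deltas

def congested_intervals(log_text, min_drops=1):
    """Intervals in which drops increased, worst first."""
    hits = []
    for iface, series in parse_samples(log_text).items():
        hits += [(iface, ts, rate, d)
                 for ts, rate, d in drop_deltas(series) if d >= min_drops]
    return sorted(hits, key=lambda h: h[3], reverse=True)
```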

One great modification to this may be to create a complementary applet that collects the averages out of the logs and emails them to you once daily.   Maybe a future post...

Thursday, January 23, 2014

EEM Applet - Dynamic Tunnel Source Interface Changing

Previously, I had been faced with a problem with DMVPN: how to make it easy to switch between DHCP and static IP addresses for spokes that often change Internet providers?

In this scenario, I have dedicated interfaces: fa0/0 for static IP address assignment and fa0/1 for DHCP.  Whenever fa0/1 obtains a DHCP address, the applet cleans up the static routes, changes the tunnel source to fa0/1, and ensures the static route to the DMVPN hub, 172.31.84.67, is present.  Whenever fa0/1 loses its link (including at boot time), the applet will clean up the static routes and change the tunnel source to fa0/0.  Someone with access to the spoke router will still have to assign the static IP to fa0/0 and add a route to the DMVPN hub, 172.31.84.67, via their gateway to gain connectivity, but that should be easier for the novice.

The applet can be used for swapping the source interfaces of other types of tunnels, but usually you would be able to use a loopback interface for this; in the case of DMVPN, however, the spoke router often cannot have the ISP create a route for the loopback's IP address destined to the spoke router.

!Tested with a Cisco 1841 running 15.1T Advanced Enterprise Services.
event manager applet DHCP_CONFIG
 event syslog pattern "DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/1 assigned DHCP address"
 action 1.0010 cli command "enable"
 action 1.0020 cli command "configure terminal"
 action 1.0030 cli command "no ip route 0.0.0.0 0.0.0.0"
 action 1.0040 cli command "no ip route 172.31.84.67 255.255.255.255"
 action 1.0050 cli command "ip route 172.31.84.67 255.255.255.255 dhcp"
 action 1.0060 cli command "interface Tunnel 1"
 action 1.0070 cli command "tunnel source FastEthernet0/1"
 action 1.0080 cli command "end"
 action 1.0090 puts "TUNNEL SOURCE HAS BEEN SET TO FA0/1 FOR DHCP"
 action 1.0100 exit

event manager applet STATIC_CONFIG
 event syslog pattern "LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down"
 action 1.0010 cli command "enable"
 action 1.0020 cli command "configure terminal"
 action 1.0030 cli command "no ip route 0.0.0.0 0.0.0.0"
 action 1.0040 cli command "no ip route 172.31.84.67 255.255.255.255 dhcp"
 action 1.0060 cli command "interface Tunnel 1"
 action 1.0070 cli command "tunnel source FastEthernet0/0"
 action 1.0080 cli command "end"
 action 1.0090 puts "TUNNEL SOURCE HAS BEEN SET TO FA0/0 FOR STATIC"
 action 1.0100 exit

This applet works similarly to the BACKUP-TO-USB applet, in that it looks for a pattern in logging to execute.  The applet, however, does not need to parse any command output; this makes it a very easy script to write.  Finally, it outputs what the script has done onto the console.  This output also shows up in "show log" so long as "logging buffered informational" has been turned on.

First EEM Applet - Autobackup to USB stick on a Cisco Router

Although I've been scripting for a long time, I have never used the EEM and TCL features on Cisco devices to run a script on the device itself.  This is the first script that I've written that uses the embedded event manager applet features.  When "usbflash0:" is inserted into the router, it will back up a copy of the running configuration to the filename HOSTNAME.txt.DATE.

Here is the script:

!Tested with a Cisco 1841 running 15.1T Advanced Enterprise Services.
file prompt quiet
event manager applet BACKUP-TO-USB
 event syslog pattern "usbflash0 has been inserted"
 action 10.000 cli command "enable"
 action 10.010 cli command "show clock"
 action 10.020 set month "none"
 action 10.030 set day "none"
 action 10.040 set year "none"
 action 10.050 set result "none"
 action 10.060 regexp "([A-Z][a-z][a-z]) ([0-9]+) ([0-9][0-9][0-9][0-9])" "$_cli_result" result month day year
 action 10.070 set hostname "hostname"
 action 10.080 cli command "show running-config | i hostname"
 action 10.090 regexp "hostname ([A-Za-z0-9._-]+)" "$_cli_result" result hostname
 action 20.000 cli command "copy system:running-config usbflash0:$hostname.txt.$month-$day-$year"
 action 99.999 exit


It works by scheduling the event to run whenever the log receives a message that usbflash0 has been inserted.  It will then parse the data from the show clock command and save the running configuration to the USB stick.  I had to run the global setting "file prompt quiet" to turn off extra prompting that verifies the destination file name; I'm sure this could be worked out but it was just a fun exercise and not something I planned on using in production.