Dec 17

Using an IPS sensor, we can dynamically apply rate limiting/policing on a router interface, based on a signature match or an event action override generated on the sensor appliance. Ok, I know there is no sensor appliance in the RS lab, but what if we need to trigger a rate limit of specific traffic destined to a router, based on current conditions on that router, such as the transmit or receive load on an interface?

This is a job for, da dada dahhh: Embedded Event Manager (EEM). In this example we will create a service policy which we will apply to the control plane once an interface load threshold is exceeded. Full labs on Embedded Event Manager can be found in our RS v5 Vol1 workbook in “System Management“. Let’s break down the individual steps, first for the control plane policing policy, and then the EEM applet that applies it.

We will first create a policy map, which calls on a class map, which in turn calls on an ACL. The class map identifies ICMP by referencing an access list, so first we create the access list and name it ICMP.

ip access-list extended ICMP
 permit icmp any any

Now that the access list is created, we will create the class map called ICMP, which references the access list of the same name.

class-map match-all ICMP
 match access-group name ICMP
 exit

Next we will create the policy map, and for convenience we will name it ICMP as well. This policy map references the class map and polices matching traffic at 8000 bits per second with a conform burst of 1000 bytes.

policy-map ICMP
 class ICMP
    police 8000 1000

Ok, so now for the EEM part of the configuration. First, we will create our event manager applet. In this applet we will be referencing Serial0/0, and we will be looking for the received load to be greater than 25. The 25 refers to 25 out of a possible 255 as reported by the interface. Once that ~10% is exceeded, the CLI commands in our applet will be executed. The CLI commands simply apply the service policy to the logical control plane host interface on the router. By doing this, any ICMP traffic destined TO the router will be policed, regardless of which interface the traffic is received on. The EEM policy will also generate a syslog message. There are additional options which we could include, such as sending SNMP traps, e-mail messages and so forth.

event manager applet LOAD
 event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "service-policy input ICMP"
 action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"
 exit

At the interface level we will specify a bandwidth statement of 64 (kbps), which will let us reach the 25/255 threshold much more quickly. We will also set the load interval to a lower value than the default of five minutes so that the average increases faster.

interface ser 0/0
 bandwidth 64
 load-interval 30
end
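The applet above only ever applies the policy; nothing takes it off again when the load subsides. The following is an added example (not from the original post) showing the same trigger paired with a second applet that removes the policy once rxload falls below a lower threshold, so the two thresholds give some hysteresis and the policy does not flap on and off around a single value. It assumes the ACL, class map and policy map named ICMP and the Serial0/0 bandwidth of 64 configured above; the applet names LOAD-HIGH and LOAD-LOW and the lower threshold of 10 are choices made here, not values from the post.

```cisco
! Added example, not part of the original post.
! Assumes: policy-map ICMP exists and Serial0/0 has "bandwidth 64".
! 25/255 of 64 kbps is roughly 6.3 kbps of received traffic;
! 10/255 of 64 kbps is roughly 2.5 kbps (lower threshold chosen here).
!
! Apply the control-plane policy when the received load climbs above 25/255.
event manager applet LOAD-HIGH
 event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "service-policy input ICMP"
 action 4.0 cli command "end"
 action 5.0 syslog msg "rxload above 25/255 on Serial0/0: ICMP control-plane policy applied"
!
! Remove the policy again once the received load drops below 10/255.
event manager applet LOAD-LOW
 event interface name Serial0/0 parameter rxload entry-val 10 entry-op lt entry-val-is-increment false poll-interval 60
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "no service-policy input ICMP"
 action 4.0 cli command "end"
 action 5.0 syslog msg "rxload below 10/255 on Serial0/0: ICMP control-plane policy removed"
```

Because neither applet specifies exit criteria, each one re-fires at every 60-second poll while its condition holds, so the same service-policy (or no service-policy) command is re-issued repeatedly; that is harmless, since the command is idempotent, but it shows up in the EEM debug output and the syslog, so expect repeated messages rather than a single one.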

The following debug will give us the Howard Cosell play-by-play of exactly what’s happening.

R2#debug event manager action cli
Debug EEM action cli debugging is on

To view the details of the interfaces that are registered with an event manager policy, we would use the following show command.

R2#show event manager policy registered event-type interface
No.  Class   Type    Event Type          Trap  Time Registered           Name
1    applet  user    interface           Off   Thu Feb 28 18:51:41 2002  LOAD
 name {Serial0/0} parameter {rxload} entry_op gt entry_val 25 entry_val_is_increment FALSE poll_interval 60.000
 maxrun 20.000
 action 0.0 cli command "enable"
 action 1.0 cli command "configure terminal"
 action 2.0 cli command "control-plane host"
 action 3.0 cli command "service-policy input ICMP"
 action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"

To verify what the current load is on the interface, we can use the command below.

R2#show int ser 0/0 | inc rxload
     reliability 255/255, txload 1/255, rxload 1/255

Once the control plane policy has been applied, the details of how many packets have conformed to and exceeded that policy will be shown by the command below.

R2#show policy-map control-plane host
R2#

From the commands above, you’ll notice that the current rxload is 1/255, and there is no policy currently applied to the control plane. Let’s go to the neighboring router and generate some traffic to trigger event manager and the applet that we just created.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 1000 timeout 0

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 150.1.2.2, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
.......................................................!.!............
......................................................................
.............................................!........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (3/1000), round-trip min/avg/max = 4/6/8 ms
Neighbor-R3#

Cool, we got 3 back, even with a timeout of 0 seconds. Now let’s go back to R2 and look at some results.

R2#show int ser 0/0 | inc rxload
     reliability 255/255, txload 58/255, rxload 58/255
R2#
! Note: It may take a few moments for the policy to be applied, as polling occurs every 60 seconds. Patience is a virtue, and I want mine NOW ;-) !

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN  : R2#enable
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN  : R2#configure terminal
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN  : R2(config)#control-plane host
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN  : R2(config-cp-host)#service-policy input ICMP
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD: Just Applied Control Plane Policy to Limit ICMP
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_close called.
R2#
%SYS-5-CONFIG_I: Configured from console by vty0
R2#

Back to the neighbor router, R3 to see how the policing of ICMP looks from the outside.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 20         

Type escape sequence to abort.
Sending 20, 500-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!.!!.!!.!!.!!.!!.!.
Success rate is 65 percent (13/20), round-trip min/avg/max = 4/12/24 ms
Neighbor-R3#

Back to R2 to view the output of the service policy.

R2#show policy-map control-plane host
 Control Plane Host 

  Service-policy input: ICMP

    Class-map: ICMP (match-all)
      20 packets, 10080 bytes
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: access-group name ICMP
      police:
          cir 8000 bps, bc 1000 bytes
        conformed 13 packets, 6552 bytes; actions:
          transmit
        exceeded 7 packets, 3528 bytes; actions:
          drop
        conformed 0 bps, exceed 0 bps

    Class-map: class-default (match-any)
      3 packets, 268 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R2#

Based on these results, the service policy is now applied to the control-plane host sub-interface and is limiting ICMP. This example of EEM is like a single ice cube compared to a Titanic-sized iceberg of possibilities. My intention is to introduce the topic, and encourage you to study it further.

I configured this demonstration using IOS Version 12.4(15)T10.

Enjoy your studies, and have fun exploring the world of EEM.



11 Responses to “Embedded Event Manager: Not just for breakfast …”

  1. Ronnie_Hitman says:

    Excellent work from…

    EEM has moved up in my Roadmap….

    Thanks

    Ronnie

  2. Amplebrain says:

    Awesome post. EEM is a very handy tool for “automation” on cisco routers.

  3. IK says:

    awesome post!

    two things to note:

    0. it will not work with NBAR

    class-map ICMP
    match prot icmp

    *Dec 18 17:05:27.323: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : OUT : Unsupported protocol in ‘match protocol’

    1. it doesn’t require enable password/secret, even it is set:

    r2(config)#enable sec cisco

    *Dec 18 17:05:26.471: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : IN : r2>enable
    *Dec 18 17:05:26.635: %HA_EM-6-LOG: DETECT : DEBUG(cli_lib) : : OUT : r2#

  4. IK- Great comments about the NBAR and enable secret. Thanks for passing that along.

  5. IK says:

    You’re welcome!

    one thing that I forgot – the service-policy will remain forever until one manually deletes it. Is there any way to remove it automatically, or should we consider writing another applet that will measure interface load?

  6. Christian Biasibetti says:

    Very nice … Thanks !!!

    • Anderson says:

      Good idea Rick. Glad to hear from you. Honestly I haven’t even looked at the CCNA Security stuff yet, but I’m definitely not opposed to writing about it. I’ll have to take a look.

  7. Ruhann says:

    Great article.
    Can think of a couple ways to use eem.

  8. Nate says:

    A little late to this party, but one thing I noticed while running through this. In the applet, you need to spell the interface exactly as it appears when you do a show interface “…”. I had a policy monitoring fastethernet0/0 and it wouldn’t run, it needed to be FastEthernet0/0, capitalization counts!

  9. [...] had also improved his skills in MPLS, Multi-Protocol BGP, IOS IPS, EEM, and many other areas by using the sweet blog articles at INE.  (Shameless Plug [...]
