Dec
17

Using an IPS Sensor, we can dynamically apply rate limiting/policing on a router interface, based on a signature match or an event action over-ride, which is generated on the sensor appliance.   Ok, I know there is no Sensor Appliance in the RS lab, but what if we need to trigger a rate limit of specific traffic, destined to a router, based on current conditions on that router, such as transmit or receive loads on an interface.

This is a job for, da dada dahhh: Embedded Event Manager (EEM).  In this example we will create a service policy which we will apply to the control plane based on a interface threshold being exceeded.  Full labs on Embedded Event Manager can be found in our RS v5 Vol1 workbook in  "System Management".  Let's break down the individual steps, first for the control plane policing policy, and then the EEM to apply it.

We will first create a policy map, which calls on a class map, which calls on an ACL. In this class map, we are going to identify ICMP, by referencing an access list. So first we create the access list, and we will name it ICMP.

ip access-list extended ICMP
permit icmp any any

Now that the access list is created, we will create the class map called ICMP which will be referencing the access list of the same name.

class-map match-all ICMP
match access-group name ICMP
exit

Next we will create the policy map, and for convenience we will name it ICMP (as well). This policy map will reference the class map, and specify  policing at 8000 bits per second with a burst rate of 1000 bytes.

policy-map ICMP
class ICMP
police 8000 1000

Ok, so now for the EEM part of the configuration.  First, we will create our event manager applet. In this applet we will be referencing serial 0/0, and we will be looking for the received load to be greater than 25. The 25 refers to 25 out of a possible 255 as reported by the interface. Once the ~10% is exceeded, the CLI commands implemented in our applet will be executed. The CLI commands will simply apply the service policy to the logical control plane host interface on the router. By doing this, any ICMP traffic destined TO the router, will be policed, regardless of which interface the traffic is received on.   The EEM policy will also generate a syslog message. There are additional options which we could include, such as sending SNMP traps, e-mail messages and so forth.

event manager applet LOAD
event interface name Serial0/0 parameter rxload entry-val 25 entry-op gt entry-val-is-increment false poll-interval 60
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"
exit

At the interface level we will specify a bandwidth statement of 64, which will allow us to trigger the 25/255 much quicker. We will also set the load interval to a lower value than the default of five minutes so that the average will increase faster.

interface ser 0/0
bandwidth 64
load-interval 30
end

The following debug, will give us the Howard Cosell play-by-play of exactly what's happening.

R2#debug event manager action cli
Debug EEM action cli debugging is on

To view the details of the interfaces that are registered with an event manager policy, we would use the following show command.

R2#show event manager policy registered event-type interface
No. Class Type Event Type Trap Time Registered Name
1 applet user interface Off Thu Feb 28 18:51:41 2002 LOAD
name {Serial0/0} parameter {rxload} entry_op gt entry_val 25 entry_val_is_increment FALSE poll_interval 60.000
maxrun 20.000
action 0.0 cli command "enable"
action 1.0 cli command "configure terminal"
action 2.0 cli command "control-plane host"
action 3.0 cli command "service-policy input ICMP"
action 4.0 syslog msg "Just Applied Control Plane Policy to Limit ICMP"

To verify what the current load is on the interface, we can use the command below.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 1/255, rxload 1/255

Once the control plane policy has been applied, the actual details of how many packets have been permitted and denied by that policy will be shown by the command below.

R2#show policy-map control-plane host
R2#

From the commands above, you'll notice that the current load is at one, and there is no policy currently applied to the control plane. Let's go to the neighboring router and generate some traffic to trigger event manager and the applet that we just created.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 1000 timeout 0

Type escape sequence to abort.
Sending 1000, 500-byte ICMP Echos to 150.1.2.2, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
.......................................................!.!............
......................................................................
.............................................!........................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (3/1000), round-trip min/avg/max = 4/6/8 ms
Neighbor-R3#

Cool, we got 3 back, even with a timeout of 0 seconds.  Now lets go back to R2, and look at some results.

R2#show int ser 0/0 | inc rxload
reliability 255/255, txload 58/255, rxload 58/255
R2#
! Note: It may take a few moments for the policy as polling occurs every 60 seconds ! ! Patience is a virtue, and I want mine NOW ;-) !

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_open called.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#enable
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2#configure terminal
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config)#control-plane host
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : IN : R2(config-cp-host)#service-policy input ICMP
%CP-5-FEATURE: Control-plane Policing feature enabled on Control plane host path

%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : OUT : R2(config-cp-host)#
%HA_EM-6-LOG: LOAD: Just Applied Control Plane Policy to Limit ICMP
%HA_EM-6-LOG: LOAD : DEBUG(cli_lib) : : CTL : cli_close called.
R2#
%SYS-5-CONFIG_I: Configured from console by vty0
R2#

Back to the neighbor router, R3 to see how the policing of ICMP looks from the outside.

Neighbor-R3#ping 150.1.2.2 size 500 repeat 20         

Type escape sequence to abort.
Sending 20, 500-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
!!.!!.!!.!!.!!.!!.!.
Success rate is 65 percent (13/20), round-trip min/avg/max = 4/12/24 ms
Neighbor-R3#

Back to R2 to view the output of the service policy.

R2#show policy-map control-plane host
Control Plane Host

Service-policy input: ICMP

Class-map: ICMP (match-all)
20 packets, 10080 bytes
5 minute offered rate 1000 bps, drop rate 0 bps
Match: access-group name ICMP
police:
cir 8000 bps, bc 1000 bytes
conformed 13 packets, 6552 bytes; actions:
transmit
exceeded 7 packets, 3528 bytes; actions:
drop
conformed 0 bps, exceed 0 bps

Class-map: class-default (match-any)
3 packets, 268 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
R2#

Based on results, the service policy is now applied to the control-plane host sub-interface, and is limiting ICMP.  This example of EEM is like a single ice-cube, compared to a titanic sized iceberg of possibilities.   My intention is to introduce the topic, and encourage you to study it further.

I configured this demonstration using IOS Version 12.4(15)T10

Enjoy your studies, and have fun exploring the world of EEM.

INE Instructor
About INE Instructor

Subscribe to INE Blog Updates

New Blog Posts!