Recently INE ran a challenge for EEM on the INE blog.

I have yet to hear anything from INE, so I’m posting my code below.

############################################################################################
# CISCO TCL EEM syslog config autowrite
# Version 0.3
# 1/13/2012
# Justin Guagliata
# Copyright 2012 @ ensgrp.com
#
# Copy the script to Flash and enter the following two commands in config mode
# event manager directory user policy "flash:/"
# event manager policy SYSLOG_CONFIG.tcl
#
############################################################################################

############################################################################################
# Monitor syslog output for the "SYS-5-CONFIG.*" pattern (configuration change messages)
# run with a low queue priority and a nice value of 1
# Set a max execution time of 60 seconds

::cisco::eem::event_register_syslog occurs 1 pattern "SYS-5-CONFIG.*" maxrun 60 queue_priority low nice 1

############################################################################################
# Import the EEM libraries to use in this TCL script

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

############################################################################################
# Set FTP server

set FTP_SERVER "10.0.0.1"

############################################################################################
# System variables

set ROUTER_NAME [info hostname]
set CUR_TIME_DATE [clock format [clock seconds] -format "%Y-%m-%d-%H%M%S"]

############################################################################################
# EEM – Opens a connection to the CLI

if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
}

############################################################################################
# EEM – Run CLI Commands

if [catch {cli_exec $cli1(fd) "enable"} result] {
error $result $errorInfo
}

############################################################################################
# Get Last user to change config.

if [catch {cli_exec $cli1(fd) "sh configuration id detail | inc Changed by user"} result] {
error $result $errorInfo
} else {
set cmd_output $result

# Regex that matches the trailing router prompt (hostname, optional (config...) suffix, then # or >);
# the first capture group holds everything printed before the prompt
set prompt [format "(.*\n)(%s)(\\(config\[^\n\]*\\))?(#|>)" $ROUTER_NAME]
if [regexp -- $prompt $result dummy cmd_output] {
# do nothing, match will be in $cmd_output
} else {
# did not match router prompt so use original output
set cmd_output $result
}

# remove white space from output
set cmd_output [regexp -inline -all -- {\S+} $cmd_output]
# Remove the leading description by stripping the first 17 characters
# this leaves us just the username
set CURRENT_USER [string replace $cmd_output 0 17 ""]
}

############################################################################################
# If CURRENT_USER returns empty we know that the config was last written by this script
# For TACACS environments this will be changed to the EEM user

if {$CURRENT_USER != ""} {
if [catch {cli_exec $cli1(fd) "config t"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "file prompt quiet"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "end"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "copy running-config tftp://$FTP_SERVER/$ROUTER_NAME.$CUR_TIME_DATE.$CURRENT_USER.working.cfg"} result] {
error $result $errorInfo
}
}
# Close open cli before exit.
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
error $result $errorInfo
} else {
exit 1
}

############################################################################################
# CISCO TCL EEM autowrite
# Version 0.4
# 1/13/2012
# Justin Guagliata
# Copyright 2012 @ ensgrp.com
#
# Copy the script to Flash and enter the following two commands in config mode
# event manager directory user policy "flash:/"
# event manager policy autowrite.tcl
#
############################################################################################

############################################################################################
# Register EEM for the following CLI patterns: "wr.*|wr.* mem.*|copy ru.* st.*"
# This policy runs synchronously (sync yes), so the matched command waits until the script exits
# Set a max execution time of 60 seconds

::cisco::eem::event_register_cli pattern "wr.*|wr.* mem.*|copy ru.* st.*" sync yes maxrun 60

############################################################################################
# Import the EEM libraries to use in this TCL script

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

############################################################################################
# Set FTP server

set FTP_SERVER "10.0.0.1"

############################################################################################
# System variables

set ROUTER_NAME [info hostname]
set CUR_TIME_DATE [clock format [clock seconds] -format "%Y-%m-%d-%H%M%S"]

############################################################################################
# EEM – Opens a connection to the CLI

if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
}

############################################################################################
# EEM – Run CLI Commands

if [catch {cli_exec $cli1(fd) "enable"} result] {
error $result $errorInfo
}

############################################################################################
# Get Last user to change config.

if [catch {cli_exec $cli1(fd) "sh configuration id detail | inc Changed by user"} result] {
error $result $errorInfo
} else {
set cmd_output $result

# Regex that matches the trailing router prompt (hostname, optional (config...) suffix, then # or >);
# the first capture group holds everything printed before the prompt
set prompt [format "(.*\n)(%s)(\\(config\[^\n\]*\\))?(#|>)" $ROUTER_NAME]
if [regexp -- $prompt $result dummy cmd_output] {
# do nothing, match will be in $cmd_output
} else {
# did not match router prompt so use original output
set cmd_output $result
}

# remove white space from output
set cmd_output [regexp -inline -all -- {\S+} $cmd_output]
# Remove the leading description by stripping the first 17 characters
# this leaves us just the username
set CURRENT_USER [string replace $cmd_output 0 17 ""]
}

############################################################################################
# If CURRENT_USER returns empty we know that the config was last written by this script
# For TACACS environments this will be changed to the EEM user

if {$CURRENT_USER != ""} {
if [catch {cli_exec $cli1(fd) "config t"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "file prompt quiet"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "end"} result] {
error $result $errorInfo
}
if [catch {cli_exec $cli1(fd) "wr mem"} result] {
error $result $errorInfo
}

if [catch {cli_exec $cli1(fd) "copy startup-config tftp://$FTP_SERVER/$ROUTER_NAME.$CUR_TIME_DATE.$CURRENT_USER.startup.cfg"} result] {
error $result $errorInfo
}
}
############################################################################################
# Close open cli before exit. Exit code 0 means don't perform the command which was caught by the script (wr mem);
# an exit code of 1 would let the caught command run after the script finishes
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
error $result $errorInfo
} else {
exit 0
}
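Both scripts above do the same two things before the copy: pull the user name out of "show configuration id detail | inc Changed by user" and build the file name ROUTER.DATE.USER.working.cfg. The Python below is an added example, not part of the original post or of the EEM scripts; it models those two steps on a constructed CLI transcript laid out the way the scripts assume ("Changed by user : NAME", the echoed command first, the router prompt last). It replaces the fixed 17-character strip with a field-based parse, returns None for the empty-user case the scripts treat as "written by this script", and sanitises the user name before it is placed in the copy URL, since that string comes straight from the device output. The host name, user name, server address and time stamp are all constructed.

```python
import re
from datetime import datetime

# Constructed sample of what cli_exec returns: the echoed command, the matching
# line, and the trailing router prompt.
SAMPLE_OUTPUT = (
    "sh configuration id detail | inc Changed by user\n"
    "Changed by user : jguag\n"
    "Rack1R1#"
)

# Constructed sample for a change made by the EEM script itself (empty user field).
SAMPLE_SCRIPT_CHANGE = (
    "sh configuration id detail | inc Changed by user\n"
    "Changed by user :\n"
    "Rack1R1#"
)


def strip_prompt(output, hostname):
    """Drop the trailing router prompt, mirroring the scripts' prompt regex
    (hostname, optional "(config...)" suffix, then # or >)."""
    prompt = re.compile(r"(.*\n)(%s)(\(config[^\n]*\))?(#|>)\s*$" % re.escape(hostname), re.S)
    m = prompt.match(output)
    return m.group(1) if m else output


def last_config_user(output, hostname):
    """Return the user named on the 'Changed by user' line, or None when the
    field is empty (the case the scripts treat as 'written by this script')."""
    body = strip_prompt(output, hostname)
    # [ \t]* rather than \s* so an empty field never swallows the next line
    m = re.search(r"^Changed by user[ \t]*:[ \t]*(\S*)[ \t]*$", body, re.M)
    if not m or not m.group(1):
        return None
    return m.group(1)


def safe_name(user):
    """Restrict the user name to characters that are safe inside a file name
    and a copy URL; anything else becomes an underscore."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", user)


def backup_filename(hostname, user, when, kind="working"):
    """ROUTER.YYYY-mm-dd-HHMMSS.USER.<kind>.cfg, the layout used by both scripts."""
    stamp = when.strftime("%Y-%m-%d-%H%M%S")
    return "%s.%s.%s.%s.cfg" % (hostname, stamp, safe_name(user), kind)


def backup_target(server, hostname, output, when, kind="working"):
    """Full tftp:// URL for the copy, or None when no backup should be taken."""
    user = last_config_user(output, hostname)
    if user is None:
        return None
    return "tftp://%s/%s" % (server, backup_filename(hostname, user, when, kind))


def example_targets():
    """Run both constructed samples at a fixed (constructed) time stamp."""
    when = datetime(2012, 1, 13, 12, 0, 0)
    return (
        backup_target("10.0.0.1", "Rack1R1", SAMPLE_OUTPUT, when),
        backup_target("10.0.0.1", "Rack1R1", SAMPLE_SCRIPT_CHANGE, when),
    )


if __name__ == "__main__":
    for target in example_targets():
        print(target)
```

The first sample yields tftp://10.0.0.1/Rack1R1.2012-01-13-120000.jguag.working.cfg; the second yields None, which is the point at which the Tcl scripts skip the copy.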

LACP is the IEEE 802.3ad link aggregation standard. The 3560 supports 8 active links with 8 standby links.

When using LACP, port channels are configured for either active or passive mode. Active mode will actively attempt to form an LACP link. Passive mode will respond to an LACP attempt from another device but will not itself initiate one.

Rack1SW2(config-if)#channel-group 10 mode {active | passive}

When using LACP each switch has a system priority for the device and a port priority for each port. By default, these values are both 32768.

System priority is used to determine which switch makes the decision for adding links to the LACP bundle. Since both switches will by default have a system priority of 32768, the switch with the lowest MAC address will make the decision.

Rack1SW1(config)#lacp system-priority <1-65535>

Port priority is used to determine which ports will be put in standby mode if the max active links limit is reached. Links with a LOWER priority value are preferred. The port number is used as the tiebreaker, so by default interface gi0/1 will be preferred over gi0/2.

Rack1SW1(config-if)#lacp port-priority <0-65535>

For the following example I have two switches with 10 links between them. The 10 links are cabled as follows.

SW2       SW4
Gi0/30 -- Gi0/40
Gi0/31 -- Gi0/31
Gi0/32 -- Gi0/32
Gi0/33 -- Gi0/33
Gi0/34 -- Gi0/34
Gi0/35 -- Gi0/35
Gi0/36 -- Gi0/36
Gi0/37 -- Gi0/37
Gi0/38 -- Gi0/38
Gi0/39 -- Gi0/39
Gi0/40 -- Gi0/30

We can see that with the default system priorities, SW4 will become the decision maker since it has the lower MAC address.

Rack1SW4#sh lacp sys-id
32768, 0019.06b1.c180
Rack1SW2#sh lacp sys-id
32768, 001e.f634.e700

The 8 lowest-priority links on SW4 (all port priorities are equal here, so the 8 lowest port numbers) will join the bundle, with the others (up to 8) being set to standby.

Rack1SW4#sh lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 10
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/30    SA      bndl      32768         0xA       0xA     0x1E        0x3D
Gi0/31    SA      bndl      32768         0xA       0xA     0x1F        0x3D
Gi0/32    SA      bndl      32768         0xA       0xA     0x20        0x3D
Gi0/33    SA      bndl      32768         0xA       0xA     0x21        0x3D
Gi0/34    SA      bndl      32768         0xA       0xA     0x22        0x3D
Gi0/35    SA      bndl      32768         0xA       0xA     0x23        0x3D
Gi0/36    SA      bndl      32768         0xA       0xA     0x24        0x3D
Gi0/37    SA      bndl      32768         0xA       0xA     0x25        0x3D
Gi0/38    SA      hot-sby   32768         0xA       0xA     0x26        0x5
Gi0/39    SA      hot-sby   32768         0xA       0xA     0x27        0x5
Gi0/40    SA      hot-sby   32768         0xA       0xA     0x28        0x5

If we look at SW2, we can see that gi0/30 is placed in hot standby (hot-sby) because SW4 is the decision maker due to its lower system ID (equal priority, lower MAC address), and gi0/30 on SW2 is cabled to gi0/40 on SW4.

Rack1SW2#sh lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 10
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/30    SA      hot-sby   32768         0xA       0xA     0x1E        0x5
Gi0/31    SA      bndl      32768         0xA       0xA     0x1F        0x3D
Gi0/32    SA      bndl      32768         0xA       0xA     0x20        0x3D
Gi0/33    SA      bndl      32768         0xA       0xA     0x21        0x3D
Gi0/34    SA      bndl      32768         0xA       0xA     0x22        0x3D
Gi0/35    SA      bndl      32768         0xA       0xA     0x23        0x3D
Gi0/36    SA      bndl      32768         0xA       0xA     0x24        0x3D
Gi0/37    SA      bndl      32768         0xA       0xA     0x25        0x3D
Gi0/38    SA      hot-sby   32768         0xA       0xA     0x26        0x5
Gi0/39    SA      hot-sby   32768         0xA       0xA     0x27        0x5
Gi0/40    SA      bndl      32768         0xA       0xA     0x28        0x3D

Finally, if we make SW2 the decision maker by lowering its system priority, gi0/30 will become active and gi0/40 will go to standby on SW2.

Rack1SW2#sh lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode
Channel group 10
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/30    SA      bndl      32768         0xA       0xA     0x1E        0x3D
Gi0/31    SA      bndl      32768         0xA       0xA     0x1F        0x3D
Gi0/32    SA      bndl      32768         0xA       0xA     0x20        0x3D
Gi0/33    SA      bndl      32768         0xA       0xA     0x21        0x3D
Gi0/34    SA      bndl      32768         0xA       0xA     0x22        0x3D
Gi0/35    SA      bndl      32768         0xA       0xA     0x23        0x3D
Gi0/36    SA      bndl      32768         0xA       0xA     0x24        0x3D
Gi0/37    SA      bndl      32768         0xA       0xA     0x25        0x3D
Gi0/38    SA      hot-sby   32768         0xA       0xA     0x26        0x5
Gi0/39    SA      -         32768         0xA       0xA     0x27        0x5
Gi0/40    SA      -         32768         0xA       0xA     0x28        0x5

Note: Changing the LACP system priority dropped the entire bundle. Proceed with caution in production environments.
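To make the selection rules above concrete, here is an added example (not code from the original post) that models them in Python: the lower (system priority, MAC) pair wins the decision, the decision maker bundles its links in (port priority, port number) order up to the 3560's 8 active links, and each peer port simply takes the state of the link it is cabled to. It reproduces the three states shown above for the SW2/SW4 cabling and goes one step beyond the post by also showing what `lacp port-priority` on a single port does. The MAC addresses and cabling come from the post; the lowered system priority value (100), the port priority value (100) and the selection model itself are assumptions of this example.

```python
from dataclasses import dataclass, field

MAX_ACTIVE = 8  # 3560 limit from the post: 8 active links, the rest standby


@dataclass
class Switch:
    name: str
    mac: str                       # dotted hex as printed by "show lacp sys-id"
    sys_priority: int = 32768      # default LACP system priority
    # per-port "lacp port-priority"; ports not listed use the default 32768
    port_priority: dict = field(default_factory=dict)

    def system_id(self):
        # LACP system ID: priority first, then the MAC as a number; lower wins
        return (self.sys_priority, int(self.mac.replace(".", ""), 16))

    def prio(self, port):
        return self.port_priority.get(port, 32768)


def decision_maker(a, b):
    """The switch with the lower system ID decides which links bundle."""
    return min((a, b), key=Switch.system_id)


def lacp_states(a, b, cabling):
    """cabling: list of (a_port, b_port) pairs.
    Returns {switch name: {port number: "bndl" | "hot-sby"}}."""
    maker = decision_maker(a, b)
    peer = b if maker is a else a
    # links keyed by the decision maker's own port number -> peer port number
    if maker is a:
        links = {ap: bp for ap, bp in cabling}
    else:
        links = {bp: ap for ap, bp in cabling}
    # lowest port priority first, port number as the tiebreaker
    ordered = sorted(links, key=lambda p: (maker.prio(p), p))
    active = set(ordered[:MAX_ACTIVE])
    maker_states = {p: "bndl" if p in active else "hot-sby" for p in links}
    # the peer's port is in whatever state the decision maker put that link in
    peer_states = {links[p]: maker_states[p] for p in links}
    return {maker.name: maker_states, peer.name: peer_states}


# Cabling from the post: SW2 gi0/30 <-> SW4 gi0/40, 31..39 straight, SW2 gi0/40 <-> SW4 gi0/30
CABLING = [(30, 40)] + [(p, p) for p in range(31, 40)] + [(40, 30)]
SW2 = Switch("Rack1SW2", "001e.f634.e700")
SW4 = Switch("Rack1SW4", "0019.06b1.c180")


def default_scenario():
    """Both switches at priority 32768: SW4 (lower MAC) decides."""
    return lacp_states(SW2, SW4, CABLING)


def sw2_lowered_scenario():
    """SW2 given a lower system priority (assumed value 100): SW2 decides."""
    sw2 = Switch("Rack1SW2", "001e.f634.e700", sys_priority=100)
    return lacp_states(sw2, SW4, CABLING)


def sw4_port40_preferred_scenario():
    """Beyond the post: SW4 keeps the decision but gi0/40 gets port-priority 100
    (assumed value), so it displaces the highest-numbered default-priority port."""
    sw4 = Switch("Rack1SW4", "0019.06b1.c180", port_priority={40: 100})
    return lacp_states(SW2, sw4, CABLING)


if __name__ == "__main__":
    for label, states in (("default", default_scenario()),
                          ("SW2 lowered", sw2_lowered_scenario()),
                          ("SW4 gi0/40 preferred", sw4_port40_preferred_scenario())):
        print(label)
        for sw, ports in states.items():
            print(" ", sw, {p: s for p, s in sorted(ports.items())})
```

In the default scenario the model puts SW2 gi0/30 in hot standby and SW2 gi0/40 in the bundle, exactly as the second "sh lacp internal" above shows; lowering SW2's priority flips those two ports, matching the third listing (where the post prints "-" for gi0/39 and gi0/40, the model reports hot-sby, since both are simply not bundled).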

In order to activate the AnyConnect SSL VPN for an iPhone/iPad, you will need to obtain and install two licenses on your ASA.

These licenses are “AnyConnect Mobile license” and “AnyConnect Essentials” or “AnyConnect Premium Clientless SSL VPN Edition”.

The Mobile license and essentials license are licensed per device. The amount of simultaneous users will depend on your device type.

Model    Simultaneous users
5505     25
5510     250
5520     750
5540     2500
5580-x   10,000

Instructions for installing the license will accompany the license so this won’t be covered here.

You can verify the license is installed by issuing a show version:
AnyConnect for Mobile : Enabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Enabled

You will need to download the app from the App Store (http://itunes.apple.com/us/app/cisco-anyconnect/id392790924).

Once the app is installed, you create an SSL VPN remote-access connection on the ASA. An example configuration is below.

! enable ssl vpn
webvpn
enable outside ! interface name
anyconnect-essentials
svc image disk0:/anyconnect-dart-win-2.5.1025-k9.pkg 1 ! image for windows client
svc image disk0:/anyconnect-linux-2.5.1025-k9.pkg 2 ! image for linux clients
svc enable
tunnel-group-list enable
! acl for split tunnel
access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0
! address pool for vpn clients
ip local pool VPN-POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
! acs is configured for authentication
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.100.100.100
! tunnel groups
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN-POOL
authentication-server-group TACACS
default-group-policy VPN
group-policy VPN attributes
dns-server value 10.10.10.10 10.11.11.11
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-ACL
default-domain value yourdomain.com ! default domain to append to queries from vpn host
split-dns value yourdomain.com ! vpn host will only send dns queries across the vpn for these configured domains

Note: Split-dns was required to allow DNS to resolve on the iPad when using split tunnels. This appears to be a bug or limitation of the iPad AnyConnect app.

When dealing with stub areas in OSPF, the ABR will suppress type 4 and 5 LSAs. To maintain connectivity the ABR will advertise a default route as a summary LSA (Type-3).

For NSSA, a default route is not propagated by default. You must explicitly tell the ABR to send the default route into the NSSA area. This default route will be an NSSA external route (Type-7).

router ospf <process_id>
area <area_id> nssa default-information-originate

The above command generates an NSSA external default route (LSA type-7) with metric type 2.

The metric type for the default route above can be changed to a Type 1 with the metric-type command.

router ospf <process_id>
area <area_id> nssa default-information-originate metric-type 1

If the area is configured as an NSSA totally stubby area, an inter-area default route (Type-3) is created on the ABR and sent into the NSSA totally stubby area.

router ospf <process_id>
area <area_id> nssa default-information-originate no-summary

The cost of the default route can be manually set as follows.

router ospf <process_id>
area <area_id> default-cost <cost>

I was using a tcl script with the IEWB to test connectivity. The extra data included with the pings made it difficult to check the connectivity. I found the below code, which pings multiple devices and outputs the results in a clean format (either OK or FAILED).


tclsh
proc ping { IP } {
set PING [ exec "ping $IP repeat 3" ]
set PING [ regexp -inline -all {[\.!]{3}} $PING ]
if { [ string first "!" $PING ] == -1 } {
puts "[format "%-40s %s" "ping $IP" "\[FAILED\]" ]"
} else {
puts "[format "%-40s %s" "ping $IP" "\[ OK \]" ]"
}
}
foreach address {
155.1.146.1
155.1.146.4
155.1.146.6
155.1.67.6
155.1.67.7
155.1.79.7
155.1.79.9
155.1.9.9
155.1.37.7
155.1.37.3
155.1.13.1
155.1.13.3
155.1.23.3
155.1.23.2
155.1.10.10
155.1.108.10
155.1.108.8
155.1.8.8
155.1.58.8
155.1.58.5
155.1.5.5
155.1.45.5
155.45.1.4
155.1.0.1
155.1.0.2
155.1.0.3
155.1.0.4
155.1.0.5
} { ping $address }

And here are my results.

ping 155.1.146.1 [ OK ]
ping 155.1.146.4 [FAILED]
ping 155.1.146.6 [ OK ]
ping 155.1.67.6 [ OK ]
ping 155.1.67.7 [ OK ]
ping 155.1.79.7 [ OK ]
ping 155.1.79.9 [FAILED]
ping 155.1.9.9 [FAILED]
ping 155.1.37.7 [ OK ]
ping 155.1.37.3 [ OK ]
ping 155.1.13.1 [ OK ]
ping 155.1.13.3 [ OK ]
ping 155.1.23.3 [ OK ]
ping 155.1.23.2 [ OK ]
ping 155.1.10.10 [FAILED]
ping 155.1.108.10 [FAILED]
ping 155.1.108.8 [ OK ]
ping 155.1.8.8 [ OK ]
ping 155.1.58.8 [ OK ]
ping 155.1.58.5 [ OK ]
ping 155.1.5.5 [ OK ]
ping 155.1.45.5 [ OK ]
ping 155.45.1.4 [FAILED]
ping 155.1.0.1 [ OK ]
ping 155.1.0.2 [ OK ]
ping 155.1.0.3 [ OK ]
ping 155.1.0.4 [ OK ]
ping 155.1.0.5 [ OK ]

I ran into an issue where connectivity would drop randomly for around 1 minute. Sometimes this would happen multiple times a day; other days had no issues. To help troubleshoot the issue, I created an IP SLA session spanning the path that tracks the last 25 failures.

ip sla 1
icmp-echo 10.1.1.1 source-ip 10.1.1.2
threshold 500
frequency 10
history filter failures
history buckets-kept 25
history lives-kept 1
ip sla schedule 1 life forever start-time now

I’ve been working on my CCIE for a few months. I utilize a Cisco 2511 to connect to my lab remotely. I’ve found the following to be useful when going through mockup labs.

Exit a command (ping, traceroute, etc)
press "ctrl+shift+6" twice consecutively

Remove all routing configuration
(config)# no ip routing
(config)# ip routing

Erase and reload all routers
You must have an active session from the 2511 (use "show session" to verify)

send *
{enter}
wr erase
no
reload
{enter}

I’ll add more things as i think of them.

You will need to download the NAM application image and maintenance image from cisco.com. In addition to the images you will need a server to load the images from. In this example I use an FTP server with a username/password of cisco/cisco.

The images used for this upgrade are:

  • c6svc-nam.5-1-1.bin.gz (Application Image)
  • c6svc-nam-maint.2-1-5.bin.gz (Maintenance Image)

The NAM module is a server that connects directly to the backplane of the 6500 chassis. The NAM has two disks it can boot from. The first is hdd:1, the hard drive, where the application image resides. The second is cf:1, a compact flash card, where the maintenance image resides.

To upgrade the application image, the NAM must be running from the maintenance image. To update the maintenance image, it must be running from the application image.

To upgrade to NAM version 5.1, you must be running version 2.1.5 of the maintenance image. I tried upgrading to 5.1 on a NAM using maintenance image 2.1.3 and the upgrade hung while downloading.

To start the upgrade process you need to log in to the 6500 with the NAM module. In this example, our NAM module is in slot 3. You can see in the example below that the NAM is running version 3.6(1a). You can also see that the application image is active; if the NAM were running the maintenance image, the Sw version would carry a trailing (m).

6500-1#sh mod 3 | inc MAC | Ok
Mod MAC addresses                      Hw    Fw      Sw       Status
  3 0016.9daa.aaaa to 0016.9daa.aaaa   4.0   7.2(1)  3.6(1a)  Ok

Next, we log in to the NAM. The default username/password for the application image is root/root.

6500-1#session slot 3 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open
Cisco Network Analysis Module
localhost.localdomain login: root
Password: root
Last login: Tue Sep 6 16:45:58 2011 from 127.0.0.71 on pts/1

Once we are logged in, we initiate the upgrade of the maintenance image from our ftp server.

root@localhost.localdomain# upgrade ftp://cisco:cisco@192.168.1.2/c6svc-nam-maint.2-1-5.bin.gz
Downloading the image...
ftp://cisco:cisco@192.168.1.2/c6svc-nam-maint.2-1-5.bin.gz (11971K)
- [########################] 11971K | 28690.93K/s
12259010 bytes transferred in 0.42 sec (28682.89k/sec)
Uncompressing the image...
Verifying the image...
Applying the Maintenance image.
This process may take several minutes...
Performing post install...
Maintenance image upgrade completed successfully.

The image is now upgraded and we exit back to the 6500 interface to boot to the newly updated maintenance image.
root@localhost.localdomain# exit
[Connection to 127.0.0.31 closed by foreign host]


Here we tell the 6500 to reboot to the maintenance image.
6500-1#hw-module module 3 reset cf:1
Device BOOT variable for reset =
Warning: Device list is not verified.
Proceed with reload of module?[confirm]
% reset issued for module 3
6500-1#

The NAM will take a few minutes to reboot. During this time, the module status will show as unknown. The status will show Ok once the NAM has finished loading.

6500-1#sh mod 3 | inc MAC | Ok
Mod MAC addresses                      Hw    Fw      Sw       Status
  3 0016.9daa.aaaa to 0016.9daa.aaaa   4.0   7.2(1)  2.1(5)m  Ok

We now need to log back in to the NAM. The default username/password for the NAM maintenance image is root/cisco.

6500-1#session slot 3 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open
Cisco Maintenance image
login: root
Password: cisco
Maintenance image version: 2.1(5)

We now update the application image from our FTP server. Note: we use the --install flag after the file name, which wipes the partition and performs a fresh install. This is a requirement for upgrading to the 5.x image from 3.x and 4.x.

root@localhost.localdomain#upgrade ftp://cisco:cisco@192.168.1.2/c6svc-nam.5-1-1.bin.gz --install
Downloading the image. This may take several minutes...
ftp://cisco:cisco@192.168.1.2/c6svc-nam.5-1-1.bin.gz (109432K)
/tmp/upgrade.gz [########################] 109432K | 42928.79K/s
112058634 bytes transferred in 2.55 sec (42926.75k/sec)
Upgrade file ftp://cisco:cisco@192.168.1.2/c6svc-nam.5-1-1.bin.gz is downloaded.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]: y
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
Creating NAM application image file...
Executing pre install actions...
Initializing the hard disk. This process may take several minutes...
Applying the image, this process may take several minutes...
Performing post install, please wait...
Application image upgrade complete. You can boot the image now.

The last step to get the NAM up and running is enabling the web server and creating a user.

root@localhost.localdomain# ip http server enable
No web users are configured.
Please enter a web administrator user name [admin]: user
New password:
Confirm password:
User user added.
Starting httpd
httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName

Embedded Packet Capture (EPC) is a way to capture packets directly on a router. These packet captures can then be sent to a server (FTP, SCP, HTTP, etc.) for analysis in a program such as Wireshark. EPC requires IOS version 12.4(20)T or later.

The configuration below sets up a capture on interface fa0/0 and exports the capture to an FTP server.

monitor capture buffer BUFFER
monitor capture buffer BUFFER size 512 max-size 256
monitor capture point ip cef FA0_0 fa0/0 both
monitor capture point asso FA0_0 BUFFER
monitor capture point start FA0_0
monitor capture buffer BUFFER export ftp://host/filename.pcap

The capture can be stopped with the following
monitor capture point stop FA0_0

You can determine if the capture is working with the following:
Rack1R1#show monitor capture buffer BUFFER parameters
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
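The "parameters" listing above is the check that tells you whether a capture is actually collecting anything: the capture point must be associated and Active, and the packet count must be climbing. The Python below is an added example, not part of the original post, that parses that output and applies the check; the sample text is a constructed copy of the listing above. It also estimates how many more packets the buffer can take, which matters for a linear buffer because capture stops once it is full; the estimate assumes every stored element is max-size bytes (the worst case), which is an approximation.

```python
import re

# Constructed copy of the "show monitor capture buffer BUFFER parameters" output above
SAMPLE = """\
Capture buffer BUFFER (linear buffer)
Buffer Size : 524288 bytes, Max Element Size : 256 bytes, Packets : 5
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : FA0_0, Status : Active
Configuration:
monitor capture buffer BUFFER size 512 max-size 256 linear
monitor capture point associate FA0_0 BUFFER
"""


def parse_capture_buffer(text):
    """Return buffer name/type, sizes, packet count and the status of each
    associated capture point, parsed from the parameters listing."""
    info = {"points": {}}
    m = re.search(r"^Capture buffer (\S+) \((\w+) buffer\)", text, re.M)
    if not m:
        raise ValueError("not a capture buffer parameters listing")
    info["name"], info["type"] = m.group(1), m.group(2)
    m = re.search(r"Buffer Size : (\d+) bytes, Max Element Size : (\d+) bytes, Packets : (\d+)", text)
    if not m:
        raise ValueError("buffer size line missing")
    info["size_bytes"], info["max_element"], info["packets"] = (int(x) for x in m.groups())
    # one "Name : X, Status : Y" line per associated capture point
    for name, status in re.findall(r"^Name : (\S+), Status : (\w+)", text, re.M):
        info["points"][name] = status
    return info


def capture_is_working(info, point):
    """True when the capture point is associated, Active, and packets have been stored."""
    return info["points"].get(point) == "Active" and info["packets"] > 0


def packets_until_full(info):
    """Worst-case number of further packets the buffer can hold (every element at
    max-size bytes). A linear buffer stops capturing when this reaches zero."""
    used = info["packets"] * info["max_element"]
    return max(info["size_bytes"] - used, 0) // info["max_element"]


if __name__ == "__main__":
    info = parse_capture_buffer(SAMPLE)
    print(info)
    print("FA0_0 working:", capture_is_working(info, "FA0_0"))
    print("packets until full (worst case):", packets_until_full(info))
```

For the listing above this reports the capture as working (FA0_0 Active, 5 packets) with room for at least 2043 more max-size packets in the 512 KB linear buffer; run it again a few seconds later and a packet count that has not moved is the first sign the capture point is not seeing the traffic you expect.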

More information can be found in the config guide under:

Cisco IOS Network Management Configuration Guide->Troubleshooting, Fault Management, and Logging->Embedded Packet Capture