1. Onboard Automation with
Embedded Event Manager
Shaila Sharmin
Senior Engineer, Core & IP Network
Banglalion Communications LTD

2. Index
• Embedded Event Manager (EEM) Overview
• Understanding EEM Event Detectors
• EEM Policies with sample scripts
• EEM Demos

3. Introduction: EEM(Embedded Event manager
)
EEM is a software component of cisco IOS, XR, and NX-OS that allows
you to run a script or a set of commands upon an event and makes life
easier for administrators by tracking and classifying events that take
place on a router and providing notification options for those events. .
There are two independent pieces: Applets and Scripting
-> Applets are a collection of CLI commands
-> Scripts are actions coded up in TCL(interpreter language)

4. EEM Core Event Detectors & Components
EEM detectors can be
1) Syslog
2) CLI events
3) Counter
4) Timers
5) SNMP
6) IP SLA and Netflows events.
7) None : simply "event manager run"
command.
EEM Components:
EEM server
EEM publisher (detector)
EEM subscriber (policy)

5. Determining the Version of EEM
CISCO ACCESS ROUTERS - Current Models
CISCO ACCESS ROUTERS - Old Models

6. Determining the Version of EEM
CISCO SERVICE AGGREGATION/CORE ROUTERS
CISCO CATALYST SWITCHES

7. Creating an EEM applet
There are three steps to creating this EEM applet.
1: Create the applet and give it a name
R6(config)#event manager applet Intf_Management
2: Tell the applet what to look out for
R6(config-applet)#event syslog pattern "%LINK-5-CHANGED: Interface Loopback0, changed state to administratively down“
3: What do you want the router to do when it sees what you have defined in step 2 – simple!
R6(config-applet)#action 1.0 cli command “enable”
R6(config-applet)#action 2.0 cli command “conf t”
R6(config-applet)#action 3.0 cli command "interface loopback 0"
R6(config-applet)#action 4.0 cli command “no shut”
R6(config-applet)#action 5.0 cli command "end"
R6(config-applet)#action 6.0 cli command "who"
R6(config-applet)#action 7.0 mail server "58.97.254.49" to "s.sharmin@banglalionwimax.com" from "s.sharmin@banglalionwimax.com" subject
"ISP1_Interface_loopback 0 SHUTDOWN" body "Current users $_cli_result"
R6(config-applet)#end

8. Sample EEM applet

9. EEM Event Detector – Syslog ED
Functionality
Triggers Event on Matches for Syslog Messages Based on Regular Expression
Example
event syslog pattern "%LINK-5-CHANGED: Interface Loopback0, changed state to
administratively down“
Use Case
Troubleshooting, Automatic Fault Detection and Alert

10. Syslog ED Example
Syslog messages are the messages that show up by default on console. This example shows the
syslog event detector.
Configuration:
SMTP Server is reachable, Loopback0 is up.

11. Syslog ED Example continue..
When the Loopback0interface has been shutdown, the below applet automatically runs to turn on the
interface and send the alert to specific email address including logged in user information.
To display the Embedded Event Manager events that have been triggered
in R1, use the following command:
Sample mail received by network administrator

12. EEM Event Detector – CLI ED
Functionality
Triggers Synchronous or Asynchronous Events When Certain CLI Is Executed. Allow
Custom CLI Creation (EEM 3.0).
Example
event cli pattern "reload" sync no skip yes occurs 1
Use Case
Config Management, Security, Feature Customization

13. CLI ED ED Example
It can take action based on commands that are used on the CLI
Configuration:
Instead of looking for a pattern in syslog, this time we’re waiting for a pattern entered onto the CLI.
break down :
event cli pattern: Defines the event criteria to initialize the EEM applet.
sync: Specifies if the policy should be executed synchronously before the CLI commands executes
skip: Indicates if the CLI commands should be executed
occurs: Indicates the number of occurrences before the EEM applet is triggers.
When we attempt to reload the router, the results are as expected

14. EEM Event Detector – Interface ED
Functionality
Triggers Event When Interface Counters Cross Threshold. 22 Counters Supported,
Including input_error, interface_reset, transmit_rate, etc.
Example
event tag if_1 interface name Fa0/0 parameter input_errors_crc entry-op ge entry-
val 10 entry-type increment poll-interval 60
Use Case
Real Time Alert and Recovery of Interface Error

15. Interface ED Example
Monitor CRC errors on multiple WAN interfaces and notify the operator (via e-mail) when an
interface has more than two errors per minute.
Configuration:
event manager applet multiple_if
event tag if_1 interface name Fa0/0 parameter input_errors_crc entry-op ge entry-val 2 entry-type increment poll-interval 60
event tag if_2 interface name Gi01/0 parameter input_errors_crc entry-op ge entry-val 2 entry-type increment poll-interval 60
trigger
correlate event if_1 or event if_2
action 1.0 syslog msg "CRC failure leased line $_interface_name"
action 2.0 mail server "58.97.254.49" to "s.sharmin@banglalionwimax.com" from "s.sharmin@banglalionwimax.com" subject "CRC problems on
$_info_routername interface $_interface_name" body "CRC failures have exceeded the threshold“
To view the registered policies on router R1, you can use the following command:

16. EEM Event Detector – Timer ED
Functionality
Triggers Events on Watchdog, Count Down, cron and Absolute Timer
Example
event timer cron cron-entry "0 19 * * 0-7"
event timer watchdog time 300
Use Case
System Monitoring via Periodic Action, Periodic Data Collection and Reporting

17. Timer ED Example
This applet is put into Cron, which will be triggered at the exact specific time. It is composed of 5
values separated by a space. Minutes hours day month {day of week (0-6, 0 is Sunday)}
Configuration:

18. EEM Event Detector – SNMP ED
Functionality
Triggers Event Based on SNMP OID Value Crossing Predefined Threshold
Example
event snmp oid " 1.3.6.1.4.1.9.9.109.1.1.1.1.5 " get-type exact entry-op ge entry-val
50 exit-op le exit-val 5 poll-interval 5
Use Case
System Stats Monitoring and Alerting, e.g. CPU and Memory Utilization

19. SNMP ED Example
Following EEM script run the command when the CPU goes above a certain value.
Configuration:
event manager applet highcpu
event snmp oid " 1.3.6.1.4.1.9.9.109.1.1.1.1.5 " get-type exact entry-op ge entry-val 50 exit-op le exit-val 5 poll-interval 5
action 1.0 cli command "enable"
action 2.0 cli command "show proc cpu sorted"
action 3.0 mail server "58.97.254.49" to "s.sharmin@banglalionwimax.com" from "s.sharmin@banglalionwimax.com" subject "High CPU Alert" body
"$_cli_result"
End
This will poll the five second CPU utilization of the route processor every five seconds. If the
utilization is at or above 50%, the event will fire. The event will not fire again until the CPU drops
below 5%, then goes back to 50%.
The definitions of variables are:
highcpu - name of the event manager applet/script
1.3.6.1.4.1.9.9.109.1.1.1.1.5 / cpmCPUTotal5min - Object identifier (OID) for polling the total CPU utilization of the route processor (RP)
entry-val 50 - CPU utilization that triggers the script
poll-interval 0.5 - Frequency (every 0.5 seconds) the script monitors the CPU

20. EEM Event Detector – IPSLA ED
Functionality
Trigger Events When IPSLA Test Results Cross Certain Threshold. Integrated with Auto
IPSLA Group to Monitor Large Number of IPSLA Operation Results
Example
event manager applet watch-jitter
event ipsla operation-id 1 reaction-type jitterAvg
action 001 cli command "enable"
action 002 if $_ipsla_measured_threshold_value > $_ipsla_threshold_rising
action 003 cli command "config t"
action 004 cli command "ip route 10.10.20.0 255.255.255.0 192.168.15.1"
action 005 cli command "end“
Use Case
Link Failure Detection, Diagnostics and Recovery
The definitions of variables are:
operation-id - Specifies the IP SLAs operation ID.
operation-id-value - Number in the range from 1 to 2147483647.
reaction-type - Specifies the reaction to be taken for the specified IP SLAs operation.
jitterAvg Jitter Average in both the directions

21. EEM TCL-Based Policy Example
EEM scripts are written using TCL. TCL
(Tool Control Language) is a scripting
language used by Cisco for testing and
automating of various functions in the
IOS. In this example, small TCL script
configured to check reachability of few
IP from the Core router.

22. EEM Demos

23. The Problem : An Enterprise network connected with two ISP. While load sharing
traffic with both ISP , if one link to ISP fails then traffic should shift to another ISP.
But NAT translations are not clearing after the primary link fails. When the primary
link recovers , traffic still going over the back-up link.
The Solution : Using IP SLA and EEM applet to failover the traffic using NAT.
1. Dual ISP: NAT Problem

24. Topology

25. EEM Action
event manager applet link-ISP-1-Down
event syslog pattern "1 ip sla 1 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "no ip nat inside source list 101 interface GigabitEthernet1/0 overload"
action 1.3 cli command "no ip nat inside source list 102 interface GigabitEthernet2/0 overload"
action 1.4 cli command "ip nat inside source list 100 interface GigabitEthernet2/0 overload"
event manager applet link-ISP-1-UP
event syslog pattern "1 ip sla 1 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "no ip nat inside source list 100 interface GigabitEthernet2/0 overload"
action 1.3 cli command "ip nat inside source list 102 interface GigabitEthernet2/0 overload"
action 1.4 cli command "ip nat inside source list 101 interface GigabitEthernet1/0 overload"
event manager applet link-ISP-2-Down
event syslog pattern "2 ip sla 2 reachability Up->Down"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "no ip nat inside source list 101 interface GigabitEthernet1/0 overload"
action 1.3 cli command "no ip nat inside source list 102 interface GigabitEthernet2/0 overload"
action 1.4 cli command "ip nat inside source list 100 interface GigabitEthernet1/0 overload"
event manager applet link-ISP-2-UP
event syslog pattern "2 ip sla 2 reachability Down->Up"
action 1.0 cli command "enable"
action 1.1 cli command "configure terminal"
action 1.2 cli command "no ip nat inside source list 100 interface GigabitEthernet1/0 overload"
action 1.3 cli command "ip nat inside source list 102 interface GigabitEthernet2/0 overload"
action 1.4 cli command "ip nat inside source list 101 interface GigabitEthernet1/0 overload"
!

26. Resources
• Support forums for this technology are GREAT
• “Living” documentat https://supportforums.cisco.com/docs/DOC-12757 Contains helpful tips
and tricks to get the most out of EEM .
• For reading material and further resources for this session,visit www.pearson-
books.com/CLMilan2014.
• https://networklessons.com/network-management/cisco-ios-embedded-event-manager/.
• http://www.techtutsonline.com/cisco-ios-embedded-event-manager/
• http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_bo
ok/nm_eem_overview.htmlfor basic info
• http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_bo
ok/nm_eem_policy_cli.htmlfor Policies Using the Cisco IOS CLI
• http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/configuration/guide/12_2sx/nm_12_2sx_bo
ok/nm_eem_policy_tcl.htmlfor Policies Using Tcl

27. Questions?