Tuesday, November 20, 2012

EEM Scripting



Welcome to the Embedded Event Manager (EEM) Scripting Community.

EEM is a flexible system designed to customize IOS, XR, and NX-OS. EEM allows you to automate tasks, perform minor enhancements and create workarounds.

With this community you can get help with EEM and scripting. You can download examples and useful scripts submitted by others to use in your environment. We encourage you to develop EEM scripts and share them with others by uploading them here.
Need help converting from applets to Tcl? Try our EEM Applet Converter.


 

Monitor MAC Address Table for Exhaustion

This Tcl policy was designed for the Catalyst 4000 series (e.g., 4500 and 4900 series) switches to check for ports that exceed a specified threshold of learned MAC addresses. If the threshold is exceeded for any interface, a syslog message is sent for that interface showing the number of learned MACs.
This policy requires one EEM environment variable to be set:
event manager environment learned_mac_threshold THRESHOLD
Where THRESHOLD is the number of MACs that can be learned on a port before the syslog will be sent.
This policy was tested on a Catalyst 4500 running 15.0(2)SG3.

TCL Script to log all Switch Interface Statistics to a CSV file

I have created a Tcl script which can tabulate all the interface statistics seen from the "show interface" command in a CSV file.
This CSV file is then copied to a TFTP server.
This can then be opened up in Excel.
This was created on a 3560 switch.
Copy the file onto the flash of the switch and run "tclsh switchstats.tcl" from the command line.
Multiple such files from different switches can be concatenated and consolidated into one large file.

Flexible Netflow cache table output formatter

Is your Flexible Netflow cache table too big to display on your screen? This simple script filters out unwanted columns of the cache table to show an abbreviated table that fits on your screen. This script is easily customized so you decide which columns you see.
cv.zip (2.2 K) Download

View Top Talkers in "real time" from CLI

This experimental script is similar to the Unix 'top' command except it provides an updating list of Top Talkers. The script works by taking 7-second snapshots of the netflow cache table and calculating the byte/packet difference between snapshots. This calculation is used to find the Bit/sec and Pkt/sec for each flow. Flows with the highest Bits/sec are output to the screen in a 'Top Talker' table. The script output is a growing list, so use 'term len 0' before running the script.
top.zip (14.4 K) Download

Email Top Talker reports from your router

Wouldn't it be nice if network devices could collect & process their own netflow data and email you the results? Well, now they can!
This Tcl script tracks the local netflow cache and generates "Top Talker" reports. Reports are run from the CLI or configured to run automatically from Kron with the results sent via email. The script works by tracking and periodically storing netflow cache data in local log files. The reporting engine analyzes the log files to provide Top Talker reports from any of the previous five days. This script runs locally and does not open or make network connections with the exception of the built-in IOS smtp_send_email function. Performs best on ISR G2 or similar with latest IOS.
netc.zip (19.0 K) Download

EEM Lightweight AAA Server Sample

Sample applet to deny certain users from running commands and to store each command that users have entered in a file. This applet compares the user running each command against a denylist file. If the user and command are listed in the denylist file, the user will not be able to run the command. This applet also creates a cmdhistory file that logs all commands. This applet currently registers against files in disk2:. Please modify the disk location before using it. EEM 4.0 is required to run this applet.
Sample denylist file:
cisco show users
cisco configure terminal
Applet:
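event manager applet testcli
 ! Match every CLI command; "sync yes" holds the command until the applet exits
 event cli pattern .* sync yes
 ! Open the denylist for reading and the command history for appending
 action 101 file open in disk2:denylist r
 action 102 file open out disk2:cmdhistory a
 action 103 file read in _jpres
 ! Build "<username> <command>" to compare against each denylist entry
 action 104 set tester "$_cli_username"
 action 105 append tester " $_cli_msg"
 action 106 foreach value "$_jpres" "\n"
 action 107  if $tester eq $value
 action 108   puts "$_cli_username is not authorized to run $_cli_msg"
 action 109   file puts out "REJECT: $_cli_username: $_cli_msg"
 ! Exit status 0: the command is not run
 action 110   exit 0
 action 111  end
 action 112 end
 action 113 file puts out "ACCEPT: $_cli_username: $_cli_msg"
 ! Exit status 1: the command is run
 action 114 exit 1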

Automatically Set Port Descriptions

In preparing for CiscoLive! in San Diego, I am provisioning our access layer 3560-E switches.  Since things have a tendency to change a lot at an event like CiscoLive! I thought it would be best to make sure our port descriptions are always up-to-date when it comes to reflecting what devices are connected.  To help me do that, I wrote up this small EEM applet policy.  It will update the port's description based on the CDP neighbor learned on that port.  This policy requires EEM 3.2, so you're looking at 12.2(55)SE or higher for the 3560s.  It will also work on 3750s and ISR G2 routers running 15.x code.
event manager applet update-port-description
 event neighbor-discovery interface regexp GigabitEthernet.* cdp add
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface $_nd_local_intf_name"
 action 4.0 cli command "description $_nd_cdp_entry_name:$_nd_port_id"

The result of this will be a description like the following on switch ports:
description SDCC_IDF_1.11:TenGigabitEthernet0/1

Ping Monitor

pingmon offers an easy way to check whether, e.g., provider links are working properly. It is very useful if you don't have external monitoring software or you don't trust it. pingmon uses the standard CLI ping, so it reports packet loss and min, average and max RTT. It runs at configurable intervals and sends as many pings as configured with the repeat counter. Results are written to daily rotated files. To ensure that flash doesn't run out of memory, the parameter "loghist" will keep an eye on it. With log level "debugging", pingmon will forward messages to the corresponding lines.
Attachments:
pingmon.tar.gz (3.4 K)

EASy Dynamic DHCP snooping

Assuming some PCs are legitimately using a fixed IP address (i.e., servers), that a switch has DHCP Snooping/IPSG active, and that you do not want to manage the switch at the port level, this script will disable DHCP Snooping for servers, assuming they are not trying to steal someone else's IP / MAC address.


Archive Config if Changes

This EEM script triggers on each configuration syslog message and, only when there is a change in the current running configuration, saves that configuration to the path configured under the "Configuration Replace and Rollback" IOS embedded feature on the router.

Send Show-tech via Email

This applet will email the output of 'show tech' using the command  'sendtech'. An alias may be used to create the command 'sendtech' to  manually trigger this applet. This applet may be also modified so the  output of 'show tech' will be attached to an open TAC.

Log User Name Information

Applet will send only the config deltas when a configuration change notification alarm is detected using the IOS config diff feature. In addition, the output of 'show archive log config all' will be provided in an email to show the user who made the configuration change.

Tweet from IOS

Have you ever wondered how to use twitter API from within IOS? Here's a simple example to get you started ...

Send Email

Script Info URL:
http://www.cisco.com/cdc_content_elements/flash/ios/ios_commercial/send_email/Send_Email.html
This Tcl script serves as a template that can be used when an email notification needs to be sent. A training video has been created for this script. Use the 'Script Info URL' to watch the video.

TCP Syn Flow Detection

The script checks the number of SYN-only flows in the given NetFlow monitor and raises syslog messages if any abnormal SYN flows are detected. The script also checks whether there is a sudden increase in SYN-only flows within a given time frame and generates a syslog message for that as well. The script can also shut down the concerned port if specified.

Tclsh menu-driven ACL editor

This is a tclsh script which allows one to edit access-lists configured on the local device using a menu interface. To invoke the script do the following:
Router#tclsh flash:edit_acl.tcl <ACL number>
For example, to edit ACL 113:
Router#tclsh flash:edit_acl.tcl 113

Email notify for PAT Changes

I use this to notify me when a PAT address changes at a home router.   We lock down by source route our DMVPN tunnels.  This program emails  the old and the new PAT address.

WAN Load Alarm

Tcl script sends an alarm via syslog and email if the WAN link  specified exceeds a specified load (wan_load_threshold) for more than a  specified duration of time (wan_load_duration). This script takes  samples of the txload/rxload in the output of 'show interface' at  specified intervals (wan_load_interval) to calculate the overall average  of each over the specified duration (wan_load_duration).

Application Failure Detection

Applet provides examples to monitor application features based on TCP  port availability. Cisco IP SLA and Embedded Object Tracking are used  to trigger these applets.

Server Fail Detection Down

Script Info URL:
http://www.cisco.com/cdc_content_elements/flash/ios/ios_commercial/server_failure_detection_down/Server_Failure_Detection_Down.html
 Applet sends an email notification when the tracked state of  icmp-echo to a particular server goes to a 'down' state. A training  video has been created for this script. Use the 'Script Info URL' to  watch the video.

Watch for NAT pool depletion

This EEM policy runs every 60 seconds, and checks a specified NAT  pool for its usage.  If that usage percentage exceeds a specified  amount, a syslog message is sent.  If the nat_pool_email_template  variable is defined and points to a valid EEM email template, the  threshold violation alert will also be sent via email.


1 comment:

  1. Wonderful post here about Embedded Event Manager (EEM) Scripting Community. It's really helpful for my team who are providing Embedded Product Engineering services and working with Teq Diligent company. I really appreciate your work.