EEM: Swapping the SoO
Continued from the previous post (paste the EIGRP SoO URL here)
Premise
iosv-6(config)#int gi0/1
iosv-6(config-if)#shut
iosv-6(config-if)#
*Sep 12 10:32:22.138: %DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 68.1.1.8 (GigabitEthernet0/1) is down: interface down
iosv-6(config-if)#
*Sep 12 10:32:24.106: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
*Sep 12 10:32:25.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
iosv-6(config-if)#do sh ip ro | b Gate
Gateway of last resort is not set
6.0.0.0/32 is subnetted, 1 subnets
C 6.6.6.6 is directly connected, Loopback0
16.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 16.1.1.0/24 is directly connected, GigabitEthernet0/0
L 16.1.1.6/32 is directly connected, GigabitEthernet0/0
66.0.0.0/32 is subnetted, 1 subnets
C 66.66.66.66 is directly connected, Loopback1
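Currently 16.1.1.0/24 and 58.1.1.0/24 carry the same SoO, 16:16, so the CE routers do not learn each other's routes across MPLS.
As a result, when the link that connects the CEs directly goes down, each side loses the routes to the other.
So we try configuring EEM to swap the SoO, using the link going down as the trigger.
Configuration 1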
iosv-5(config)#ip sla 1
iosv-5(config-ip-sla)#icmp-echo 68.1.1.8 source-int gi0/0
iosv-5(config-ip-sla-echo)#threshold 500
iosv-5(config-ip-sla-echo)#timeout 500
iosv-5(config-ip-sla-echo)#frequency 5
iosv-5(config-ip-sla-echo)#vrf bbb
iosv-5(config-ip-sla-echo)#exit
iosv-5(config)#ip sla schedule 1 life forever start now
iosv-5(config)#track 10 ip sla 1
iosv-5(config-track)#exit
iosv-5(config)#event manager applet EEM
iosv-5(config-applet)#event track 10 state down
iosv-5(config-applet)#action 1.1 cli command "conf t"
iosv-5(config-applet)#action 1.2 cli command "route-map SOO_2 permit 10"
iosv-5(config-applet)#action 1.3 cli command "no set extcommunity soo 16:16"
iosv-5(config-applet)#action 1.4 cli command "set extcommunity soo 58:58"
iosv-5(config-applet)#exit
iosv-5(config)#event manager applet EEM_UP
iosv-5(config-applet)#event track 10 state up
iosv-5(config-applet)#action 1.1 cli command "conf t"
iosv-5(config-applet)#action 1.2 cli command "route-map SOO_2 permit 10"
iosv-5(config-applet)#action 1.3 cli command "no set extcommunity soo 58:58"
iosv-5(config-applet)#action 1.4 cli command "set extcommunity soo 16:16"
iosv-5(config-applet)#end
★ Failure (very important)
iosv-8(config)#int gi0/1
iosv-8(config-if)#shut
iosv-5#debug event manager action cli
Debug EEM action cli debugging is on
iosv-5#
iosv-5#
iosv-5#
iosv-5#
*Sep 11 09:03:50.542: %TRACK-6-STATE: 10 ip sla 1 reachability Up -> Down
*Sep 11 09:03:50.576: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : CTL : cli_open called.
*Sep 11 09:03:50.580: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : **************************************************************************
*Sep 11 09:03:50.580: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * IOSv is strictly limited to use for evaluation, demonstration and IOS *
*Sep 11 09:03:50.580: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * education. IOSv is provided as-is and is not supported by Cisco's *
*Sep 11 09:03:50.581: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * Technical Advisory Center. Any use or disclosure, in whole or in part, *
*Sep 11 09:03:50.582: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * of the IOSv Software or Documentation to any third party for any *
*Sep 11 09:03:50.582: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * purposes is expressly prohibited except as otherwise authorized by *
*Sep 11 09:03:50.583: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * Cisco in writing. *
*Sep 11 09:03:50.583: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : **************************************************************************
*Sep 11 09:03:50.583: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:03:50.584: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5>conf t
*Sep 11 09:03:50.601: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : conf t
*Sep 11 09:03:50.602: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : ^
*Sep 11 09:03:50.602: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Sep 11 09:03:50.603: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT :
*Sep 11 09:03:50.603: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:03:50.604: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5>route-map SOO_2 permit 10
*Sep 11 09:03:50.715: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : route-map SOO_2 permit 10
*Sep 11 09:03:50.715: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : ^
*Sep 11 09:03:50.716: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Sep 11 09:03:50.716: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT :
*Sep 11 09:03:50.717: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:03:50.718: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5>no set extcommunity soo 16:16
*Sep 11 09:03:50.829: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : no set extcommunity soo 16:16
*Sep 11 09:03:50.830: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : ^
*Sep 11 09:03:50.830: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Sep 11 09:03:50.830: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT :
*Sep 11 09:03:50.830: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:03:50.831: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5>set extcommunity soo 58:58
*Sep 11 09:03:50.944: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : set extcommunity soo 58:58
*Sep 11 09:03:50.944: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : ^
*Sep 11 09:03:50.945: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Sep 11 09:03:50.946: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT :
*Sep 11 09:03:50.946: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:03:50.947: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : CTL : cli_close called.
*Sep 11 09:03:50.962:
*Sep 11 09:03:50.962: tty is now going through its death sequence
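iosv-5 is currently configured with privilege level 15 so that sessions skip user EXEC mode, but the CLI session that EEM opens is a separate thing and does not inherit that setting.
Therefore, when running CLI commands from EEM, the applet has to start with enable.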
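An added example (not from the original post): a Python check that reads debug event manager action cli output and lists every command the applet sent that IOS rejected, together with the mode it was typed in. This matters because show event manager history events on this page still reports the 09:03:50 run as success. The function names and the condensed sample lines (one shared timestamp) are assumptions made for illustration.

```python
import re

# One debug line: applet name, direction (IN = sent by EEM, OUT = device reply), text.
LINE = re.compile(r"%HA_EM-6-LOG: (\S+)\s*: DEBUG\(cli_lib\) :\s*:\s*(IN|OUT|CTL)\s*:\s?(.*)$")
# An IN line begins with the prompt the command was typed at: '>' user EXEC, '#' privileged.
PROMPT = re.compile(r"^(\S+?)([>#])(.*)$")

def audit(log):
    """Return one record per command the applet sent, with its mode and any CLI error."""
    sent, current = [], None
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        applet, kind, text = m.groups()
        if kind == "IN" and (p := PROMPT.match(text)):
            current = {"applet": applet, "command": p.group(3).strip(),
                       "mode": "user" if p.group(2) == ">" else "privileged",
                       "error": None}
            sent.append(current)
        elif kind == "OUT" and current and text.lstrip().startswith("% "):
            current["error"] = text.strip()  # IOS CLI errors begin with "% "
        elif kind == "CTL" and "cli_close" in text:
            current = None
    return sent

def rejected(log):
    """(mode, command) for every command IOS answered with an error."""
    return [(r["mode"], r["command"]) for r in audit(log) if r["error"]]

# Sample input condensed from the two debug captures on this page (constructed prefix).
_P = "*Sep 11 09:03:50.584: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : "
def _log(*parts):
    return "\n".join(_P + part for part in parts)

FAILED = _log("OUT : iosv-5>", "IN : iosv-5>conf t", "OUT : conf t", "OUT : ^",
              "OUT : % Invalid input detected at '^' marker.", "OUT : iosv-5>",
              "IN : iosv-5>route-map SOO_2 permit 10",
              "OUT : % Invalid input detected at '^' marker.", "CTL : cli_close called.")
FIXED = _log("OUT : iosv-5>", "IN : iosv-5>enable", "OUT : iosv-5#", "IN : iosv-5#conf t",
             "OUT : Enter configuration commands, one per line. End with CNTL/Z.",
             "IN : iosv-5(config)#route-map SOO_2 permit 10",
             "OUT : iosv-5(config-route-map)#", "CTL : cli_close called.")

if __name__ == "__main__":
    for name, log in (("FAILED", FAILED), ("FIXED", FIXED)):
        print(name, rejected(log) or "no rejected commands")
```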
Configuration 2
iosv-5(config)#event manager applet EEM
iosv-5(config-applet)#action 1.0 cli command "enable"
iosv-5(config-applet)#exit
iosv-5(config)#event manager applet EEM_UP
iosv-5(config-applet)#action 1.0 cli command "enable"
Verification 1: debug event manager action cli
iosv-5#
*Sep 11 09:10:30.566: %TRACK-6-STATE: 10 ip sla 1 reachability Up -> Down
*Sep 11 09:10:30.598: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : CTL : cli_open called.
*Sep 11 09:10:30.604: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : **************************************************************************
*Sep 11 09:10:30.604: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * IOSv is strictly limited to use for evaluation, demonstration and IOS *
*Sep 11 09:10:30.605: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * education. IOSv is provided as-is and is not supported by Cisco's *
*Sep 11 09:10:30.606: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * Technical Advisory Center. Any use or disclosure, in whole or in part, *
*Sep 11 09:10:30.606: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * of the IOSv Software or Documentation to any third party for any *
*Sep 11 09:10:30.607: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * purposes is expressly prohibited except as otherwise authorized by *
*Sep 11 09:10:30.608: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : * Cisco in writing. *
*Sep 11 09:10:30.609: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : **************************************************************************
*Sep 11 09:10:30.609: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5>
*Sep 11 09:10:30.610: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5>enable
*Sep 11 09:10:30.622: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5#
*Sep 11 09:10:30.623: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5#conf t
*Sep 11 09:10:30.635: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Sep 11 09:10:30.636: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5(config)#
*Sep 11 09:10:30.637: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5(config)#route-map SOO_2 permit 10
*Sep 11 09:10:30.751: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5(config-route-map)#
*Sep 11 09:10:30.751: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5(config-route-map)#no set extcommunity soo 16:16
*Sep 11 09:10:30.864: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5(config-route-map)#
*Sep 11 09:10:30.865: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : IN : iosv-5(config-route-map)#set extcommunity soo 58:58
*Sep 11 09:10:30.976: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : OUT : iosv-5(config-route-map)#
*Sep 11 09:10:30.977: %HA_EM-6-LOG: EEM : DEBUG(cli_lib) : : CTL : cli_close called.
Verification 2: show ip eigrp vrf topology
iosv-1#sh ip eigrp vrf bbb topo 58.1.1.0/24
EIGRP-IPv4 VR(cisco) Topology Entry for AS(100)/ID(16.1.1.1)
Topology(base) TID(0) VRF(bbb)
EIGRP-IPv4(100): Topology base(0) entry for 58.1.1.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 1310720
Descriptor Blocks:
5.5.5.5, from VPNv4 Sourced, Send flag is 0x0
Composite metric is (1310720/0), route is Internal (VPNv4 Sourced)
Vector metric:
Minimum bandwidth is 1000000 Kbit
Total delay is 10000000 picoseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 0
Originating router is 58.1.1.5
Extended Community: SoO:58:58
Verification 3: show ip route
iosv-8(config-if)#do sh ip ro | b Gate
Gateway of last resort is not set
6.0.0.0/32 is subnetted, 1 subnets
D 6.6.6.6 [90/131072] via 58.1.1.5, 00:02:42, GigabitEthernet0/0
8.0.0.0/32 is subnetted, 1 subnets
C 8.8.8.8 is directly connected, Loopback0
16.0.0.0/24 is subnetted, 1 subnets
D 16.1.1.0 [90/3072] via 58.1.1.5, 00:02:42, GigabitEthernet0/0
58.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 58.1.1.0/24 is directly connected, GigabitEthernet0/0
L 58.1.1.8/32 is directly connected, GigabitEthernet0/0
66.0.0.0/32 is subnetted, 1 subnets
D 66.66.66.66 [90/131072] via 58.1.1.5, 00:02:42, GigabitEthernet0/0
68.0.0.0/24 is subnetted, 1 subnets
D 68.1.1.0 [90/3328] via 58.1.1.5, 00:02:42, GigabitEthernet0/0
88.0.0.0/32 is subnetted, 1 subnets
C 88.88.88.88 is directly connected, Loopback1
Verification 4: ping
iosv-8(config-if)#do ping 6.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 6.6.6.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 11/13/17 ms
show commands likely to be useful
show event manager history
iosv-5#show event manager history events
No. Job Id Proc Status Time of Event Event Type Name
1 1 Actv success Mon Sep11 08:59:15 2023 track applet: EEM
2 2 Actv success Mon Sep11 09:03:10 2023 track applet: EEM_UP
3 3 Actv success Mon Sep11 09:03:50 2023 track applet: EEM
4 4 Actv success Mon Sep11 09:08:15 2023 track applet: EEM_UP
5 5 Actv success Mon Sep11 09:10:30 2023 track applet: EEM
6 6 Actv success Mon Sep11 09:16:45 2023 track applet: EEM_UP
show event manager policy registered
iosv-5#show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 applet user track Off Mon Sep 11 08:57:18 2023 EEM
track 10 state down
maxrun 20.000
action 1.0 cli command "enable"
action 1.1 cli command "conf t"
action 1.2 cli command "route-map SOO_2 permit 10"
action 1.3 cli command "no set extcommunity soo 16:16"
action 1.4 cli command "set extcommunity soo 58:58"
2 applet user track Off Mon Sep 11 08:58:34 2023 EEM_UP
track 10 state up
maxrun 20.000
action 1.0 cli command "enable"
action 1.1 cli command "conf t"
action 1.2 cli command "route-map SOO_2 permit 10"
action 1.3 cli command "no set extcommunity soo 58:58"
action 1.4 cli command "set extcommunity soo 16:16"
Reference
CCIE Enterprise Infrastructure Foundation, 2nd Edition
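Thoughts (not worth reading)
It's handy and interesting, but is it actually worth using in a production environment?
Verifying the behavior is a real hassle, and whatever is given to cli command is accepted as long as it is a string (even cli command "ABC" goes in), so it seems very likely to cause faults and would probably just add more points to isolate when troubleshooting.
It seems like it couldn't be deployed without pre-deployment testing that guarantees faults will absolutely, positively never occur.
↑ I read up on it.
So rather than being used for configuration changes like this one, it is more often used to automatically collect logs and configs with events such as link down as the trigger. Makes sense.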