© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect
© 2013 Cisco and/or its affiliates. All rights reserved.
Practical IOS Tools for (Not Only) Everyday Tasks
Prague, Clarion Hotel
10–11 April 2013
T-SDN3 L2
Radek Boch, CCIE #7095, Systems Engineer, Cisco, rboch@cisco.com
Cisco Open Network Environment – ONE

Preserve What is Working
• Resilience, Scale, Security
• Functionality and Rich Features
• Instrumentation

Evolve for New Requirements
• Operational Simplicity and Automations
• Programmability and Network-Awareness
• Upcoming Innovations

Open and Integrated Framework
• Software Defined Network concepts are a component of the Open Network Environment
• Existing APIs, Agents, Controllers and Infrastructure contribute

[Diagram: Open Network Environment]
• Network Programming: onePK, developer.cisco.com, CDN Training, Certification, Partners, EEM, EASy (Software), Architectures and Patterns
• Controllers: ONE/OpenFlow PoC, SBC, WLC, ..., CIN, CloudConnect, Sentinels, Agents
• Deployment and Virtualization: Nexus 1000v, CSR 1000v, VSG and vFW/ASA, vWAAS, vNAM, ..., Cisco OpenStack Ed., Blade Hosting (UCS-E, ...), Virtual Containers (AirVision, Cat, ISR, ASR, ...)

Scenarios and Motivations
Device Manageability Instrumentation Has Evolved Significantly
Device Manageability Instrumentation:
• Flexible NetFlow
• Auto IP SLA – delay, jitter, packet loss
• IP OAM – Ping, Trace, Config CLI; IP OAM – Ping, Trace, BFD; ISG per session
• 802.3ah – Link monitoring and remote fault indication
• 802.1ag – Continuity check, L2 ping, trace, AIS
• MPLS OAM – LSP ping, LSP trace, VCCV
• EEM – Embedded Event Manager
• EVENT-MIB – OID-based triggers, events or SNMP Set (IETF DISMON)
Embedded Event Manager (EEM)

[Diagram: EEM architecture]
Event Detectors (EDs):
• Syslog ED, Watchdog ED, Interface Counter ED, CLI ED, OIR ED, ERM ED, EOT ED, RF ED, none ED, GOLD ED, XML RPC ED
• SNMP EDs: Remote (notification), Local (notification, get/set)
• NetFlow ED, IPSLA ED, Route ED
• Timer EDs: cron, countdown
• HW EDs: fan, temperature, environment
• CDP/LLDP ED, 802.1x ED, MAC ED
Subsystems feeding the event detectors: Syslog, Event Process, Scheduler, Database, Interface Descriptor Blocks
Policies: EEM Applets (multi-event correlation), IOS.sh policies, application-specific TCL policies
Actions: Syslog, email notification, SNMP set, counter, CLI, SNMP get, SNMP notification, reload or switch-over
Problem: Cisco IOS Embedded Automation Systems often include multiple configuration items, files, checks and procedures.
Solution: Cisco EASy provides a simple packaging mechanism and an open-source EASy Installer. A developer guide is available online to assist with the creation of EASy packages.

If the OID Doesn't Exist – Custom MIB
Custom MIB Polling
Problem: Sometimes there is a show command, but no MIB support. What if we still want to collect the information via SNMP?
Solution: Automate custom MIB polling via EEM and Expression-MIB or RFC2982-MIB, depending on the Cisco IOS version.
See: Available as an EASy Package, http://www.cisco.com/go/easy. Scripts for ASR available from CiscoBeyond.

[Flowchart: Custom MIB Polling – decision points and options]
Decision points: No MIB coverage for CLI (see www.cisco.com/go/mibs)? Is Expression-MIB supported? Is RFC2982-MIB supported? Running 12.4(20)T or later?
• Option 1: Use EEM Tcl Policy based on the CLI interface for Expression-MIB
• Option 2: Use EEM Tcl Policy based on the SNMP interface of RFC2982-MIB
• Option 3: Use EEM Tcl Policy based on the SNMP interface of Expression-MIB
• Option 4: Use EEM 3.1
Verifying the Monitoring Config – EASy NMS Tester Package

Is Monitoring Actually Working?
Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.
Solution: Use the EASy NMS Tester Package, which generates test messages for each configured monitoring protocol.
1) Install and configure the EASy NMS Tester Package
2) The NMS Tester Package generates test messages (to the Syslog Server, SNMP NMS, Mail Server, Smart Call Home Gateway and cisco.com)
3) Verify the test messages
See: Available as an EASy Package, http://www.cisco.com/go/easy
Monitoring Remote Information

Receive Remote Information
Problem: Sometimes we want to receive remote information on a router or switch and be able to react to it locally, for example a notification from a UPS system.
Solution: Use network automation based on Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• Router/switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• Policy can query varbind info
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)

Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address <ups-ip-address> direction incoming
Router(config-applet)# action 010 ...
Router(config-applet)# action 020 ...

(The source address in the slide's command is not recoverable from the transcript and is shown as a placeholder. OID 1.3.6.1.6.3.1.1.4.1.0 is snmpTrapOID.0; 1.3.6.1.6.3.1.1.5.3 is the linkDown notification.)

[Diagram: Uninterruptible Power Supply sends SNMP trap "On Battery, 5 min remaining" to EEM on the router/switch]
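The matching rules of the applet above (trap OID, expected value, comparison operator, source address, direction) are easy to get wrong when the notification carries several varbinds. The following Python model, added here and not part of the Cisco deck, replays those rules over constructed SNMP notifications and then does what the slide calls "query varbind info": it reads the UPS minutes-remaining varbind to choose a local action. The trap payloads, the address 192.0.2.10 and the function names are constructed for this example; the UPS-MIB OID for upsEstimatedMinutesRemaining (1.3.6.1.2.1.33.1.2.3.0, RFC 1628) is assumed from the standard MIB, not from the slides.

```python
"""Added example (not Cisco code): model of EEM 'event snmp-notification'
matching and varbind inspection over constructed SNMP notifications."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Dict, Optional, Union

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, present in every SNMPv2 notification
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"         # linkDown, the value matched on the slide
UPS_MINUTES_REMAINING = "1.3.6.1.2.1.33.1.2.3.0"  # UPS-MIB upsEstimatedMinutesRemaining (assumed)

OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "gt": operator.gt, "le": operator.le, "ge": operator.ge}


@dataclass(frozen=True)
class Criteria:
    """Mirrors the keywords of 'event snmp-notification'."""
    oid: str
    oid_val: str
    op: str = "eq"
    src_ip_address: Optional[str] = None
    direction: str = "incoming"


@dataclass(frozen=True)
class Notification:
    """One received trap: sender, direction, and its varbinds (oid -> value)."""
    src_ip: str
    direction: str
    varbinds: Dict[str, Union[str, int]]


def _compare(actual, expected, op: str) -> bool:
    # eq/ne compare textually (OIDs, strings); the ordering operators need integers.
    if op in ("eq", "ne"):
        return OPS[op](str(actual), str(expected))
    try:
        return OPS[op](int(actual), int(expected))
    except (TypeError, ValueError):
        return False   # non-numeric varbind can never satisfy lt/gt/le/ge


def matches(criteria: Criteria, n: Notification) -> bool:
    """Would this notification trigger an applet configured with these criteria?"""
    if n.direction != criteria.direction:
        return False
    if criteria.src_ip_address and \
            ipaddress.ip_address(n.src_ip) != ipaddress.ip_address(criteria.src_ip_address):
        return False
    if criteria.oid not in n.varbinds:      # the matched OID must be in the trap
        return False
    return _compare(n.varbinds[criteria.oid], criteria.oid_val, criteria.op)


def decide_ups_action(n: Notification, shutdown_threshold_min: int = 5) -> str:
    """Local action chosen from the varbinds, as an EEM policy could do."""
    minutes = n.varbinds.get(UPS_MINUTES_REMAINING)
    if minutes is None:
        return "log-only"                   # no runtime estimate in this trap
    return "prepare-shutdown" if int(minutes) <= shutdown_threshold_min else "log"


# Constructed sample data: the slide's criteria and three notifications.
SLIDE_CRITERIA = Criteria(oid=SNMP_TRAP_OID, oid_val=LINK_DOWN, op="eq",
                          src_ip_address="192.0.2.10", direction="incoming")
UPS_LINKDOWN = Notification("192.0.2.10", "incoming",
                            {SNMP_TRAP_OID: LINK_DOWN, UPS_MINUTES_REMAINING: 5})
UPS_COLDSTART = Notification("192.0.2.10", "incoming",
                             {SNMP_TRAP_OID: "1.3.6.1.6.3.1.1.5.1"})
OTHER_HOST = Notification("192.0.2.99", "incoming", {SNMP_TRAP_OID: LINK_DOWN})

if __name__ == "__main__":
    for name, trap in [("ups linkDown", UPS_LINKDOWN), ("ups coldStart", UPS_COLDSTART),
                       ("other host", OTHER_HOST)]:
        print(name, "->", "trigger" if matches(SLIDE_CRITERIA, trap) else "ignore")
    print("action:", decide_ups_action(UPS_LINKDOWN))
```

Restricting on src-ip-address as the slide does is what keeps a spoofed or misdirected trap from driving a local action; the model returns False for the same trap from a different sender.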
Format and Share Information

Problem: How to actively gather and share information from a router, and from a few devices behind the router, across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, Event Management Software, Reporting, Provisioning and CRM Systems.
Solution 2: Use Cisco IOS Network Automation to collect and post the information.

Real-World Example: Format and Share Remote Information, using Cisco IOS Embedded Event Manager and Tcl
1. Import the http package into the EEM policy:
   namespace import ::http::*
2. Collect the information required
3. Build a query for the http POST operation:
   set my_query [::http::formatQuery status $my_info]
4. POST the information to a website:
   set my_reply [::http::geturl $my_server_url -query $my_query]
Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap
[Diagram: one packet, two flow monitors with different key fields]
Packet 1: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0

Flow Monitor 1 – Traffic Analysis Cache
Key Fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF
Non-Key Fields: Packets, Bytes, Timestamps, Next Hop Address
Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | ... | Pkts
3.3.3.3 | 2.2.2.2 | 23 | 22078 | 6 | 0 | E0 | ... | 1100

Flow Monitor 2 – Security Analysis Cache
Key Fields: Source IP, Dest IP, Input Interface, SYN Flag
Non-Key Fields: Packets, Timestamps
Source IP | Dest IP | Input IF | Flag | ... | Pkts
3.3.3.3 | 2.2.2.2 | E0 | 0 | ... | 11000

Traffic:
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields
Flexible NetFlow (FNF) – Key Fields (1/2) – For Your Reference
IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS, Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length
IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version, Payload Length, Protocol, Traffic Class, Flow Label, Option Header, Header Length
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
Flexible NetFlow (FNF) – Key Fields (2/2) – For Your Reference
Multicast: Replication Factor, RPF Check Drop, Is-Multicast
Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID (IPv4 flow only)
Flexible NetFlow (FNF) – Configuration – For Your Reference
1. Configure the Exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor (how do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface (on which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL
Applet action that raises the alert:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Resulting message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248
3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
Use cases: top (unexpected) talkers with low-TTL traffic; deviation from normal; senders with many low-TTL flows; take actions (block suspicious senders).
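To make the "aggregate ... sort highest counter bytes top N" view and the low-TTL heuristics concrete, here is a small Python model, added for this transcript and not Cisco code, that runs the same aggregation over a constructed flow cache and flags the senders the slide lists (top low-TTL talkers, senders with many low-TTL flows, deviation from a baseline). The flow records, addresses, thresholds and function names are all constructed for the example; it generalizes the slide's single query to any key field available on the record.

```python
"""Added example (not Cisco code): aggregation and low-TTL triage over a
constructed Flexible NetFlow cache, mirroring the 'show flow monitor ...
cache aggregate ... sort highest ... top N' view."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    ttl: int        # ipv4 ttl, a key field on the record used by the slide's applet
    packets: int
    bytes: int


# Constructed sample cache (not real traffic): one normal client, one host
# emitting many TTL<=5 probes, one large low-TTL UDP sender.
SAMPLE_CACHE = [
    FlowRecord("192.0.2.10", "198.51.100.5", 6, 40001, 443, 64, 120, 96000),
    FlowRecord("192.0.2.10", "198.51.100.6", 6, 40002, 443, 63, 80, 64000),
    FlowRecord("192.0.2.77", "198.51.100.5", 6, 51000, 22, 3, 1, 60),
    FlowRecord("192.0.2.77", "198.51.100.5", 6, 51001, 23, 2, 1, 60),
    FlowRecord("192.0.2.77", "198.51.100.5", 6, 51002, 80, 1, 1, 60),
    FlowRecord("192.0.2.77", "198.51.100.7", 17, 51003, 53, 4, 1, 80),
    FlowRecord("192.0.2.33", "198.51.100.9", 17, 5000, 5000, 2, 500, 750000),
]


def aggregate(cache: List[FlowRecord], key: str = "src", counter: str = "bytes",
              top: int = 10) -> List[Tuple[str, int]]:
    """Sum a counter per value of a key field, highest first, limited to top N.
    aggregate(cache, "src", "bytes", 10) is the slide's CLI query."""
    totals: Dict[str, int] = defaultdict(int)
    for f in cache:
        totals[getattr(f, key)] += getattr(f, counter)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def low_ttl_flows(cache: List[FlowRecord], ttl_max: int = 5) -> List[FlowRecord]:
    """The subset the EEM applet on the slide would have alerted on."""
    return [f for f in cache if f.ttl <= ttl_max]


def low_ttl_top_talkers(cache, ttl_max: int = 5, top: int = 10):
    """Top talkers restricted to low-TTL traffic: 'unexpected' senders stand out."""
    return aggregate(low_ttl_flows(cache, ttl_max), "src", "bytes", top)


def low_ttl_senders(cache, ttl_max: int = 5, min_flows: int = 3) -> Dict[str, int]:
    """Sources with at least min_flows low-TTL flows (scanning/traceroute-like pattern)."""
    counts: Dict[str, int] = defaultdict(int)
    for f in low_ttl_flows(cache, ttl_max):
        counts[f.src] += 1
    return {src: n for src, n in counts.items() if n >= min_flows}


def deviates_from_normal(current: int, baseline: int, factor: float = 3.0) -> bool:
    """Simple baseline check: current low-TTL flow count vs. an expected count."""
    return current > baseline * factor


if __name__ == "__main__":
    print("top talkers:", aggregate(SAMPLE_CACHE))
    print("low-TTL top talkers:", low_ttl_top_talkers(SAMPLE_CACHE))
    print("many low-TTL flows:", low_ttl_senders(SAMPLE_CACHE))
    print("deviation:", deviates_from_normal(len(low_ttl_flows(SAMPLE_CACHE)), baseline=1))
```

The blocking action mentioned on the slide is deliberately left out of the model: a low-TTL count is a triage signal, and the thresholds here are only the constructed ones the sample cache was built around.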
Dynamic SLAs – Using IPSLA and EEM

Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.

[Flowchart: Upon State Change]
Did the IP SLA operation time out?
• Yes: the tracked object is down; execute the down commands; if down-syslog is set, send the down syslog; done.
• No (the operation succeeded): the tracked object is up; execute the up commands; if up-syslog is set, send the up syslog; done.
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP Event Detector.
[Diagram: 1 – ASA active; 2 – shut the ASA-facing interfaces on the other cluster switch]
On the active cluster switches:
::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 oid_val 0 op ne
If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
  for each ASA-facing interface: shut
Embedded Automation Systems (EASy)
Custom HA EASy Package provides:
• Primary/Backup link failover
• Based on IP SLA metric
• Open source tutorial/framework
To use the package:
1. Browse and download the EASy package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message, but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. The tags will be appended to the Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted ...

Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels. Syslog if group CPU usage rises above 10% at an interval of 10 s.
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Resulting messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
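Both slides produce messages that only pay off once a collector does something with them: the ACE tag tells the SOC which entry fired, and the ERM rising/falling pair tells it how long the login processes were busy. The following Python, added here and not Cisco code, parses constructed copies of both message types, counts packets per ACE tag, and pairs each CPURESRISING with its CPURESFALLING to compute the episode length. The sample lines, addresses and function names are constructed; the bracketed `[tag]` suffix is the assumed form in which the log tag is appended, so the regex should be adjusted to match what a given IOS release emits.

```python
"""Added example (not Cisco code): syslog-side correlation for ACE log tags
and ERM CPU rising/falling events over constructed IOS messages."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\S* -> (?P<dst>\d+\.\d+\.\d+\.\d+)\S*"
    r"(?: \([^)]*\))?, (?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?"
)
CPU_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%SYS-\d-CPURES(?P<edge>RISING|FALLING): Resource group (?P<group>\S+) "
)
TS_FORMAT = "%b %d %H:%M:%S.%f"   # IOS timestamps carry no year

# Constructed sample messages (format assumed, see lead-in).
SAMPLE_LOG = [
    "Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGP: list access-control permitted tcp "
    "192.0.2.5(40000) -> 10.10.10.100(443), 1 packet [red-server]",
    "Apr 13 16:31:19.101: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp "
    "192.0.2.5 -> 10.10.10.200 (8/0), 1 packet [blue-server]",
    "Apr 13 16:31:20.000: %SEC-6-IPACCESSLOGP: list access-control permitted udp "
    "192.0.2.6(5353) -> 203.0.113.9(53), 3 packets",
    "Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing "
    "local cpu util 16% at process level more than the configured minor limit 10%",
    "Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer "
    "seeing local high cpu at process level for the configured minor limit 10%, current value 0%",
]


def ace_hit_counts(lines: List[str]) -> Dict[str, int]:
    """Packets per ACE tag; untagged hits (the catch-all ACE) are reported separately."""
    hits: Counter = Counter()
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            hits[m["tag"] or "untagged"] += int(m["count"])
    return dict(hits)


def ace_hits_by_source(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """(source, tag) -> packets, the view an analyst wants when a tag starts firing."""
    hits: Counter = Counter()
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            hits[(m["src"], m["tag"] or "untagged")] += int(m["count"])
    return dict(hits)


def correlate_cpu_events(lines: List[str]):
    """Pair RISING with the next FALLING for the same resource group.
    Returns (closed episodes as (group, start, seconds), still-open alarms)."""
    open_alarms: Dict[str, Tuple[str, datetime]] = {}
    episodes: List[Tuple[str, str, float]] = []
    for line in lines:
        m = CPU_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if m["edge"] == "RISING":
            open_alarms.setdefault(m["group"], (m["ts"], ts))   # keep the first rising edge
        elif m["group"] in open_alarms:
            start_str, start = open_alarms.pop(m["group"])
            episodes.append((m["group"], start_str, (ts - start).total_seconds()))
    return episodes, {g: s for g, (s, _) in open_alarms.items()}


if __name__ == "__main__":
    print(ace_hit_counts(SAMPLE_LOG))
    print(ace_hits_by_source(SAMPLE_LOG))
    print(correlate_cpu_events(SAMPLE_LOG))
```

A rising edge with no falling edge is returned as an open alarm rather than dropped, which is the case an on-call engineer actually needs to see.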
Verify Resource Utilization – Using ERM, EEM and onePK

Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP-format data and/or analyze it on the device.
3. Associate the capture point to the buffer:
Router# monitor capture point associate ...
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx.
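An EPC buffer exported in PCAP format is only useful if you can read it off-box without a full sniffer toolchain. The following Python, added for this transcript and not Cisco code, builds a constructed PCAP in memory, walks its global header and record headers (handling both byte orders and a truncated final record), and pulls source, destination, TTL and protocol out of each IPv4 frame so the capture can be summarized the way the earlier low-TTL slide does. The frames, addresses and function names are all constructed for the example.

```python
"""Added example (not Cisco code): minimal PCAP reader and IPv4 summary for
capture files exported from an EPC buffer, over a constructed capture."""
import struct
from collections import Counter
from ipaddress import IPv4Address
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"         # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"            # ts_sec, ts_usec, incl_len, orig_len


def ipv4_frame(src: str, dst: str, ttl: int, proto: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4 frame; MACs and checksum are zero (not validated here)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(packets: List[Tuple[int, int, bytes]], endian: str = "<") -> bytes:
    """Serialize (ts_sec, ts_usec, frame) tuples as a pcap file (constructed test data)."""
    out = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack(endian + RECORD_HDR, sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp, original length, frame bytes); raises ValueError on a bad file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl, orig = struct.unpack_from(endian + RECORD_HDR, data, off)
        off += 16
        if incl > snaplen or off + incl > len(data):
            raise ValueError("truncated record")
        yield sec + usec / 1e6, orig, data[off:off + incl]
        off += incl


def parse_ipv4(frame: bytes) -> Optional[Dict[str, object]]:
    """Return src/dst/ttl/proto for an Ethernet-encapsulated IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    return {"src": str(IPv4Address(frame[26:30])), "dst": str(IPv4Address(frame[30:34])),
            "ttl": frame[22], "proto": frame[23]}


def summarize(data: bytes, ttl_max: int = 5):
    """Packets per source and the list of low-TTL packets, as the earlier slide triages them."""
    per_src: Counter = Counter()
    low_ttl = []
    for _ts, _orig, frame in iter_pcap(data):
        hdr = parse_ipv4(frame)
        if hdr is None:
            continue
        per_src[hdr["src"]] += 1
        if hdr["ttl"] <= ttl_max:
            low_ttl.append(hdr)
    return dict(per_src), low_ttl


def capture_is_complete(data: bytes) -> bool:
    try:
        list(iter_pcap(data))
        return True
    except ValueError:
        return False


SAMPLE_CAPTURE = build_pcap([
    (1, 0, ipv4_frame("192.0.2.1", "198.51.100.1", 64, 6)),
    (1, 500000, ipv4_frame("192.0.2.2", "198.51.100.1", 2, 1)),
    (2, 0, ipv4_frame("192.0.2.2", "198.51.100.1", 1, 1)),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

The truncation check matters for EPC specifically: a circular buffer that wraps, or an export interrupted mid-record, yields a file whose last record header promises more bytes than follow, and a reader that silently returns a partial frame will misreport the capture.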
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running. And can you afford to power-cycle after OIR just for POST to run?

Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures; how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• OnDemand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST. Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
Device Manageability Instrumentation Has Evolved Significantly
Device Manageability Instrumentation
4
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Embedded Event
Manager
Syslog email
notification
SNMP set
Counter
CLI
Applets
SNMP
get
SNMP
notification
Application
specific
TCL
Policies
Reload or
switch-over
EEM Applets
multi-event-correlation
IOSsh
Policies
Actions
Event Detectors
Syslog
Event
Process
Scheduler
Database
Interface
Descriptor
Blocks
Syslog
ED
Watchdog
ED
Interface
Counter
ED
CLI
ED
OIR
ED
ERM
ED
EOT
ED
RF
ED
none
ED
GOLD
ED
XML
RPC
ED
SNMP
EDs
Remote
bull Notification
Local
bull Notification
bull GetSet
NetFlow
ED
IPSLA
ED
Route
ED
Timer
EDs
bull Cron
bull Count
down
HW
EDs
bull Fan
bull Temp
bull Env
bull
CDP
LLDP
ED
8021x
ED
MAC
ED
Embedded Event Manager (EEM)
5
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Cisco IOS Embedded Automation Systems often include multiple configuration items files checks and procedures
Solution Cisco EASy provides a simple packaging mechanism and open-source EASy Installer A developer guide is available online to assist with the creation of EASy packages
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
Device Manageability Instrumentation
Embedded Event Manager (EEM)

Policies: EEM Applets (CLI-configured, multi-event correlation), Tcl Policies, IOS.sh Policies.

Event Detectors (EDs), fed by the syslog event stream, the process scheduler, the database and the interface descriptor blocks:
• Syslog ED, Watchdog ED, Interface Counter ED, CLI ED, OIR ED, ERM ED, EOT ED, RF ED, "none" ED, GOLD ED, XML RPC ED
• SNMP EDs: remote notification; local notification and get/set
• NetFlow ED, IPSLA ED, Route ED
• Timer EDs: cron, countdown
• HW EDs: fan, temperature, environment, …
• CDP/LLDP ED, 802.1x ED, MAC ED

Actions a policy can take:
• Syslog and e-mail notification
• SNMP set, SNMP get, SNMP notification
• Counter
• CLI
• Application-specific actions
• Reload or switch-over
Problem: Cisco IOS Embedded Automation Systems often include multiple configuration items, files, checks and procedures.
Solution: Cisco EASy provides a simple packaging mechanism and an open-source EASy Installer. A developer guide is available online to assist with the creation of EASy packages.
If the OID doesn't exist – Custom MIB

Custom MIB Polling
Problem: Sometimes there is a show command, but no MIB support. What if we still want to collect the information via SNMP?
Solution: Automate custom MIB polling via EEM and Expression-MIB or RFC2982-MIB, depending on the Cisco IOS version.
See: Available as an EASy package, http://www.cisco.com/go/easy. Scripts for ASR are available from CiscoBeyond.

Starting point: no MIB coverage for the CLI output (see www.cisco.com/go/mibs). The decision tree asks three questions:
• Is Expression-MIB supported?
• Is RFC2982-MIB supported?
• Running 12.4(20)T or later?
and leads to one of four options:
• Option 1: Use an EEM Tcl policy based on the CLI interface for Expression-MIB
• Option 2: Use an EEM Tcl policy based on the SNMP interface of RFC2982-MIB
• Option 3: Use an EEM Tcl policy based on the SNMP interface of Expression-MIB
• Option 4: Use EEM 3.1
Verifying the Monitoring Config – EASy NMS Tester Package

Is Monitoring Actually Working?
Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.
Solution: Use the EASy NMS Tester Package, which generates test messages for each configured monitoring protocol.
1) Install and configure the EASy NMS Tester Package.
2) The NMS Tester Package generates test messages towards the Syslog server, the SNMP NMS, the mail server, and the Smart Call Home gateway and cisco.com.
3) Verify that the test messages arrived.
See: Available as an EASy package, http://www.cisco.com/go/easy
Monitoring Remote Information

Receive Remote Information
Problem: Sometimes we want to receive remote information on a router or switch and be able to react to it locally, for example a notification from a UPS system.
Solution: Use network automation based on the Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• The router or switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• The policy can query varbind information
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)

Scenario: the uninterruptible power supply sends the SNMP trap "On Battery, 5 min remaining"; EEM on the router reacts locally.

Example applet (the oid is snmpTrapOID.0 and the oid-val is the standard linkDown trap, 1.3.6.1.6.3.1.1.5.3):
Router(config)# event manager applet catch-a-trap
Router(config-applet)# description "test snmp notification unmanaged service"
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 …
Router(config-applet)# action 020 …
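The following is an added example, not code from the Cisco deck: it models how the EEM SNMP notification event detector's criteria (oid, oid-val, op, src-ip-address, direction) select a trap, and how a policy then reads further varbinds from it. The trap records, the UPS management address 10.51.89.176 and the ifIndex values are constructed sample data, and the policy body in catch_a_trap is hypothetical because the slide elides its actions.

```python
# Added example (not from the Cisco deck): how the EEM SNMP notification event
# detector's criteria (oid, oid-val, op, src-ip-address, direction) select a trap,
# and how a policy then reads further varbinds. Traps are modelled as plain
# records; the UPS address and the ifIndex values are constructed sample data.
import operator
from typing import NamedTuple, Optional, Tuple

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0 (SNMPv2-MIB)
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # linkDown, snmpTraps.3 (SNMPv2-MIB)
LINK_UP = "1.3.6.1.6.3.1.1.5.4"          # linkUp, snmpTraps.4 (SNMPv2-MIB)
IF_INDEX = "1.3.6.1.2.1.2.2.1.1"         # ifIndex column (IF-MIB), instance appended


class Trap(NamedTuple):
    src_ip: str
    direction: str                     # "incoming" (received) or "outgoing" (locally generated)
    varbinds: Tuple[Tuple[str, str], ...]


class EventSpec(NamedTuple):
    """Parameters of 'event snmp-notification oid ... oid-val ... op ... [src-ip-address ...] direction ...'."""
    oid: str
    oid_val: str
    op: str
    src_ip_address: Optional[str] = None   # omitted on the CLI: accept any sender
    direction: str = "incoming"


_OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
        "gt": operator.gt, "le": operator.le, "ge": operator.ge}


def _compare(op, actual, wanted):
    """Numeric comparison when both sides are integers, string comparison otherwise."""
    if actual.isdigit() and wanted.isdigit():
        return _OPS[op](int(actual), int(wanted))
    return _OPS[op](actual, wanted)


def varbind(trap, oid_prefix):
    """Value of the first varbind whose OID equals, or is an instance of, oid_prefix."""
    for oid, value in trap.varbinds:
        if oid == oid_prefix or oid.startswith(oid_prefix + "."):
            return value
    return None


def matches(spec, trap):
    """True when the trap satisfies every configured criterion of the event spec."""
    if trap.direction != spec.direction:
        return False
    if spec.src_ip_address is not None and trap.src_ip != spec.src_ip_address:
        return False
    actual = varbind(trap, spec.oid)
    return actual is not None and _compare(spec.op, actual, spec.oid_val)


def catch_a_trap(spec, trap):
    """Hypothetical policy body (the deck elides its actions): on a match, build the
    syslog line the applet would emit, quoting the ifIndex varbind from the trap."""
    if not matches(spec, trap):
        return None
    return f"linkDown from {trap.src_ip}, ifIndex {varbind(trap, IF_INDEX)}: take local action"


# The slide's event spec, with a constructed UPS management address.
UPS_SPEC = EventSpec(oid=SNMP_TRAP_OID, oid_val=LINK_DOWN, op="eq",
                     src_ip_address="10.51.89.176", direction="incoming")

SAMPLE_TRAPS = [  # constructed: only the first one satisfies UPS_SPEC
    Trap("10.51.89.176", "incoming", ((SNMP_TRAP_OID, LINK_DOWN), (IF_INDEX + ".3", "3"))),
    Trap("10.51.89.176", "incoming", ((SNMP_TRAP_OID, LINK_UP), (IF_INDEX + ".3", "3"))),
    Trap("10.51.89.200", "incoming", ((SNMP_TRAP_OID, LINK_DOWN), (IF_INDEX + ".1", "1"))),
    Trap("10.51.89.176", "outgoing", ((SNMP_TRAP_OID, LINK_DOWN), (IF_INDEX + ".3", "3"))),
]


def run_demo():
    """Apply the spec to each sample trap; wrong trap type, wrong sender and
    outgoing direction are all rejected."""
    return [catch_a_trap(UPS_SPEC, t) for t in SAMPLE_TRAPS]


if __name__ == "__main__":
    for line in run_demo():
        print(line or "(no match)")
```

The src-ip-address filter matters in practice: without it any host that can reach the router's SNMP trap port can drive the applet's local actions, so pin the sender (and, where possible, use SNMPv3 informs) before letting a policy shut interfaces or change configuration.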
Format and Share Information

Real-World Example: Format and Share Remote Information
Problem: How to actively gather and share information from a router, and from a few devices behind the router, across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.
Solution 2: Use Cisco IOS Network Automation to collect and post the information.

Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy
2. Collect the information required
3. Build a query for the HTTP POST operation
4. POST the information to a website

package require http                                            ;# 1. import the http package
# 2. collect the information required into $my_info (e.g. from a CLI command)
set my_query [::http::formatQuery status $my_info]              ;# 3. build the POST query
set my_reply [::http::geturl $my_server_url -query $my_query]   ;# 4. POST to $my_server_url
Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap
Key fields define a flow: a packet whose key fields match an existing cache entry updates that entry; a new combination creates a new entry. Non-key fields are only collected per flow. Two flow monitors with different key fields therefore aggregate the same packets differently.

Packet 1 arriving on Ethernet 0: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 protocol TCP (6), TOS byte 0.

Flow Monitor 1 – Traffic Analysis Cache
  Key fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF
  Non-key fields: Packets, Bytes, Timestamps, Next Hop Address

  Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | … | Pkts
  3.3.3.3   | 2.2.2.2 | 23          | 22078     | 6        | 0   | E0       | … | 1100

Flow Monitor 2 – Security Analysis Cache
  Key fields: Source IP, Dest IP, Input IF, SYN Flag
  Non-key fields: Packets, Timestamps

  Source IP | Dest IP | Input IF | Flag | … | Pkts
  3.3.3.3   | 2.2.2.2 | E0       | 0    | … | 11000

Traffic
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields
Flexible NetFlow (FNF) – Key Fields – 1/2 (For Your Reference)

IPv4: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS

IPv6: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version

Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
Flexible NetFlow (FNF) – Key Fields – 2/2 (For Your Reference)

Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Multicast (IPv4 flow only): Replication Factor, RPF Check Drop, Is-Multicast
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID
Flexible NetFlow (FNF) – Configuration (For Your Reference)

Four questions drive the configuration:
• Where do I want my data sent? (Exporter)
• What data do I want to meter? (Flow Record)
• How do I want to cache information? (Flow Monitor)
• On which interface do I want to monitor? (Interface)

1. Configure the Exporter
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

4. Apply to an Interface
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL
Goal: find the top (unexpected) talkers sending low-TTL traffic, deviations from normal, and senders with many low-TTL flows, then take action (block suspicious senders).

An EEM applet triggered by the NetFlow event detector raises a syslog message for each matching flow:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"

Resulting message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248

3. Use the syslog message and/or the show flow monitor <my-monitor> cache command:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
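The following is an added example, not code from the Cisco deck. It serves both the FNF recap above (how the same packets aggregate into one entry of 1100 packets in a monitor keyed on the 7-tuple and into one entry of 11000 packets in a monitor keyed on source, destination, interface and SYN flag) and the low-TTL use case on this slide: a check over the cache that names senders with many low-TTL flows, the sort-by-bytes top talkers view, and the syslog line the applet would emit. All packets are constructed sample data; the prober 10.0.0.66 and the field names are assumptions of this example.

```python
# Added example (not from the Cisco deck): a toy Flexible NetFlow cache showing
# how key fields decide aggregation, plus the low-TTL sender check described on
# the slide. All packets are constructed sample data, not a real capture.
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    ttl: int
    iif: str
    syn: bool
    length: int


class FlowMonitor:
    """One flow monitor: packets with identical key fields share a cache entry;
    the non-key fields (packets, bytes, lowest TTL seen) are aggregated there."""

    def __init__(self, name, key_fields):
        self.name = name
        self.key_fields = tuple(key_fields)
        self.cache = {}

    def update(self, pkt):
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.cache.setdefault(key, {"pkts": 0, "bytes": 0, "min_ttl": 255})
        entry["pkts"] += 1
        entry["bytes"] += pkt.length
        entry["min_ttl"] = min(entry["min_ttl"], pkt.ttl)

    def top_talkers(self, field, n=10):
        """With field='src': the equivalent of 'show flow monitor <m> cache
        aggregate ipv4 source address sort highest counter bytes top N'."""
        idx = self.key_fields.index(field)
        per_value = defaultdict(int)
        for key, entry in self.cache.items():
            per_value[key[idx]] += entry["bytes"]
        return sorted(per_value.items(), key=lambda kv: kv[1], reverse=True)[:n]


def low_ttl_senders(monitor, ttl_limit=5, min_flows=3):
    """Sources with at least min_flows cache entries whose lowest TTL is below
    ttl_limit: the 'senders with many low-TTL flows' the slide wants to block."""
    idx = monitor.key_fields.index("src")
    flows = defaultdict(int)
    for key, entry in monitor.cache.items():
        if entry["min_ttl"] < ttl_limit:
            flows[key[idx]] += 1
    return {src: n for src, n in flows.items() if n >= min_flows}


def build_sample_packets():
    """Constructed traffic: the deck's Packet 1 repeated 1100 times, 9900 more
    packets between the same hosts on other ports, one low-TTL prober hitting
    eight destinations with TTL 2, and one normal host."""
    pkts = [Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, 64, "E0", False, 60)] * 1100
    pkts += [Packet("3.3.3.3", "2.2.2.2", 40000 + i % 100, 80, 6, 0, 64, "E0", False, 60)
             for i in range(9900)]
    pkts += [Packet("10.0.0.66", f"2.2.2.{10 + i}", 5555, 80, 6, 0, 2, "E0", True, 40)
             for i in range(8)]
    pkts.append(Packet("10.0.0.7", "2.2.2.2", 50000, 443, 6, 0, 63, "E0", True, 60))
    return pkts


def run_demo():
    """Feed the same packets to the two monitors of the recap slide."""
    traffic = FlowMonitor("traffic-analysis", ["src", "dst", "sport", "dport", "proto", "tos", "iif"])
    security = FlowMonitor("security-analysis", ["src", "dst", "iif", "syn"])
    for pkt in build_sample_packets():
        traffic.update(pkt)
        security.update(pkt)
    return traffic, security


if __name__ == "__main__":
    traffic, security = run_demo()
    print(len(traffic.cache), "traffic entries;", len(security.cache), "security entries")
    print("top talkers by bytes:", traffic.top_talkers("src", 3))
    for src, n in low_ttl_senders(traffic).items():
        print(f"%HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from {src} ({n} flows)")
```

The prober never shows up in the top-talkers view (320 bytes against 660000 for the telnet/web traffic), which is the point of the slide: low-TTL detection needs a per-sender flow count, not a byte count, and the threshold for "many flows" has to come from a baseline of normal traffic on that interface.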
Dynamic SLAs – Using IPSLA and EEM

Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.

Upon a state change of the tracked object:
• Did the IP SLA operation time out?
  – Yes: the tracked object is down. Execute the "down" commands; if down-syslog is set, send the down syslog. Done.
  – No (the operation succeeded): the tracked object is up. Execute the "up" commands; if up-syslog is set, send the up syslog. Done.
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP notification event detector.

On the active cluster switches:
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
  for each ASA-facing interface: shut

Sequence: 1 – ASA becomes active; 2 – shut the ASA-facing interfaces (on each switch).
Embedded Automation Systems (EASy)
The Custom HA EASy Package provides:
• Primary/Backup link failover
• Based on an IP SLA metric
• Open-source tutorial/framework
To use the package:
1. Browse and download the EASy package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message, but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE, Access Control Entry) was kicking in.

1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any

2. The tags are appended to the Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
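The following is an added example, not code from the Cisco deck: the SOC-side half of this slide, a parser that correlates %SEC-6-IPACCESSLOG* messages back to the tagged ACE that produced them and aggregates packets and distinct sources per tag. The ACL is the one from the slide; the syslog lines (including the untagged mgmt-in hit and the unrelated %SYS message) are constructed sample input, and the message layout after "permitted"/"denied" is assumed from the standard IOS format, which the slide only shows truncated.

```python
# Added example (not from the Cisco deck): correlate ACL-hit syslog messages back
# to the tagged ACE that produced them. The ACL is the one from the slide; the
# syslog lines are constructed sample input in the %SEC-6-IPACCESSLOG* format.
import re
from collections import defaultdict

ACL_TEXT = """\
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
"""

# Constructed messages: tagged hits, an untagged hit from another ACL, and noise.
SAMPLE_LOG = """\
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.5(51022) -> 10.10.10.100(22), 1 packet [red-server]
Apr 13 16:31:19.001: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 10.1.1.5 -> 10.10.10.200 (8/0), 1 packet [blue-server]
Apr 13 16:36:20.330: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.5(51023) -> 10.10.10.100(22), 5 packets [red-server]
Apr 13 16:36:25.002: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.9(4444) -> 10.10.10.100(23), 1 packet [red-server]
Apr 13 16:37:00.115: %SEC-6-IPACCESSLOGP: list mgmt-in denied tcp 192.0.2.9(1024) -> 10.10.10.250(23), 3 packets
Apr 13 16:37:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Handles the port-carrying (P) and ICMP type/code (DP) variants, with or without a tag.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+(?:\.\d+){3})(?:\(\d+\))? -> (?P<dst>\d+(?:\.\d+){3})(?:\(\d+\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?"
)


def ace_by_tag(acl_text):
    """Map each 'log <tag>' / 'log-input <tag>' word to the ACE line carrying it."""
    tags = {}
    for line in acl_text.splitlines():
        m = re.search(r"\blog(?:-input)?\s+(\S+)\s*$", line)
        if m:
            tags[m.group(1)] = line.strip()
    return tags


def correlate(log_text, acl_text):
    """Aggregate hits per (ACL, tag): packet count, distinct sources, matching ACE.
    Untagged messages are kept under the pseudo-tag 'untagged' so they are not lost."""
    aces = ace_by_tag(acl_text)
    hits = defaultdict(lambda: {"packets": 0, "sources": set(), "ace": None})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not an ACL-hit message
        tag = m["tag"] or "untagged"
        h = hits[(m["acl"], tag)]
        h["packets"] += int(m["count"])
        h["sources"].add(m["src"])
        h["ace"] = aces.get(tag)
    return dict(hits)


def noisiest(hits):
    """The (ACL, tag) pair with the most packets: the ACE worth looking at first."""
    return max(hits, key=lambda k: hits[k]["packets"])


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG, ACL_TEXT)
    for (acl, tag), h in sorted(result.items()):
        print(f"{acl}/{tag}: {h['packets']} packets from {sorted(h['sources'])} -> {h['ace']}")
    print("noisiest:", noisiest(result))
```

Two caveats a practitioner should keep in mind: IOS rate-limits ACL logging and reports aggregated packet counts per interval, so the counts are a lower bound for the real traffic, and a tag only resolves to an ACE if the running ACL is the one the parser was given, so fetch the ACL text from the device rather than from a stale change ticket.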
Verify Resource Utilization – using ERM, EEM and onePK

Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical or suspicious levels: syslog if the group's CPU usage rises above 10% at an interval of 10 s.

resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy

Resulting syslog messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 0%)
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.

resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem

event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike" body "ERM policy critmem: processor memory above 80%"
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP-format data and/or analyze it on the device.
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx.

3. Associate the capture point to the buffer:
Router# monitor capture point associate …
Early Detection – GOLD

POST (Power-On Self-Test) is great, but some errors you would prefer to know about while the system is up and running. And can you afford to power-cycle after OIR just for POST to run?

Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures; how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• OnDemand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com

Questions and answers
We will also answer questions in the "Ptali jste se" ("You asked") session in hall LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com

Please rate this presentation.
Thank you for your attention.
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Embedded Event
Manager
Syslog email
notification
SNMP set
Counter
CLI
Applets
SNMP
get
SNMP
notification
Application
specific
TCL
Policies
Reload or
switch-over
EEM Applets
multi-event-correlation
IOSsh
Policies
Actions
Event Detectors
Syslog
Event
Process
Scheduler
Database
Interface
Descriptor
Blocks
Syslog
ED
Watchdog
ED
Interface
Counter
ED
CLI
ED
OIR
ED
ERM
ED
EOT
ED
RF
ED
none
ED
GOLD
ED
XML
RPC
ED
SNMP
EDs
Remote
bull Notification
Local
bull Notification
bull GetSet
NetFlow
ED
IPSLA
ED
Route
ED
Timer
EDs
bull Cron
bull Count
down
HW
EDs
bull Fan
bull Temp
bull Env
bull
CDP
LLDP
ED
8021x
ED
MAC
ED
Embedded Event Manager (EEM)
5
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Cisco IOS Embedded Automation Systems often include multiple configuration items files checks and procedures
Solution Cisco EASy provides a simple packaging mechanism and open-source EASy Installer A developer guide is available online to assist with the creation of EASy packages
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
Questions and Answers
We will also answer questions in the "Ptali jste se" (You asked) session in hall LEO, 17:45 – 18:30.
E-mail: connect-cz@cisco.com

Please rate this presentation.

Thank you for your attention.
Problem: Cisco IOS Embedded Automation Systems often include multiple configuration items, files, checks and procedures.
Solution: Cisco EASy provides a simple packaging mechanism and an open-source EASy Installer. A developer guide is available online to assist with the creation of EASy packages.

If the OID Doesn't Exist – Custom MIB
Custom MIB Polling

Problem: Sometimes there is a show command – but no MIB support. What if we still want to collect the information via SNMP?
Solution: Automate custom MIB polling via EEM and the Expression-MIB or the RFC2982-MIB, depending on the Cisco IOS version.

The decision chart on the slide starts from "no MIB coverage for the CLI output" (check www.cisco.com/go/mibs first) and asks three questions – Is the router running 12.4(20)T or later? Is the Expression-MIB supported? Is the RFC2982-MIB supported? – to pick one of four options:
• Option 1: EEM Tcl policy based on the CLI interface for the Expression-MIB
• Option 2: EEM Tcl policy based on the SNMP interface of the RFC2982-MIB
• Option 3: EEM Tcl policy based on the SNMP interface of the Expression-MIB
• Option 4: Use EEM 3.1

See: available as an EASy package, http://www.cisco.com/go/easy. Scripts for ASR are available from CiscoBeyond.
Verifying the Monitoring Config – EASy NMS Tester Package

Is Monitoring Actually Working?
Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.
Solution: Use the EASy NMS Tester Package, which generates test messages for each configured monitoring protocol.

1) Install and configure the EASy NMS Tester Package.
2) The NMS Tester Package generates test messages towards the Syslog server, the SNMP NMS, the mail server, and the Smart Call Home gateway / cisco.com.
3) Verify that the test messages arrived.

See: available as an EASy package, http://www.cisco.com/go/easy
Monitoring Remote Information

Receive Remote Information
Problem: Sometimes we want to receive remote information on a router or switch and be able to react to it locally – for example a notification from a UPS system.
Solution: Use network automation based on the Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• The router/switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• The policy can query varbind information
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)

  Router(config)# event manager applet catch-a-trap
  Router(config-applet)# description "test snmp notification unmanaged service"
  Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 10.5.189.176 direction incoming
  Router(config-applet)# action 010 …
  Router(config-applet)# action 020 …

The applet matches a notification whose snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0) equals linkDown (1.3.6.1.6.3.1.1.5.3) and that arrives from 10.5.189.176; the action lines are elided on the slide. Note that src-ip-address is a filter on an unauthenticated UDP source address, not a proof of origin, so the actions it triggers should be ones you can tolerate a spoofed trap invoking.

Diagram: a UPS sends an SNMP trap (On Battery, 5 min remaining) to the routers/switches running EEM, which react locally.
Format and Share Information

Real-World Example: Format and Share Remote Information
Problem: How do we actively gather and share information from a router and from a few devices behind the router – across organizational and technical borders?
Sol(1): Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.
Sol(2): Use Cisco IOS network automation to collect and post the information.

Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy
2. Collect the information required
3. Build a query for the http POST operation
4. POST the information to a website

  package require http                 ;# load the http package inside the EEM Tcl policy
  namespace import ::http::*
  # ... collect the information into $my_info ...
  set my_query [::http::formatQuery status $my_info]
  set my_reply [::http::geturl $my_server_url -query $my_query]   ;# -query makes this a POST
  ::http::cleanup $my_reply             ;# release the token once the reply has been processed

Keep in mind that geturl posts in cleartext unless an HTTPS transport has been registered, so anything sensitive in $my_info leaves the router unprotected.
Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap

Key fields of packet 1: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS byte 0, Input Interface Ethernet 0.

Flow Monitor 1 – Traffic Analysis Cache. Key fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF. Non-key fields: Packets, Bytes, Timestamps, Next Hop Address.

  Source IP  Dest IP  Src Port  Dst Port  Protocol  TOS  Input IF  …  Pkts
  3.3.3.3    2.2.2.2  23        22078     6         0    E0        …  1100

Flow Monitor 2 – Security Analysis Cache. Key fields: Source IP, Dest IP, Input Interface, SYN Flag. Non-key fields: Packets, Timestamps.

  Source IP  Dest IP  Input IF  Flag  …  Pkts
  3.3.3.3    2.2.2.2  E0        0     …  11000

Traffic
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields
Flexible NetFlow (FNF) – Key Fields – 1/2 (for your reference)

IPv4: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Protocol, Options bitmap, Fragmentation Flags, Fragmentation Offset, Version, Precedence, DSCP, TOS, Identification, Header Length, Total Length
IPv6: IP (source or destination), Prefix (source or destination), Mask (source or destination), Minimum-Mask (source or destination), Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Traffic Class, Flow Label, Protocol, Extension Headers, Hop-Limit, Length, Option Header, Next-header, Header Length, Version, Payload Length
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
Flexible NetFlow (FNF) – Key Fields – 2/2 (for your reference)

Multicast: Replication Factor, RPF Check Drop, Is-Multicast
Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type (IPv4 flow only), TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID
Flexible NetFlow (FNF) – Configuration (for your reference)

1. Configure the exporter – where do I want my data sent?
  Router(config)# flow exporter my-exporter
  Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the flow record – what data do I want to meter?
  Router(config)# flow record my-record
  Router(config-flow-record)# match ipv4 destination address
  Router(config-flow-record)# match ipv4 source address
  Router(config-flow-record)# collect counter bytes
3. Configure the flow monitor – how do I want to cache the information?
  Router(config)# flow monitor my-monitor
  Router(config-flow-monitor)# exporter my-exporter
  Router(config-flow-monitor)# record my-record
4. Apply to an interface – on which interface do I want to monitor?
  Router(config)# interface s3/0
  Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL

  action 10 syslog msg "Low-TTL flow from $_nf_source_address"

  Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.224.8

3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
  Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10

Use this to find the top (unexpected) talkers with low-TTL traffic, deviation from normal, and senders with many low-TTL flows – and to take action (block suspicious senders).
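To make the recap, configuration and low-TTL slides concrete, here is an added example (my own, not Cisco's, and not code that runs on the box): a small Python emulation of Flexible NetFlow in which a monitor is a set of key (`match`) fields plus non-key (`collect`) fields, the two monitors from the recap slide are fed the same constructed packets, the `show flow monitor … cache aggregate … sort highest counter … top 10` query is reproduced, and the applet's "Low-TTL flow from" alert is raised when a flow is created with a TTL below a threshold. The packet mix (a telnet session, a bulk transfer and a TTL-3 port scan), the threshold of 10 and the field names are assumptions for the example; the EEM NetFlow event-detector syntax itself is not reproduced, and cache aging (active/inactive timeouts) is omitted.

```python
"""Flexible NetFlow emulated offline: key vs. non-key fields, two monitors over the same
packets, `cache aggregate ... top N`, and the low-TTL trigger from the EEM slide (added example)."""
from collections import defaultdict


class FlowMonitor:
    """One FNF monitor: a record (match = key fields, collect = non-key fields) and its cache."""

    def __init__(self, name, match, collect):
        self.name, self.match, self.collect = name, tuple(match), tuple(collect)
        self.cache = {}

    def observe(self, pkt):
        """Update the cache for one packet; returns (flow key, True if the flow was just created)."""
        key = tuple(pkt[f] for f in self.match)
        created = key not in self.cache
        rec = self.cache.setdefault(key, {"packets": 0, "bytes": 0, "first": pkt["ts"]})
        rec["packets"] += 1
        rec["bytes"] += pkt["len"]
        rec["last"] = pkt["ts"]
        for f in self.collect:                    # non-key fields never split a flow; last value wins
            rec[f] = pkt[f]
        return key, created

    def aggregate(self, field, sort_by="bytes", top=10):
        """`show flow monitor <m> cache aggregate <field> sort highest counter <sort_by> top <n>`,
        with `flows` (cache entries per value) added as a third sort criterion."""
        i = self.match.index(field)
        totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
        for key, rec in self.cache.items():
            t = totals[key[i]]
            t["packets"] += rec["packets"]
            t["bytes"] += rec["bytes"]
            t["flows"] += 1
        return sorted(totals.items(), key=lambda kv: kv[1][sort_by], reverse=True)[:top]


def feed(monitor, packets, ttl_limit=10):
    """Run packets through a monitor; emulate the applet's action on flow creation with a low TTL."""
    alerts = []
    for p in packets:
        _, created = monitor.observe(p)
        if created and p["ttl"] < ttl_limit:
            alerts.append(f"Low-TTL flow from {p['src']}")
    return alerts


def sample_packets():
    """Constructed traffic: the recap slide's telnet flow (3.3.3.3 -> 2.2.2.2, 1100 packets),
    a bulk transfer, and a port scan whose SYNs arrive with TTL 3 (30 ports)."""
    base = dict(dst="2.2.2.2", proto=6, tos=0, in_if="E0", next_hop="2.2.2.1")
    pk = [dict(base, ts=i, src="3.3.3.3", sport=23, dport=22078, syn=0, ttl=62, len=64)
          for i in range(1100)]
    pk += [dict(base, ts=2000 + i, src="10.1.1.5", sport=40000, dport=445, syn=0, ttl=120, len=1400)
           for i in range(50)]
    pk += [dict(base, ts=3000 + p, src="192.168.224.8", sport=50000 + p, dport=p, syn=1, ttl=3, len=60)
           for p in range(1, 31)]
    return pk


def run(packets=None):
    """Build the two monitors from the recap slide, feed the same packets to both, query the caches."""
    packets = packets or sample_packets()
    traffic = FlowMonitor("traffic-analysis",
                          match=("src", "dst", "sport", "dport", "proto", "tos", "in_if"),
                          collect=("ttl", "next_hop"))
    security = FlowMonitor("security-analysis", match=("src", "dst", "in_if", "syn"), collect=("ttl",))
    return {
        "traffic_alerts": feed(traffic, packets),
        "security_alerts": feed(security, packets),
        "traffic_flows": len(traffic.cache),
        "security_flows": len(security.cache),
        "top_bytes": traffic.aggregate("src", "bytes", top=10),
        "top_flows": traffic.aggregate("src", "flows", top=3),
    }


if __name__ == "__main__":
    r = run()
    print(r["traffic_flows"], "flows in the traffic cache,", r["security_flows"], "in the security cache")
    print(len(r["traffic_alerts"]), "low-TTL alerts, first:", r["traffic_alerts"][0])
    for src, t in r["top_bytes"]:
        print(f"{src:15} bytes={t['bytes']:7} packets={t['packets']:5} flows={t['flows']}")
```

The security monitor collapses the 30-port scan into a single flow because the ports are not key fields there, while the traffic monitor creates 30 flows; that is why the same scan yields one alert from the first monitor and thirty from the second, and why sorting the traffic cache by flow count per source surfaces the scanner even though it sends the fewest bytes.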
Dynamic SLAs – Using IP SLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public

Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Solution I: Use configurable point features where available. Solution II: Use EEM with a generic Event Detector. Solution III: Use EEM with a specific Event Detector. Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.

Flowchart (upon state change): Did the IP SLA operation time out?
• Yes → the tracked object is down: execute the "down" commands; if the down-syslog flag is set, send the "down" syslog; done.
• No (the operation succeeded) → the tracked object is up: execute the "up" commands; if the up-syslog flag is set, send the "up" syslog; done.
Real-World Example: Custom Failover Scenarios
Problem: When a standby ASA decides to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP Event Detector.

On the active cluster switches:
  ::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 oid_val 0 op ne
  If we are in the HSRP 'Active' state && the sender is a secondary ASA going to active:
    for each ASA-facing interface: shut

The OID is clogHistMsgText from the CISCO-SYSLOG-MIB, i.e. the text of a syslog message the ASA forwards as an SNMP trap; `oid_val 0 op ne` matches every such trap, so the policy body must check the sender and the message text itself.

Diagram: 1 – ASA becomes active; 2 – shut the ASA-facing interfaces (on each cluster switch).
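The SNMP notification event detector on the "Receive Remote Information" slide and the ASA failover policy above both reduce to one predicate: pick a varbind by OID, compare its value with an operator, and optionally filter by sender address and direction. The following is an added example (mine, not from the deck and not Cisco code) that shows what the router actually receives: it encodes three constructed SNMPv2c traps with a minimal BER encoder, decodes them back into varbinds, and applies the applet's filter semantics in Python. The snmpTrapOID.0, linkDown, UPS-MIB (RFC 1628) and CISCO-SYSLOG-MIB OIDs are the standard ones; the IP addresses, the "Switching to ACTIVE" message text, the 5-minute threshold and the action strings are assumptions made for the example.

```python
"""SNMPv2c trap decoding plus EEM-style `event snmp-notification` matching (added example)."""
import operator

# Standard OIDs (SNMPv2-MIB, RFC 1628 UPS-MIB, CISCO-SYSLOG-MIB); addresses and texts are constructed.
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"            # snmpTrapOID.0, second varbind of every v2c trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"                  # value the slide's catch-a-trap applet tests for
UPS_MIN_LEFT = "1.3.6.1.2.1.33.1.2.3.0"            # upsEstimatedMinutesRemaining.0
CLOG_MSG_TEXT = "1.3.6.1.4.1.9.9.41.1.2.3.1.5.0"   # clogHistMsgText, as on the ASA failover slide

def _tlv(tag, body):                               # BER TLV; long length form only above 127 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body

def enc_int(v, tag=0x02):                          # tag 0x43 = TimeTicks, 0x42 = Gauge32
    return _tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:                         # base-128, continuation bit on all but the last
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_trap(community, varbinds, request_id=1):
    """Encode an SNMPv2c message carrying an SNMPv2-Trap-PDU (context tag 0xA7)."""
    vbl = b"".join(_tlv(0x30, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, enc_int(1) + _tlv(0x04, community.encode()) + pdu)

def _read(buf, pos):                               # -> (tag, value bytes, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dec_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):      # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    return dec_oid(body) if tag == 0x06 else body.decode("ascii", "replace") if tag == 0x04 else body

def parse_trap(msg):
    """Return (community, [(oid, value), ...]); anything but an SNMPv2c trap is rejected."""
    _, body, _ = _read(msg, 0)
    _, ver, pos = _read(body, 0)
    _, comm, pos = _read(body, pos)
    tag, pdu, _ = _read(body, pos)
    if int.from_bytes(ver, "big") != 1 or tag != 0xA7:
        raise ValueError("not an SNMPv2c Trap-PDU")
    pos = 0
    for _ in range(3):                             # skip request-id, error-status, error-index
        _, _, pos = _read(pdu, pos)
    _, vbl, _ = _read(pdu, pos)
    out, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read(vbl, pos)
        _, oid_b, p = _read(vb, 0)
        vtag, vbody, _ = _read(vb, p)
        out.append((dec_oid(oid_b), dec_value(vtag, vbody)))
    return comm.decode(), out

OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "gt": operator.gt, "le": operator.le, "ge": operator.ge}

def matches(varbinds, src_ip, oid, oid_val, op, src_ip_address=None, direction="incoming", arrived="incoming"):
    """`event snmp-notification oid X oid-val V op OP [src-ip-address S] direction D` as a predicate."""
    if direction != arrived or (src_ip_address and src_ip != src_ip_address):
        return False
    vals = dict(varbinds)
    return oid in vals and OPS[op](vals[oid], oid_val)

def policy(msg, src_ip):
    """Dispatch like the applets on the slides; returns the local action to take, or None."""
    _, vbs = parse_trap(msg)
    if matches(vbs, src_ip, SNMP_TRAP_OID, LINK_DOWN, "eq", src_ip_address="10.5.189.176"):
        return "catch-a-trap: linkDown from the unmanaged device"
    if matches(vbs, src_ip, UPS_MIN_LEFT, 5, "le"):
        return "ups: shut non-critical ports before the battery runs out"
    # `op ne oid_val 0` matches every syslog trap, so the body must still inspect the text
    if matches(vbs, src_ip, CLOG_MSG_TEXT, 0, "ne") and "Switching to ACTIVE" in dict(vbs)[CLOG_MSG_TEXT]:
        return "failover: shut all ASA-facing interfaces"
    return None

# Constructed sample traps, i.e. what the router would receive on UDP/162.
UPS_TRAP = build_trap("public", [(SYS_UPTIME, enc_int(86400, 0x43)),
    (SNMP_TRAP_OID, enc_oid("1.3.6.1.2.1.33.2.1")), (UPS_MIN_LEFT, enc_int(4))])   # upsTrapOnBattery
LINKDOWN_TRAP = build_trap("public", [(SYS_UPTIME, enc_int(100, 0x43)), (SNMP_TRAP_OID, enc_oid(LINK_DOWN))])
ASA_TRAP = build_trap("public", [(SYS_UPTIME, enc_int(7, 0x43)),
    (SNMP_TRAP_OID, enc_oid("1.3.6.1.4.1.9.9.41.2.0.1")),                           # clogMessageGenerated
    (CLOG_MSG_TEXT, _tlv(0x04, b"(Secondary) Switching to ACTIVE"))])
```

Calling `policy(trap, sender_ip)` on each sample returns the action the corresponding applet would take. Two caveats the slides leave implicit: an SNMPv2c trap is an unauthenticated UDP datagram, so a sender-address filter stops accidents rather than an attacker who can spoof the UPS or ASA address, which argues for keeping trap-triggered actions reversible; and a `ne 0` comparison against a text varbind is always true, so the syslog-trap policy has to do its real matching on the message text, as the failover branch above does.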
Embedded Automation Systems (EASy)
The Custom HA EASy Package provides:
• Primary/Backup link failover
• Based on an IP SLA metric
• Open-source tutorial/framework
To use the package:
1. Browse and download the EASy package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define tags for your ACEs:
  ip access-list extended access-control
   permit ip any host 10.10.10.100 log red-server
   permit ip any host 10.10.10.200 log blue-server
   permit ip any any
2. The tags are appended to the Syslog messages:
  Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
Verify Resource Utilization – using ERM, EEM and onePK

Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on the CPU utilization of the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels – syslog if the group's CPU usage rises above 10% at an interval of 10 s.

  resource policy
   policy my-login-policy type iosprocess
    system
     cpu process
      major rising 20 interval 10 falling 10 interval 10
      minor rising 10 interval 10 falling 5 interval 10
   user group my-login-group type iosprocess
    instance "SSH Process"
    instance "SSH Event handler"
    policy my-login-policy

(The slide shows the configuration from the threshold lines downwards; the four leading lines of the policy are restored here following the ERM syntax used in the processor-memory example.)

  Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
  Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
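Both of the preceding slides end in syslog: the ACE tag appended to %SEC-6-IPACCESSLOG messages and the %SYS-4-CPURESRISING / %SYS-6-CPURESFALLING pair from ERM. The following added example (mine, not from the deck) parses those lines on the collector side and correlates them: packets per ACE tag, the duration and peak of each CPU excursion, and which sources were hitting tagged ACEs while the login-process group was above threshold. The exact way IOS renders the tag (here `[red-server]` after the packet count), all of the ACL lines and the year are assumptions; the two %SYS lines are the ones shown on the slide.

```python
"""Parse and correlate the IOS syslog produced by ACL syslog correlation
(%SEC-6-IPACCESSLOGP/DP with an ACE tag) and by an ERM CPU policy
(%SYS-4-CPURESRISING / %SYS-6-CPURESFALLING). Added example, not from the deck."""
import re
from collections import Counter
from datetime import datetime

HDR = re.compile(r"^(?:\d+:\s+)?\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)(?:\.\d+)?:\s+"
                 r"%(?P<mn>[A-Z0-9_]+-\d-[A-Z0-9_]+):\s+(?P<text>.*)$")
# Assumed rendering of the ACE tag: appended in square brackets after the packet count.
ACL = re.compile(r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
                 r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
                 r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?$")
RISING = re.compile(r"Resource group (?P<group>\S+) is seeing local cpu util (?P<util>\d+)% at process "
                    r"level more than the configured (?P<level>\w+) limit (?P<limit>\d+)%")
FALLING = re.compile(r"Resource group (?P<group>\S+) is no longer seeing local high cpu at process level "
                     r"for the configured (?P<level>\w+) limit (?P<limit>\d+)%, current value (?P<cur>\d+)%")

# Constructed sample log. The two %SYS lines are the ones on the ERM slide; the ACL lines are
# made up to match the tagged ACEs (red-server / blue-server) of the ACL correlation slide.
LOG = """\
Aug 25 12:50:02.117: %SEC-6-IPACCESSLOGP: list mgmt-in denied tcp 198.51.100.7(51050) -> 10.10.10.250(23), 12 packets
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:27.412: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 198.51.100.7(51022) -> 10.10.10.100(22), 1 packet [red-server]
Aug 25 12:56:29.901: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 198.51.100.7(51023) -> 10.10.10.100(22), 1 packet [red-server]
Aug 25 12:56:33.004: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 203.0.113.5 -> 10.10.10.200 (8/0), 3 packets [blue-server]
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
"""


def parse(line, year=2013):
    """Split one IOS syslog line into a header plus a typed body; None if it is not syslog."""
    h = HDR.match(line.strip())
    if not h:
        return None
    rec = {"ts": datetime.strptime(f"{year} {h['ts']}", "%Y %b %d %H:%M:%S"),
           "mnemonic": h["mn"], "kind": "other"}
    if h["mn"].startswith("SEC-6-IPACCESSLOG") and (m := ACL.match(h["text"])):
        rec.update(m.groupdict(), kind="acl", count=int(m["count"]))
    elif h["mn"] == "SYS-4-CPURESRISING" and (m := RISING.match(h["text"])):
        rec.update(m.groupdict(), kind="cpu", state="rising")
    elif h["mn"] == "SYS-6-CPURESFALLING" and (m := FALLING.match(h["text"])):
        rec.update(m.groupdict(), kind="cpu", state="falling")
    return rec


def hits_by_tag(records):
    """Packets per (ACE tag, action): the slide's point is to know which ACE fired, not just which ACL."""
    c = Counter()
    for r in records:
        if r and r["kind"] == "acl":
            c[(r["tag"] or f"{r['acl']}/untagged", r["action"])] += r["count"]
    return c


def cpu_excursions(records):
    """Pair each CPURESRISING with the next CPURESFALLING for the same group and threshold level."""
    pending, out = {}, []
    for r in records:
        if not r or r["kind"] != "cpu":
            continue
        k = (r["group"], r["level"])
        if r["state"] == "rising":
            pending[k] = r
        elif k in pending:
            start = pending.pop(k)
            out.append({"group": k[0], "level": k[1], "peak_util": int(start["util"]),
                        "start": start["ts"], "end": r["ts"],
                        "seconds": (r["ts"] - start["ts"]).total_seconds()})
    return out


def sources_during(records, excursion):
    """Brute-force triage: which sources hit tagged ACEs while the login-process CPU alarm was up?"""
    return Counter(r["src"] for r in records
                   if r and r["kind"] == "acl" and excursion["start"] <= r["ts"] <= excursion["end"])


if __name__ == "__main__":
    recs = [parse(l) for l in LOG.splitlines()]
    print(hits_by_tag(recs))
    for ex in cpu_excursions(recs):
        print(ex["group"], ex["level"], f"{ex['seconds']:.0f}s peak {ex['peak_util']}%", sources_during(recs, ex))
```

Hits from ACEs without a tag are counted under `<acl>/untagged` so that ACLs that were never tagged do not silently disappear from the report, and the year is supplied by the caller because IOS timestamps carry none unless `service timestamps log datetime year` is configured.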
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to investigate further, dynamically, upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory utilization is greater than 80%.

  resource policy
   policy critmem global
    system
     memory processor
      critical rising 80 interval 5
   user global critmem

  event manager applet totmemcheck
   event resource policy critmem
   action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC

Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive, and requires local skills and equipment.
3. Associate the capture point with the buffer:
  Router# monitor capture point associate …
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
Real-World Example: Format and Share Remote Information (slide 31)
Problem: How to actively gather and share information from a router and from a few devices behind the router – across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.
Solution 2: Use Cisco IOS network automation to collect and post the information.
Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy:
   package require http
   namespace import ::http::*
2. Collect the information required.
3. Build a query for the HTTP POST operation:
   set my_query [http::formatQuery status $my_info]
4. POST the information to a website:
   set my_reply [http::geturl $my_server_url -query $my_query]
Traffic Flows – Flexible NetFlow and EEM
Flexible NetFlow (FNF) – Recap (slide 34)
Traffic
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields

Packet 1 as seen by both flow monitors: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS byte 0, Input Interface Ethernet 0, SYN flag 0.

Flow Monitor 1 – Traffic Analysis Cache
Key fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF
Non-key fields: Packets, Bytes, Timestamps, Next Hop Address
Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | … | Pkts
3.3.3.3   | 2.2.2.2 | 23          | 22078     | 6        | 0   | E0       | … | 1100

Flow Monitor 2 – Security Analysis Cache
Key fields: Source IP, Dest IP, Input IF, SYN Flag
Non-key fields: Packets, Timestamps
Source IP | Dest IP | Input IF | Flag | … | Pkts
3.3.3.3   | 2.2.2.2 | E0       | 0    | … | 11000
Flexible NetFlow (FNF) – Key Fields – 1/2 (slide 36, For Your Reference)
IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version
Flexible NetFlow (FNF) – Key Fields – 2/2 (slide 37, For Your Reference)
Multicast: Replication Factor, RPF Check Drop, Is-Multicast
Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID (IPv4 flow only)
Flexible NetFlow (FNF) – Configuration (slide 38, For Your Reference)
1. Configure the Exporter – where do I want my data sent?
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record – what data do I want to meter?
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor – how do I want to cache information?
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface – on which interface do I want to monitor?
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL (slide 40)
Use cases: top (unexpected) talkers with low-TTL traffic; deviation from normal; senders with many low-TTL flows; take actions (block suspicious senders).
3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
   action 10 syslog msg "Low-TTL flow from $_nf_source_address"
   Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248
   Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
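The two caches on the FNF recap slide and the top-talker / low-TTL report of this slide, as an added example (not code from the Cisco deck): it shows how the choice of key fields decides what the cache can still tell you. Packets, field names and thresholds are this example's own constructed input.

```python
"""Added example, not from the Cisco deck: how two Flexible NetFlow flow
monitors with different key fields aggregate the same packets into the two
caches shown on the recap slide, plus the source-address aggregation behind
'show flow monitor <monitor> cache aggregate ipv4 source address sort highest
counter bytes top 10' and a low-TTL sender report like the EEM example.
The packets are constructed sample input; field names are this example's own."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int     # 6 = TCP
    tos: int
    in_if: str
    syn: bool
    ttl: int
    size: int      # bytes


# Key fields give a flow its identity (the 'match' lines of a flow record);
# non-key fields are accumulated per flow (the 'collect' lines).
TRAFFIC_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")  # flow monitor 1
SECURITY_KEYS = ("src", "dst", "in_if", "syn")                            # flow monitor 2


def flow_cache(packets, keys):
    """Build {key tuple: {'packets', 'bytes', 'min_ttl'}} the way a flow
    monitor's cache would; packets differing only in non-key fields merge."""
    cache = {}
    for p in packets:
        k = tuple(getattr(p, f) for f in keys)
        entry = cache.setdefault(k, {"packets": 0, "bytes": 0, "min_ttl": 255})
        entry["packets"] += 1
        entry["bytes"] += p.size
        entry["min_ttl"] = min(entry["min_ttl"], p.ttl)   # a collected (non-key) field
    return cache


def top_talkers(cache, keys, counter="bytes", n=10):
    """Aggregate the cache by source address and sort by the highest counter,
    i.e. 'cache aggregate ipv4 source address sort highest counter bytes top N'."""
    idx = keys.index("src")
    per_src = defaultdict(int)
    for k, entry in cache.items():
        per_src[k[idx]] += entry[counter]
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def low_ttl_senders(cache, keys, ttl_limit=5, min_flows=2):
    """Senders with at least min_flows flows whose lowest seen TTL is below
    ttl_limit: the 'senders with many low-TTL flows' case on the slide."""
    idx = keys.index("src")
    flows = defaultdict(int)
    for k, entry in cache.items():
        if entry["min_ttl"] < ttl_limit:
            flows[k[idx]] += 1
    return {src: c for src, c in flows.items() if c >= min_flows}


# Constructed sample traffic: the slide's packet (3.3.3.3:23 -> 2.2.2.2:22078
# over E0) plus a second source whose packets arrive with very low TTLs.
SAMPLE_PACKETS = [
    Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", False, 64, 100),
    Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", False, 64, 1400),
    Packet("3.3.3.3", "2.2.2.2", 23, 22079, 6, 0, "E0", True, 64, 60),
    Packet("10.0.0.9", "2.2.2.2", 40000, 80, 6, 0, "E0", True, 1, 60),
    Packet("10.0.0.9", "2.2.2.2", 40001, 443, 6, 0, "E0", True, 2, 60),
    Packet("10.0.0.9", "2.2.2.2", 40002, 22, 6, 0, "E0", True, 3, 60),
]


def demo():
    """Return the traffic-analysis cache (5 flows) and security-analysis cache (3 flows)."""
    traffic = flow_cache(SAMPLE_PACKETS, TRAFFIC_KEYS)
    security = flow_cache(SAMPLE_PACKETS, SECURITY_KEYS)
    return traffic, security


if __name__ == "__main__":
    traffic, security = demo()
    print("traffic analysis cache:", len(traffic), "flows; security analysis cache:", len(security))
    print("top talkers by bytes:", top_talkers(traffic, TRAFFIC_KEYS))
    # The per-port detail needed to count low-TTL flows per sender survives
    # only in the cache whose key fields include the ports.
    print("low-TTL senders (traffic cache):", low_ttl_senders(traffic, TRAFFIC_KEYS))
    print("low-TTL senders (security cache):", low_ttl_senders(security, SECURITY_KEYS))
```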
Dynamic SLAs – Using IP SLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public
Dynamic SLAs and Custom High Availability (slide 42)
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
Upon state change (flowchart):
• Did the IP SLA operation time out? Yes: the tracked object is down; execute the down commands; if down-syslog is set, send the down syslog; done.
• Did the IP SLA operation succeed? Yes: the tracked object is up; execute the up commands; if up-syslog is set, send the up syslog; done.
Real-World Example: Custom Failover Scenarios (slide 48)
Problem: Upon a standby ASA deciding to become active, we want to force full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: use the EEM SNMP Event Detector.
Figure: 1 – ASA becomes active; 2 – shut ASA intf (on each cluster switch).
On active cluster switches:
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
If we are in HSRP 'Active' state && sender is a secondary ASA going to active:
  For each ASA-facing interface: shut
Embedded Automation Systems (EASy)
The Custom HA EASy Package provides:
• Primary/Backup link failover
• Based on an IP SLA metric
• Open source tutorial/framework
To use the package:
1. Browse and download the EASy package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. Tags will be appended to Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
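Correlating the tagged messages back to the ACE, as an added example that is not part of the Cisco deck: the ACL text is the slide's, the syslog lines are constructed samples, and the trailing " [tag]" placement is an assumption about the message format.

```python
"""Added example, not from the Cisco deck: map %SEC-6-IPACCESSLOG* messages
that carry an ACL Syslog Correlation tag back to the ACE that produced them
and count hits per tag and source. The ACL is the slide's; the syslog lines
are constructed samples and the ' [tag]' suffix position is an assumption."""
import re
from collections import Counter

ACL_CONFIG = """\
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
"""

# An ACE whose 'log' / 'log-input' keyword carries a user-defined tag.
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(.+?)\s+log(?:-input)?\s+(\S+)\s*$")

# IPACCESSLOGP / IPACCESSLOGDP / IPACCESSLOGNP share this shape; ports and the
# '(type/code)' part are optional, the '[tag]' is only present for tagged ACEs.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
    r"(?:\s+\[(?P<tag>[^\]]+)\])?"
)


def ace_tags(acl_text):
    """Return {(acl name, tag): (ACE line number within the ACL, ACE text)}."""
    tags, acl_name, seq = {}, None, 0
    for line in acl_text.splitlines():
        m = re.match(r"^ip access-list extended (\S+)", line)
        if m:
            acl_name, seq = m.group(1), 0
            continue
        if not line.strip() or acl_name is None:
            continue
        seq += 1                      # every ACE counts, tagged or not
        m = ACE_RE.match(line)
        if m:
            tags[(acl_name, m.group(3))] = (seq, line.strip())
    return tags


def correlate(log_lines, tags):
    """Parse log lines; return (hits, packets per (tag, source)). A hit whose
    message has no tag, or a tag unknown in the ACL, gets ace=None."""
    hits, per_tag_src = [], Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tag = m.group("tag")
        ace = tags.get((m.group("acl"), tag)) if tag else None
        packets = int(m.group("count"))
        hits.append({"acl": m.group("acl"), "tag": tag, "ace": ace,
                     "src": m.group("src"), "dst": m.group("dst"), "packets": packets})
        if ace:
            per_tag_src[(tag, m.group("src"))] += packets
    return hits, per_tag_src


# Constructed sample messages (RFC 5737 documentation addresses as sources).
SAMPLE_LOGS = [
    "Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.0.2.7 -> 10.10.10.100 (8/0), 1 packet  [red-server]",
    "Apr 13 16:31:24.102: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 192.0.2.7(51012) -> 10.10.10.200(22), 1 packet  [blue-server]",
    "Apr 13 16:36:19.001: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.0.2.7 -> 10.10.10.100 (8/0), 37 packets  [red-server]",
    "Apr 13 16:36:20.500: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 198.51.100.4(40100) -> 10.10.10.200(22), 5 packets  [blue-server]",
    "Apr 13 16:36:21.000: %SEC-6-IPACCESSLOGP: list other-acl denied tcp 198.51.100.4(40101) -> 10.0.0.1(23), 1 packet",
]

if __name__ == "__main__":
    hits, per = correlate(SAMPLE_LOGS, ace_tags(ACL_CONFIG))
    for h in hits:
        where = f"ACE #{h['ace'][0]} ({h['ace'][1]})" if h["ace"] else "untagged / unknown ACE"
        print(f"{h['src']} -> {h['dst']}: {h['packets']} pkt(s) via {where}")
    print(dict(per))
```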
Real-World Example: Verify Resource Utilization – using ERM (slide 66)
Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels – syslog if group CPU usage rises above 10% at an interval of 10 s.
resource policy
 ! enclosing policy lines restored from ERM syntax; the slide shows only the thresholds and the user group
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Resulting syslog messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
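How the ERM thresholds of the CPU group policy (slide 66) and the processor-memory policy above behave over time, as an added simulator that is not code from the Cisco deck. Assumptions: "interval" is treated as the polling period, a level raises once when a polled value exceeds its rising threshold and clears once a polled value drops below its falling threshold (falling defaults to rising when omitted), and the utilization samples are constructed.

```python
"""Added example, not from the Cisco deck: a simulator of the ERM threshold
behaviour configured on the CPU ('my-login-group': minor 10/5, major 20/10,
interval 10) and processor-memory ('critmem': critical rising 80, interval 5)
slides. Assumptions: 'interval' is the polling period in seconds, a level
raises once when a polled value exceeds its rising threshold and clears once a
polled value drops below its falling threshold (falling defaults to rising when
omitted); the utilization samples are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Threshold:
    level: str                       # minor | major | critical
    rising: int
    interval: int
    falling: Optional[int] = None
    falling_interval: Optional[int] = None


def parse_thresholds(lines):
    """Parse ERM lines like 'major rising 20 interval 10 falling 10 interval 10'."""
    out = []
    for raw in lines:
        tok = raw.split()
        if len(tok) >= 5 and tok[1] == "rising" and tok[3] == "interval":
            th = Threshold(tok[0], int(tok[2]), int(tok[4]))
            if len(tok) >= 9 and tok[5] == "falling" and tok[7] == "interval":
                th.falling, th.falling_interval = int(tok[6]), int(tok[8])
            out.append(th)
    return out


@dataclass
class ErmPolicy:
    name: str
    thresholds: list
    raised: set = field(default_factory=set)   # levels currently above threshold

    def poll(self, t, value):
        """One utilization sample at time t (seconds). Returns a list of
        (t, level, direction, value, rising_limit) events, the notifications
        an EEM 'event resource policy' applet would be triggered by."""
        events = []
        for th in self.thresholds:
            falling = th.falling if th.falling is not None else th.rising
            f_iv = th.falling_interval or th.interval
            if th.level not in self.raised:
                if t % th.interval == 0 and value > th.rising:
                    self.raised.add(th.level)
                    events.append((t, th.level, "rising", value, th.rising))
            elif t % f_iv == 0 and value < falling:      # hysteresis: clear below 'falling'
                self.raised.discard(th.level)
                events.append((t, th.level, "falling", value, th.rising))
        return events


def run(policy, samples):
    """samples: iterable of (t, value); returns all events in order."""
    events = []
    for t, value in samples:
        events.extend(policy.poll(t, value))
    return events


def cpu_syslog(group, event):
    """Render an event in the %SYS-4-CPURESRISING / %SYS-6-CPURESFALLING
    wording shown on the slide (the slide quotes the rising limit in both)."""
    t, level, direction, value, limit = event
    if direction == "rising":
        return (f"%SYS-4-CPURESRISING: Resource group {group} is seeing local cpu util "
                f"{value}% at process level more than the configured {level} limit {limit}%")
    return (f"%SYS-6-CPURESFALLING: Resource group {group} is no longer seeing local high "
            f"cpu at process level for the configured {level} limit {limit}%, current value {value}%")


# Threshold lines exactly as configured on the two slides.
LOGIN_POLICY_LINES = [
    "major rising 20 interval 10 falling 10 interval 10",
    "minor rising 10 interval 10 falling 5 interval 10",
]
CRITMEM_LINES = ["critical rising 80 interval 5"]

# Constructed utilization samples: (seconds, percent).
CPU_SAMPLES = [(0, 2), (10, 16), (20, 25), (30, 12), (40, 4)]
MEM_SAMPLES = [(0, 70), (5, 85), (10, 90), (15, 79)]


def demo():
    """Run both policies over the sample series; return (cpu_events, mem_events)."""
    cpu = ErmPolicy("my-login-policy", parse_thresholds(LOGIN_POLICY_LINES))
    mem = ErmPolicy("critmem", parse_thresholds(CRITMEM_LINES))
    return run(cpu, CPU_SAMPLES), run(mem, MEM_SAMPLES)


if __name__ == "__main__":
    cpu_events, mem_events = demo()
    for ev in cpu_events:
        print(cpu_syslog("my-login-group", ev))
    for ev in mem_events:
        print("EEM applet totmemcheck would be triggered by critmem event:", ev)
```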
A Network "Top" – Real-World Example (slide 69)
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP format data and/or analyze on the device.
3. Associate capture point to buffer:
Router# monitor capture point associate …
See: http://www.cisco.com/go/epc – available from IOS 12.4(20)T; platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running – and can you afford to power-cycle after OIR just for POST to run? (slide 81)
Generic Online Diagnostics (GOLD) – 1/3 (slide 82)
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation, without power-cycling the box?
Solution: Use GOLD to verify functionality of a misbehaving module.
• Bootup diagnostics (upon bootup and OIR)
• Periodic health monitoring (during operation)
• On-demand (from CLI)
• Scheduled testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST. Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX; platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
If the OID doesn't exist – Custom MIB
Custom MIB Polling (slide 22)
Problem: Sometimes there is a show command – but no MIB support. What if we still want to collect the information via SNMP?
Solution: Automate custom MIB polling via EEM and Expression-MIB or RFC2982-MIB, depending on Cisco IOS version.
See: Available as an EASy Package, http://www.cisco.com/go/easy; scripts for ASR available from Cisco Beyond
Decision flowchart (starting point: no MIB coverage for the CLI – see www.cisco.com/go/mibs). Decision points: Is Expression-MIB supported? Is RFC2982-MIB supported? Running 12.4(20)T or later? The Yes/No edges are not recoverable from the slide image; the four outcomes are:
Option 1: Use EEM Tcl Policy based on CLI Interface for Expression-MIB
Option 2: Use EEM Tcl Policy based on SNMP Interface of RFC2982-MIB
Option 3: Use EEM Tcl Policy based on SNMP Interface of Expression-MIB
Option 4: Use EEM 3.1
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Flexible NetFlow (FNF) – Configuration
Four questions drive the configuration: Where do I want my data sent? What data do I want to meter? How do I want to cache the information? On which interface do I want to monitor?
1 Configure the Exporter (where the data is sent)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2 Configure the Flow Record (what data to meter)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3 Configure the Flow Monitor (how the information is cached)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4 Apply to an Interface (which interface to monitor)
Router(config)# interface s30
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL
EEM applet action that logs each low-TTL flow:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Resulting message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248
3 Syslog message and/or use the show flow monitor <my-monitor> cache command:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
Use cases: top (unexpected) talkers with low-TTL traffic; deviation from normal; senders with many low-TTL flows; take actions (block suspicious senders)
Dynamic SLAs – Using IP SLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public
Problem: "Define – Monitor – Alert" was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Dynamic SLAs and Custom High Availability – decision flow, evaluated upon a state change of the IP SLA operation:
– Did the IP SLA operation time out? Yes: the tracked object is down; execute the down commands; if down-syslog is set, send the down syslog; done.
– Did the IP SLA operation succeed? Yes: the tracked object is up; execute the up commands; if up-syslog is set, send the up syslog; done.
Solution I: Use configurable point features where available. Solution II: Use EEM with a generic Event Detector. Solution III: Use EEM with a specific Event Detector. Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP Event Detector.
Diagram steps: 1 – ASA active; 2 – shut ASA intf (on each cluster switch)
Logic on the active cluster switches:
If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
  For each ASA-facing interface: shut
EEM Tcl policy registration on the trap:
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
Embedded Automation Systems (EASy)
Custom HA EASy Package provides:
• Primary/Backup Link Failover
• Based on IP SLA Metric
• Open Source Tutorial/Framework
To use the Package:
1 Browse and download the EASy Package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1 Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2 Tags will be appended to Syslog Messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
Real-World Example: Verify Resource Utilization – using ERM
Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical (suspicious) levels – syslog if group CPU usage rises above 10% at an interval of 10 s.
! ERM policy: thresholds and process group as on the slide; the enclosing
! resource policy / policy / system / cpu process lines are the standard ERM
! hierarchy restored around them
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Resulting messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 0%)
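As an added example, not from the slides and not Cisco code, the following Python script shows how a NOC/SOC collector could consume the three message types shown in the preceding examples (the ACE-tagged %SEC-6-IPACCESSLOGDP message, the EEM low-TTL applet's %HA_EM-6-LOG message, and ERM's %SYS-4-CPURESRISING / %SYS-6-CPURESFALLING messages) and turn them into the views those slides ask for: hits per ACE tag, low-TTL flow counts per sender, and resource-group state changes. The sample log lines are constructed (documentation addresses, made-up ports and times); the exact layout of the tagged ACL message, with the tag in square brackets at the end, is an assumption since the slide's line is cut off.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the three formats the slides show.
# Hosts, ports and times are made up; the ACE tag is assumed to be appended
# in square brackets at the end of the %SEC-6-IPACCESSLOG* message.
SAMPLE_LOG = """\
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted tcp 198.51.100.5(40122) -> 10.10.10.100(443), 1 packet [red-server]
Apr 13 16:31:19.102: %SEC-6-IPACCESSLOGDP: list access-control permitted tcp 198.51.100.9(51000) -> 10.10.10.200(443), 1 packet [blue-server]
Apr 13 16:31:20.004: %SEC-6-IPACCESSLOGDP: list access-control permitted tcp 198.51.100.5(40123) -> 10.10.10.100(443), 3 packets [red-server]
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.248
Dec 2 17:39:32.010: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.248
Dec 2 17:39:33.500: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.17
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 0%)
"""

# ACL hit with the ACE tag (assumed bracketed suffix); IPACCESSLOGDP/P/... variants share the prefix.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets? \[(?P<tag>[^\]]+)\]"
)
# Message emitted by the slide's EEM applet action ("Low-TTL flow from $_nf_source_address").
TTL_RE = re.compile(r"%HA_EM-6-LOG: (?P<applet>\S+): Low-TTL flow from (?P<src>[\d.]+)")
# ERM resource-group threshold notifications.
ERM_RE = re.compile(r"%SYS-\d-CPURES(?P<direction>RISING|FALLING): Resource group (?P<group>\S+)")


def parse_line(line):
    """Classify one syslog line as ('acl' | 'low_ttl' | 'erm', fields) or None."""
    for kind, rx in (("acl", ACL_RE), ("low_ttl", TTL_RE), ("erm", ERM_RE)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def correlate(text):
    """Aggregate the messages into per-ACE hit counts, per-tag source sets,
    low-TTL flow counts per sender and the ERM state changes, in order."""
    ace_hits = Counter()               # (acl name, tag) -> packets matched
    ace_sources = defaultdict(set)     # tag -> source addresses seen
    low_ttl_senders = Counter()        # sender -> number of low-TTL flows logged
    erm_events = []                    # (group, RISING|FALLING)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "acl":
            ace_hits[(f["acl"], f["tag"])] += int(f["count"])
            ace_sources[f["tag"]].add(f["src"])
        elif kind == "low_ttl":
            low_ttl_senders[f["src"]] += 1
        else:
            erm_events.append((f["group"], f["direction"]))
    return {
        "ace_hits": dict(ace_hits),
        "ace_sources": {tag: sorted(srcs) for tag, srcs in ace_sources.items()},
        "low_ttl_senders": dict(low_ttl_senders),
        "erm_events": erm_events,
    }


def suspicious_low_ttl_senders(summary, threshold=2):
    """Senders with at least `threshold` low-TTL flows: the slide's
    'senders with many low-TTL flows' candidates for closer inspection."""
    return sorted(s for s, n in summary["low_ttl_senders"].items() if n >= threshold)


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for (acl, tag), hits in sorted(result["ace_hits"].items()):
        print(f"ACL {acl} ACE tag {tag}: {hits} packets from {result['ace_sources'][tag]}")
    print("low-TTL senders to review:", suspicious_low_ttl_senders(result))
    print("ERM state changes:", result["erm_events"])
```

The ACE tag is what makes the first view possible at all: without `log <tag>` on the ACE, every hit of the ACL collapses into one counter and the SOC cannot tell which server the traffic was headed for.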
EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
!
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
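Both ERM examples above (the CPU thresholds for the login-process group and the processor-memory policy) rely on the same rising/falling notification behaviour: one RISING notification when utilization exceeds the rising limit, then one FALLING notification only after it has dropped back to the falling limit, so that a value hovering between the two limits does not flap. The following Python model of that hysteresis is an added example, not Cisco's implementation; how it treats the `interval` keyword (the utilization must persist beyond the limit for that many seconds before the notification fires) is an assumption made for the model, and the CPU samples are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Threshold:
    """One ERM threshold line, e.g. 'minor rising 10 interval 10 falling 5 interval 10'.
    rising/falling are percentages; the intervals are seconds the utilization must
    stay beyond the limit before a notification fires (an assumption of this model)."""
    level: str
    rising: int
    rising_interval: int
    falling: int
    falling_interval: int


@dataclass
class LevelState:
    """Hysteresis state for one threshold level."""
    threshold: Threshold
    active: bool = False              # True after RISING, until FALLING
    crossed_at: Optional[int] = None  # time the pending condition first held

    def feed(self, t: int, value: int) -> Optional[str]:
        th = self.threshold
        if not self.active:
            pending = value > th.rising      # "more than the configured limit"
            needed = th.rising_interval
        else:
            pending = value <= th.falling    # must fall back to the falling limit
            needed = th.falling_interval
        if not pending:
            self.crossed_at = None           # condition broken: start over
            return None
        if self.crossed_at is None:
            self.crossed_at = t
        if t - self.crossed_at < needed:
            return None
        self.active = not self.active
        self.crossed_at = None
        return "RISING" if self.active else "FALLING"


def evaluate(thresholds: List[Threshold],
             samples: List[Tuple[int, int]]) -> List[Tuple[str, str, int]]:
    """Run (second, cpu_percent) samples through every level and return the
    notifications in order as (level, direction, second)."""
    states = [LevelState(th) for th in thresholds]
    events = []
    for t, value in samples:
        for st in states:
            direction = st.feed(t, value)
            if direction:
                events.append((st.threshold.level, direction, t))
    return events


def format_syslog(group: str, th: Threshold, direction: str, value: int) -> str:
    """Render a notification in the wording of the slide's %SYS-4-CPURESRISING /
    %SYS-6-CPURESFALLING messages (timestamp omitted)."""
    if direction == "RISING":
        return (f"%SYS-4-CPURESRISING: Resource group {group} is seeing local cpu util "
                f"{value}% at process level more than the configured {th.level} limit {th.rising}%")
    return (f"%SYS-6-CPURESFALLING: Resource group {group} is no longer seeing local high cpu "
            f"at process level for the configured {th.level} limit {th.rising}% (current value {value}%)")


# The two threshold lines of the slide's my-login-policy.
LOGIN_POLICY = [
    Threshold("major", 20, 10, 10, 10),
    Threshold("minor", 10, 10, 5, 10),
]

# Constructed CPU samples for the SSH process group, one every 5 seconds:
# a login burst pushes utilization to 16%, then 25%, then it dies down.
SAMPLES = [(0, 2), (5, 16), (10, 16), (15, 16), (20, 25), (25, 25), (30, 25),
           (35, 3), (40, 0), (45, 0), (50, 0)]

if __name__ == "__main__":
    for level, direction, t in evaluate(LOGIN_POLICY, SAMPLES):
        th = next(x for x in LOGIN_POLICY if x.level == level)
        value = dict(SAMPLES)[t]
        print(f"t={t:>3}s", format_syslog("my-login-group", th, direction, value))
```

With these samples the minor level fires first (16% is above 10 but below 20), the major level follows once 25% has persisted, and both clear only after utilization has stayed at or below their falling limits for the configured interval.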
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP-format data and/or analyze it on the device.
3 Associate capture point to buffer:
Router# monitor capture point associate …
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx
Early Detection – GOLD
Generic Online Diagnostics (GOLD) – 1/3
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running, and can you afford to power-cycle after OIR just for POST to run?
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation, without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
GOLD provides: Bootup Diagnostics (upon bootup and OIR); Periodic Health Monitoring (during operation); On-Demand testing (from CLI); Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST. Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C - Minimal level test / Complete level test / Not applicable
    B   - Bypass bootup test / Not applicable
    P   - Per port test / Not applicable
    D/N - Disruptive test / Non-disruptive test / Not applicable
    S   - Only applicable to standby unit / Not applicable
If the OID doesn't exist – Custom MIB
Custom MIB Polling
Problem: Sometimes there is a show command – but no MIB support. What if we still want to collect the information via SNMP?
Solution: Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB, depending on the Cisco IOS version.
Decision flow on the slide, starting from "No MIB coverage for the CLI" (see www.cisco.com/go/mibs): the questions asked are "Is Expression-MIB supported?", "Is RFC2982-MIB supported?" and "Running 12.4(20)T or later?", each answered Yes/No, leading to one of these options:
Option 1: Use EEM Tcl Policy based on the CLI interface for Expression-MIB
Option 2: Use EEM Tcl Policy based on the SNMP interface of RFC2982-MIB
Option 3: Use EEM Tcl Policy based on the SNMP interface of Expression-MIB
Option 4: Use EEM 3.1
See: Available as an EASy Package, http://www.cisco.com/go/easy. Scripts for ASR available from CiscoBeyond.
Verifying the Monitoring Config – EASy NMS Tester Package
Is Monitoring Actually Working?
Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.
Solution: Use the EASy NMS Tester Package – which generates test messages for each configured monitoring protocol.
1) Install and configure the EASy NMS Tester Package
2) The NMS Tester Package will generate test messages (towards the Syslog Server, SNMP NMS, Mail Server, Smart Call Home Gateway and cisco.com)
3) Verify the test messages
See: Available as an EASy Package, http://www.cisco.com/go/easy
Monitoring Remote Information
Receive Remote Information
Problem: Sometimes we want to receive remote information on a router/switch and be able to react to it locally – for example a notification from a UPS system.
Solution: Use network automation based on Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• Router/switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• Policy can query varbind info
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)
Scenario: an Uninterruptible Power Supply sends an SNMP trap (On Battery, 5 Min Remaining) to the EEM-enabled router/switch
Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 …
Router(config-applet)# action 020 …
Format and Share Information
Real-World Example: Format and Share Remote Information
Problem: How to actively gather and share information from a router, and from a few devices behind the router, across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, Event Management Software, Reporting, Provisioning and CRM systems.
Solution 2: Use Cisco IOS network automation to collect and post the information.
Using Cisco IOS Embedded Event Manager and Tcl:
1 Import the http package into the EEM policy:
namespace import ::http::*
2 Collect the information required
3 Build a query for the http POST operation:
set my_query [::http::formatQuery status $my_info]
4 POST the information to a website:
set my_reply [::http::geturl $my_server_url -query $my_query]
Traffic Flows – Flexible NetFlow and EEM
Flexible NetFlow (FNF) – Recap: the same packet populates two flow monitors with different key fields
Key Fields, Packet 1: Source IP 3.3.3.3; Destination IP 2.2.2.2; Source Port 23; Destination Port 22078; Layer 3 Protocol TCP (6); TOS Byte 0; Input Interface Ethernet 0
Flow Monitor 1 – Traffic Analysis Cache (non-key fields: Packets, Bytes, Timestamps, Next Hop Address):
Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | … | Pkts
3.3.3.3 | 2.2.2.2 | 23 | 22078 | 6 | 0 | E0 | … | 1100
Flow Monitor 2 – Security Analysis Cache (key fields of Packet 1: Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0):
Source IP | Dest IP | Input IF | Flag | … | Pkts
3.3.3.3 | 2.2.2.2 | E0 | 0 | … | 11000
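The recap slide's point, that one packet feeds two monitors whose different key fields aggregate it into differently sized cache entries (1100 packets in the 7-tuple traffic cache, 11000 in the security cache that keys only on addresses, input interface and SYN flag), as an added Python model. This is illustration code, not Cisco's NetFlow implementation; the `Packet` fields, the monitor names and the generated traffic (ten conversations of 1100 packets plus a handful of SYN packets) are constructed so that the numbers match the slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    """The fields a flow record can match on or collect (a subset of the slide's list)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int   # 6 = TCP
    tos: int
    input_if: str
    syn: int        # TCP SYN flag, 0 or 1
    length: int     # bytes, feeds the 'collect counter bytes' non-key field


class FlowMonitor:
    """A flow monitor: a record (which fields are keys) plus the cache it fills.
    Packets whose key fields are identical update one cache entry; the non-key
    fields (packets, bytes, timestamps) are accumulated in that entry."""

    def __init__(self, name: str, key_fields: List[str]) -> None:
        self.name = name
        self.key_fields = tuple(key_fields)
        self.cache: Dict[Tuple, Dict[str, int]] = {}

    def observe(self, pkt: Packet, ts: int) -> Tuple:
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.cache.get(key)
        if entry is None:
            entry = {"packets": 0, "bytes": 0, "first": ts, "last": ts}
            self.cache[key] = entry
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        entry["last"] = ts
        return key

    def top(self, n: int, by: str = "packets") -> List[Tuple[Tuple, Dict[str, int]]]:
        """Counterpart of 'show flow monitor <m> cache sort highest counter <by> top <n>'."""
        return sorted(self.cache.items(), key=lambda kv: kv[1][by], reverse=True)[:n]


def build_monitors() -> Tuple[FlowMonitor, FlowMonitor]:
    """The two monitors on the slide: 7 key fields for traffic analysis,
    4 (including the SYN flag) for security analysis."""
    traffic = FlowMonitor("traffic-analysis",
                          ["src_ip", "dst_ip", "src_port", "dst_port", "protocol", "tos", "input_if"])
    security = FlowMonitor("security-analysis", ["src_ip", "dst_ip", "input_if", "syn"])
    return traffic, security


def constructed_packets() -> List[Packet]:
    """Constructed traffic from 3.3.3.3 to 2.2.2.2 on E0: ten TCP conversations
    (source port 23 plus nine others) of 1100 packets each, and five SYN packets."""
    pkts: List[Packet] = []
    for sport in [23] + [30000 + i for i in range(9)]:
        pkts += [Packet("3.3.3.3", "2.2.2.2", sport, 22078, 6, 0, "E0", 0, 512)] * 1100
    pkts += [Packet("3.3.3.3", "2.2.2.2", 40000, 22078, 6, 0, "E0", 1, 60)] * 5
    return pkts


def run_demo() -> Tuple[FlowMonitor, FlowMonitor]:
    """Feed every packet to both monitors, as an interface with two 'ip flow monitor' lines would."""
    traffic, security = build_monitors()
    for ts, pkt in enumerate(constructed_packets()):
        traffic.observe(pkt, ts)
        security.observe(pkt, ts)
    return traffic, security


if __name__ == "__main__":
    for mon in run_demo():
        print(f"{mon.name}: {len(mon.cache)} cache entries, key fields {mon.key_fields}")
        for key, e in mon.top(3):
            print("  ", key, e["packets"], "pkts", e["bytes"], "bytes")
```

The traffic monitor ends up with eleven entries of at most 1100 packets, while the security monitor collapses the same packets into one entry of 11000 plus a separate entry for the SYN packets; that separate entry is exactly what a SYN-heavy sender would stand out in.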
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
If the OID doesn't exist – Custom MIB

Custom MIB Polling (slide 22)

Problem: Sometimes there is a show command, but no MIB support. What if we still want to collect the information via SNMP?

Solution: Automate custom MIB polling via EEM together with Expression-MIB or RFC2982-MIB, depending on the Cisco IOS version.

See: available as an EASy Package at http://www.cisco.com/go/easy; scripts for ASR are available from CiscoBeyond.

Decision flowchart (reconstructed as a list). Starting point: no MIB coverage for the CLI output (check www.cisco.com/go/mibs first). The diagram then asks whether Expression-MIB is supported, whether the box is running 12.4(20)T or later, and whether RFC2982-MIB is supported, and ends in one of four options:
• Option 1: EEM Tcl policy based on the CLI interface for Expression-MIB
• Option 2: EEM Tcl policy based on the SNMP interface of RFC2982-MIB
• Option 3: EEM Tcl policy based on the SNMP interface of Expression-MIB
• Option 4: Use EEM 3.1

Whichever option you pick, the show output becomes readable by anyone who can poll that OID, so expose it only through SNMPv3 auth/priv or, at minimum, a view-restricted community.
Verifying the Monitoring Config – EASy NMS Tester Package

Is Monitoring Actually Working? (slide 25)

Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.

Solution: Use the EASy NMS Tester Package, which generates test messages for each configured monitoring protocol.

1) Install and configure the EASy NMS Tester Package
2) The NMS Tester Package generates test messages towards the Syslog server, the SNMP NMS, the mail server, and the Smart Call Home gateway and cisco.com
3) Verify that the test messages arrived

See: available as an EASy Package at http://www.cisco.com/go/easy
Monitoring Remote Information

Receive Remote Information (slide 28)

Problem: Sometimes we want to receive remote information on a router or switch and be able to react to it locally, for example a notification from a UPS system.

Solution: Use network automation based on the Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.

• The router or switch can receive SNMP notifications
• It executes (triggers) an EEM policy to take local action
• The policy can query the varbind information
• Supports incoming or outgoing notifications; outgoing only for locally generated notifications

Diagram: the Uninterruptible Power Supply sends an SNMP trap ("On battery, 5 minutes remaining"); the EEM applet on the router or switch reacts to it locally.

Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 …
Router(config-applet)# action 020 …

(The oid is snmpTrapOID.0 and the oid-val is the standard linkDown notification, so this applet fires on an incoming linkDown trap from the given source address.)
Format and Share Information

Format and Share Remote Information – Real-World Example (slide 31)

Problem: How to actively gather and share information from a router and from a few devices behind the router, across organizational and technical borders?

Solution 1: Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.

Solution 2: Use Cisco IOS network automation to collect and post the information.

Using the Cisco IOS Embedded Event Manager and Tcl:
1. Load the http package in the EEM policy
2. Collect the information required
3. Build a query for the HTTP POST operation
4. POST the information to a website

package require http                                            ;# 1. load the http package
# 2. collect the information into $my_info (device-specific, not shown on the slide)
set my_query [::http::formatQuery status $my_info]              ;# 3. URL-encode "status=<info>"
set my_reply [::http::geturl $my_server_url -query $my_query]   ;# 4. -query makes geturl send a POST

Note that this sends the device information in clear text to whatever $my_server_url points at, so restrict the destination and treat the posted data as sensitive.
Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap (slide 34)

Flexible NetFlow lets you choose which packet fields are key fields (they identify a flow: every distinct combination creates a new cache entry) and which are non-key fields (collected and accumulated per flow). The same packet can be metered by several flow monitors, each with its own record and cache.

Packet 1 (example): Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0, SYN Flag 0.

Flow Monitor 1 – Traffic Analysis Cache
  Key fields: Source IP, Destination IP, Source Port, Destination Port, Protocol, TOS, Input Interface
  Non-key fields: Packets, Bytes, Timestamps, Next Hop Address
  Source IP  Dest IP  Source Port  Dest Port  Protocol  TOS  Input IF  …  Pkts
  3.3.3.3    2.2.2.2  23           22078      6         0    E0        …  1100

Flow Monitor 2 – Security Analysis Cache
  Key fields: Source IP, Destination IP, Input Interface, SYN Flag
  Non-key fields: Packets, Timestamps
  Source IP  Dest IP  Input IF  Flag  …  Pkts
  3.3.3.3    2.2.2.2  E0        0     …  11000

Traffic:
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields
Flexible NetFlow (FNF) – Key Fields (slides 36 and 37, for your reference)

IPv4: IP (source or destination), Payload Size, Prefix (source or destination), Packet Section (Header), Mask (source or destination), Packet Section (Payload), Minimum-Mask (source or destination), TTL, Protocol, Options bitmap, Fragmentation Flags, Version, Fragmentation Offset, Precedence, Identification, DSCP, Header Length, TOS, Total Length

IPv6: IP (source or destination), Payload Size, Prefix (source or destination), Packet Section (Header), Mask (source or destination), Packet Section (Payload), Minimum-Mask (source or destination), DSCP, Protocol, Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length

Interface: Input, Output

Flow: Sampler ID, Direction

Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority

Multicast: Replication Factor, RPF Check Drop, Is-Multicast

Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status

Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port

Application: Application ID (IPv4 flow only)
Flexible NetFlow (FNF) – Configuration (slide 38, for your reference)

Four questions, four configuration objects:
1. Configure the exporter (where do I want my data sent?)
2. Configure the flow record (what data do I want to meter?)
3. Configure the flow monitor (how do I want to cache the information?)
4. Apply to an interface (on which interface do I want to monitor?)

Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Flexible NetFlow and EEM – Low TTL – Real-World Example (slide 40)

Goal: find the top (unexpected) talkers with low-TTL traffic, deviations from normal, and senders with many low-TTL flows, and take action (block suspicious senders).

Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10

EEM applet action (excerpt):
 action 10 syslog msg "Low-TTL flow from $_nf_source_address"

Resulting syslog message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248

3. Use the syslog message and/or the show flow monitor <my-monitor> cache command
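The flow-cache mechanics of the FNF recap (slide 34) and the low-TTL check of the example above, as an added illustration and not code from the deck: two monitors with different match keys meter the same constructed packets, the `aggregate` method reproduces the `show flow monitor ... cache aggregate ... sort highest counter ... top 10` view, and `low_ttl_sources` flags what the deck's EEM applet reports. Addresses, ports, interface names and the packets themselves are constructed, and `ttl_min` stands in for a collected minimum-TTL field.

```python
"""Flow-record model: 'match' fields form the cache key, 'collect' fields are accumulated."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int       # 6 = TCP
    tos: int
    input_if: str
    syn: int         # 1 if the TCP SYN flag is set
    ttl: int
    length: int      # bytes on the wire


class FlowMonitor:
    """One 'flow monitor' with its 'flow record': key = match fields, counters = collect fields."""

    def __init__(self, name: str, match: Sequence[str]):
        self.name = name
        self.match = tuple(match)
        self.cache: Dict[Tuple, dict] = {}

    def meter(self, pkt: Packet) -> None:
        key = tuple(getattr(pkt, f) for f in self.match)   # a new key combination = a new flow
        e = self.cache.setdefault(key, {"packets": 0, "bytes": 0, "ttl_min": 255})
        e["packets"] += 1                                  # collect counter packets
        e["bytes"] += pkt.length                           # collect counter bytes
        e["ttl_min"] = min(e["ttl_min"], pkt.ttl)          # stand-in for a collected minimum TTL

    def aggregate(self, field: str, counter: str = "bytes", top: int = 10):
        """'show flow monitor <name> cache aggregate ipv4 <field> sort highest counter <counter> top N'."""
        idx = self.match.index(field)
        totals: Counter = Counter()
        for key, e in self.cache.items():
            totals[key[idx]] += e[counter]
        return totals.most_common(top)

    def low_ttl_sources(self, below: int = 5) -> List[str]:
        """Sources with at least one flow whose minimum TTL is under `below` (the applet's trigger)."""
        idx = self.match.index("src")
        return sorted({key[idx] for key, e in self.cache.items() if e["ttl_min"] < below})


# The deck's two records: the 7-tuple for traffic analysis, src/dst/input-if/SYN for security analysis.
TRAFFIC_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "input_if")
SECURITY_KEYS = ("src", "dst", "input_if", "syn")

# Constructed packets (not captured traffic): three from the recap's 3.3.3.3 -> 2.2.2.2 telnet flow,
# two SYN-only SSH probes with a TTL that expires a few hops in.
SAMPLE_PACKETS = (
    Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", 0, 64, 100),
    Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", 0, 64, 100),
    Packet("3.3.3.3", "2.2.2.2", 23, 22079, 6, 0, "E0", 0, 64, 100),
    Packet("10.9.8.7", "2.2.2.2", 40000, 22, 6, 0, "E0", 1, 3, 60),
    Packet("10.9.8.7", "2.2.2.2", 40001, 22, 6, 0, "E0", 1, 2, 60),
)


def build_caches(packets=SAMPLE_PACKETS):
    """Meter the same packets with both monitors and return (traffic, security)."""
    traffic = FlowMonitor("traffic-analysis", TRAFFIC_KEYS)
    security = FlowMonitor("security-analysis", SECURITY_KEYS)
    for p in packets:
        traffic.meter(p)
        security.meter(p)
    return traffic, security


if __name__ == "__main__":
    traffic, security = build_caches()
    print(f"{traffic.name}: {len(traffic.cache)} flows, {security.name}: {len(security.cache)} flows")
    print("top talkers by bytes:", traffic.aggregate("src", "bytes", 10))
    print("low-TTL sources:", traffic.low_ttl_sources(5))
```

The security record collapses the two probes into one SYN-only flow while the traffic record keeps one entry per port, which is the whole point of choosing key fields per purpose; on a real box TTL can itself be a key field (`match ipv4 ttl`) so that low-TTL flows get their own cache entries for the applet to react to.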
Dynamic SLAs – Using IPSLA and EEM (source deck: BRKNMS-2465)

Problem: "Define – Monitor – Alert" was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Dynamic SLAs and Custom High Availability (slide 42)

Upon a state change of the tracked object (flowchart on the slide, reconstructed):
• Did the IP SLA operation time out? Then the tracked object is down: execute the "down" commands, and if down-syslog is set, send the down syslog message.
• Did the IP SLA operation succeed? Then the tracked object is up: execute the "up" commands, and if up-syslog is set, send the up syslog message.
• Done.

Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
Custom Failover Scenarios – Real-World Example (slide 48, source deck: BRKNMS-2465)

Problem: Upon a standby ASA deciding to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.

Solution: Use the EEM SNMP Notification Event Detector.

Diagram: (1) the secondary ASA becomes active and sends a notification; (2) each cluster switch shuts its ASA-facing interfaces.

Policy logic on the active cluster switches:
  If we are in HSRP "Active" state && the sender is a secondary ASA going to active:
    for each ASA-facing interface: shut

Tcl policy registration (OID as printed on the slide):
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
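The matching done by the EEM SNMP Notification Event Detector, for the catch-a-trap applet of the Receive Remote Information slide and for the custom ASA failover example above, as an added illustration and not code from the deck or from Cisco. It replays constructed notifications through the same rule an `event snmp-notification oid ... oid-val ... op ... src-ip-address ... direction incoming` line expresses, then applies the switch-side logic of the failover example. The IP addresses, interface names and `ASA_FAILOVER_VARBIND` are placeholders; only `SNMP_TRAP_OID`, `LINK_DOWN` and `LINK_UP` are standard identifiers.

```python
"""Model of the EEM SNMP Notification Event Detector match rule and the ASA failover applet."""
import ipaddress
import operator
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Standard SNMPv2-MIB identifiers, the ones the catch-a-trap applet matches on.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0: the notification type carried by every SNMPv2 trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"         # linkDown
LINK_UP = "1.3.6.1.6.3.1.1.5.4"           # linkUp
# Placeholder for the ASA's failover-state varbind (assumption: the real OID is vendor-specific).
ASA_FAILOVER_VARBIND = "1.3.6.1.4.1.99999.1.1.0"

_OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
        "ge": operator.ge, "lt": operator.lt, "le": operator.le}


@dataclass(frozen=True)
class Notification:
    src_ip: str
    direction: str                 # "incoming" from a peer, "outgoing" when generated by this box
    varbinds: Dict[str, object]    # OID -> value as received (integer or string)


def _comparable(a, b):
    """Compare as integers when both sides parse as integers, otherwise as strings (OIDs, text)."""
    try:
        return int(a), int(b)
    except (TypeError, ValueError):
        return str(a), str(b)


@dataclass(frozen=True)
class TrapRule:
    """The match part of one 'event snmp-notification oid ... oid-val ... op ... [src-ip-address ...] direction ...' line."""
    oid: str
    oid_val: str
    op: str = "eq"
    src_ip: Optional[str] = None   # optional src-ip-address filter
    direction: str = "incoming"

    def matches(self, n: Notification) -> bool:
        if n.direction != self.direction:
            return False
        if self.src_ip is not None and ipaddress.ip_address(n.src_ip) != ipaddress.ip_address(self.src_ip):
            return False
        if self.oid not in n.varbinds:   # the varbind must be present for the rule to fire at all
            return False
        got, want = _comparable(n.varbinds[self.oid], self.oid_val)
        return _OPS[self.op](got, want)


@dataclass
class ClusterSwitch:
    """One of the two cluster switches from the ASA failover example."""
    hsrp_state: str                  # "Active" or "Standby"
    secondary_asa: str               # address the secondary ASA sends its notifications from
    asa_facing: Tuple[str, ...]      # interfaces to shut when the secondary ASA goes active
    rule: Optional[TrapRule] = None

    def __post_init__(self):
        if self.rule is None:        # 'oid_val 0 op ne': any non-zero failover state from the secondary ASA
            self.rule = TrapRule(ASA_FAILOVER_VARBIND, "0", "ne", src_ip=self.secondary_asa)

    def on_trap(self, n: Notification) -> List[str]:
        """CLI the applet would push: shut every ASA-facing interface, but only on the HSRP
        Active switch and only for a matching notification from the secondary ASA."""
        if self.hsrp_state != "Active" or not self.rule.matches(n):
            return []
        cmds: List[str] = []
        for ifc in self.asa_facing:
            cmds += [f"interface {ifc}", " shutdown"]
        return cmds


# Constructed sample notifications; UPS_RULE is the catch-a-trap match (snmpTrapOID.0 eq linkDown, one source).
UPS_RULE = TrapRule(SNMP_TRAP_OID, LINK_DOWN, "eq", src_ip="10.0.0.20")
UPS_LINK_DOWN = Notification("10.0.0.20", "incoming", {SNMP_TRAP_OID: LINK_DOWN, "1.3.6.1.2.1.2.2.1.1.3": 3})
UPS_LINK_UP = Notification("10.0.0.20", "incoming", {SNMP_TRAP_OID: LINK_UP})
OTHER_SOURCE = Notification("10.0.0.99", "incoming", {SNMP_TRAP_OID: LINK_DOWN})


def demo() -> dict:
    active = ClusterSwitch("Active", "10.0.1.2", ("GigabitEthernet1/1", "GigabitEthernet1/2"))
    standby = ClusterSwitch("Standby", "10.0.1.2", ("GigabitEthernet1/1",))
    asa_going_active = Notification("10.0.1.2", "incoming", {ASA_FAILOVER_VARBIND: 1})
    return {
        "ups_fires": UPS_RULE.matches(UPS_LINK_DOWN),
        "ups_linkup_ignored": not UPS_RULE.matches(UPS_LINK_UP),
        "other_source_ignored": not UPS_RULE.matches(OTHER_SOURCE),
        "active_switch_cmds": active.on_trap(asa_going_active),
        "standby_switch_cmds": standby.on_trap(asa_going_active),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things to keep in mind when an applet like the failover one shuts interfaces on a received trap: `src-ip-address` is a filter, not authentication, since SNMPv1/v2c traps are unauthenticated UDP whose source can be spoofed, so feed such applets with SNMPv3 authenticated notifications or you hand anyone on the management network a cheap way to take the ASA links down; and the IOS side must actually be listening for notifications (`snmp-server manager`) or the event detector never sees them.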
Embedded Automation Systems (EASy)

The Custom HA EASy Package provides:
• Primary/backup link failover
• Based on an IP SLA metric
• An open-source tutorial/framework

To use the package:
1. Browse and download the EASy Package at www.cisco.com/go/easy
ACL Syslog Correlation

Problem: ACL hits can produce a Syslog message, but often in the NOC or SOC we want to know which specific line of an ACL (i.e. which ACE, Access Control Entry) was kicking in.

1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any

2. The tags are appended to the Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
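What the SOC side does with those tags, as an added example and not code from the deck: a parser for `%SEC-6-IPACCESSLOG*` messages that totals logged packets per (ACL, tag, action), so the report says which ACE fired rather than only which ACL. It assumes the ACL Syslog Correlation cookie is the bracketed word at the end of the message (`... 1 packet [red-server]`); verify the exact placement on your IOS release. The log lines in `SAMPLE_LOG` are constructed.

```python
"""ACE-tag correlation over IOS ACL syslog messages."""
import re
from collections import Counter
from typing import Optional

_ACE_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P|RP|S): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"     # source, source(port) for TCP/UDP
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"                 # destination, destination(port)
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"                    # ICMP type/code (IPACCESSLOGDP)
    r", (?P<pkts>\d+) packets?"
    r"(?: \[(?P<tag>[^\]]+)\])?"                                  # the ACE tag, assumed bracketed at the end
)


def parse_ace_log(line: str) -> Optional[dict]:
    """Fields of one ACL log message, or None if the line is something else."""
    m = _ACE_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pkts"] = int(rec["pkts"])
    for k in ("sport", "dport", "itype", "icode"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec


def hits_by_ace(lines) -> Counter:
    """Logged packets per (acl, tag, action). Untagged ACEs land under tag None, which is
    itself a finding: every ACE the SOC cares about should carry a cookie."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_ace_log(line)
        if rec:
            totals[(rec["acl"], rec["tag"], rec["action"])] += rec["pkts"]
    return totals


# Constructed sample log (timestamps, addresses and the fourth ACL are made up for the example).
SAMPLE_LOG = """\
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 10.1.1.1 -> 10.10.10.100 (8/0), 1 packet [red-server]
Apr 13 16:31:25.101: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.2(40321) -> 10.10.10.200(22), 1 packet [blue-server]
Apr 13 16:36:19.004: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 10.1.1.1 -> 10.10.10.100 (8/0), 5 packets [red-server]
Apr 13 16:36:30.777: %SEC-6-IPACCESSLOGP: list edge-in denied tcp 198.51.100.9(51000) -> 10.10.10.250(23), 3 packets
Apr 13 16:36:31.002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
"""

if __name__ == "__main__":
    for key, n in sorted(hits_by_ace(SAMPLE_LOG.splitlines()).items(), key=lambda kv: -kv[1]):
        print(f"{key}: {n} packets")
```

Two caveats for anyone turning this into a dashboard: ACL logging is rate-limited and summarised (the first matching packet is logged, then a per-ACE count at the logging interval, five minutes by default), so the totals are counts of logged packets rather than exact hit counts; and packets that match a `log` ACE are punted to the CPU, so tag only the ACEs the SOC actually needs.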
Verify Resource Utilization – using ERM

Monitoring Multiple Processes – Real-World Example (slide 66)

Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.

Solution: Define an ERM policy to notify upon critical or suspicious levels: syslog if the group's CPU usage rises above 10% at an interval of 10 s.

resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy

Resulting syslog messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
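A hysteresis model of the ERM policy above, as an added example and not code from the deck or from Cisco: it replays CPU samples for the my-login-group process group through the major (rising 20, falling 10) and minor (rising 10, falling 5) thresholds and returns the syslog lines ERM would raise. Model assumptions: each sample is one poll of the configured 10-second interval, a level is raised when utilisation is above its rising threshold, and it clears only once utilisation is at or below its falling threshold; between the two thresholds nothing is logged. The CPU samples are constructed.

```python
"""Rising/falling threshold model for an ERM CPU-process policy on a process group."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Level:
    name: str        # "critical", "major" or "minor"
    rising: int      # % CPU at process level above which the level is raised
    falling: int     # % CPU at or below which it clears; lower than rising, which is the hysteresis


# 'major rising 20 interval 10 falling 10 interval 10' and 'minor rising 10 interval 10 falling 5 interval 10'
LOGIN_POLICY: Tuple[Level, ...] = (Level("major", 20, 10), Level("minor", 10, 5))
INTERVAL_S = 10   # the policy's 'interval 10': one sample per poll (model assumption)


@dataclass
class ErmGroupMonitor:
    """Models one 'user group ... type iosprocess' with the policy above attached."""
    group: str
    levels: Tuple[Level, ...] = LOGIN_POLICY
    active: Set[str] = field(default_factory=set)   # names of the levels currently raised

    def poll(self, util: int) -> List[str]:
        msgs: List[str] = []
        for lvl in self.levels:
            if lvl.name not in self.active and util > lvl.rising:
                self.active.add(lvl.name)
                msgs.append(f"%SYS-4-CPURESRISING: Resource group {self.group} is seeing local cpu util "
                            f"{util}% at process level more than the configured {lvl.name} limit {lvl.rising}%")
            elif lvl.name in self.active and util <= lvl.falling:
                self.active.discard(lvl.name)
                msgs.append(f"%SYS-6-CPURESFALLING: Resource group {self.group} is no longer seeing local high cpu "
                            f"at process level for the configured {lvl.name} limit {lvl.rising}%, current value {util}%")
        return msgs


def replay(samples, group: str = "my-login-group") -> List[Tuple[int, str]]:
    """(seconds since start, syslog text) for every notification raised while polling `samples`."""
    mon = ErmGroupMonitor(group)
    out: List[Tuple[int, str]] = []
    for i, util in enumerate(samples):
        for msg in mon.poll(util):
            out.append((i * INTERVAL_S, msg))
    return out


def longest_raised(samples, level_name: str = "major") -> int:
    """Longest run of consecutive polls during which a level stayed raised. A level that stays
    up for many polls is a stronger brute-force signal than a single rising notification."""
    mon = ErmGroupMonitor("probe")
    run = best = 0
    for util in samples:
        mon.poll(util)
        run = run + 1 if level_name in mon.active else 0
        best = max(best, run)
    return best


# Constructed CPU samples for the SSH process group, one per 10 s poll: idle, a burst of logins, then quiet.
SAMPLE_CPU = (0, 16, 25, 15, 8, 3)

if __name__ == "__main__":
    for t, msg in replay(SAMPLE_CPU):
        print(f"t={t:3d}s  {msg}")
```

The sample at 15% produces no message at all: it is below the major rising threshold but above the major falling threshold, so a single-threshold alert would flap there while ERM stays quiet. Note also that ERM watches the cost of a brute force (CPU burned by the SSH processes), not the attempts; pair it with `login block-for` and the AAA logs to see the attempts themselves.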
EEM and onePK

Managed Network Use Case – Monitor Memory Usage

• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory utilization is greater than 80%.

resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
A Network "Top" – Real-World Example (slide 69)

• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC

Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive, and requires local skills and equipment.

Solution: Make use of IOS Embedded Packet Capture (EPC) to capture PCAP-format data and/or analyze it on the device.

3. Associate the capture point to the buffer:
Router# monitor capture point associate …

See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx.
Early Detection – GOLD

POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running, and can you afford to power-cycle after an OIR just for POST to run? (slide 81)

Generic Online Diagnostics (GOLD) – 1/3 (slide 82)

Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures; how do you find out during operation without power-cycling the box?

Solution: Use GOLD to verify the functionality of a misbehaving module.

• Bootup diagnostics (upon bootup and OIR)
• Periodic health monitoring (during operation)
• On-demand (from the CLI)
• Scheduled testing (from the CLI)

Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests

Complementary to POST. Good practice: schedule all non-disruptive tests periodically.

Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
If the OID doesnrsquot exist ndash Custom MIB
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device

Early Detection – GOLD

Generic Online Diagnostics (GOLD) – 1/3
POST (Power-On Self-Test) is great, but some errors you would rather learn about while the system is up and running. And can you afford to power-cycle after an OIR just for POST to run?

Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures; how do you find out during operation, without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.

• Bootup diagnostics (upon bootup and OIR)
• Periodic health monitoring (during operation)
• On-demand (from CLI)
• Scheduled testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
      B/* - Bypass bootup test / Not applicable
      P/* - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
      S/* - Only applicable to standby unit / Not applicable

6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com

Questions and Answers
We will also answer questions in the "Ptali jste se" (You Asked) session in hall LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com

Please rate this talk.

Thank you for your attention.

If the OID Doesn't Exist – Custom MIB

Custom MIB Polling
Problem: Sometimes there is a show command, but no MIB support (no MIB coverage for the CLI; see www.cisco.com/go/mibs). What if we still want to collect the information via SNMP?
Solution: Automate custom MIB polling via EEM and Expression-MIB or RFC2982-MIB, depending on the Cisco IOS version.
See: available as an EASy package, http://www.cisco.com/go/easy. Scripts for ASR available from CiscoBeyond.

The decision flowchart on the slide asks three questions:
• Is Expression-MIB supported?
• Is RFC2982-MIB supported?
• Running 12.4(20)T or later?
and leads to one of four options:
• Option 1: Use an EEM Tcl policy based on the CLI interface for Expression-MIB
• Option 2: Use an EEM Tcl policy based on the SNMP interface of RFC2982-MIB
• Option 3: Use an EEM Tcl policy based on the SNMP interface of Expression-MIB
• Option 4: Use EEM 3.1 (12.4(20)T or later)

Verifying the Monitoring Config – EASy NMS Tester Package

Is Monitoring Actually Working?
Problem: Monitoring relies on a number of protocols being configured and functional end-to-end, not just on the local node.
Solution: Use the EASy NMS Tester Package, which generates test messages for each configured monitoring protocol.
1) Install and configure the EASy NMS Tester Package
2) The NMS Tester Package generates test messages towards the Syslog server, SNMP NMS, mail server, Smart Call Home gateway and cisco.com
3) Verify that the test messages arrived
See: available as an EASy package, http://www.cisco.com/go/easy

Monitoring Remote Information

Receive Remote Information
Problem: Sometimes we want to receive remote information on a router/switch and be able to react to it locally, for example a notification from a UPS system.
Solution: Use network automation based on Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• The router/switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• The policy can query varbind info
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)
Scenario: the Uninterruptible Power Supply sends an SNMP trap "On Battery, 5 min remaining", and EEM on the router/switch reacts.

Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 ...
Router(config-applet)# action 020 ...
Here the OID 1.3.6.1.6.3.1.1.4.1.0 is snmpTrapOID.0 and the value 1.3.6.1.6.3.1.1.5.3 is the SNMPv2-MIB linkDown notification, so the applet fires only for incoming linkDown traps from the configured source address.
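The matching that the applet above relies on, as an added Python example (not code from the deck or from Cisco): a rule carries the same fields as the event snmp-notification line (oid, oid-val, op, src-ip-address, direction) and is evaluated against the varbinds of a notification, and a second rule covers the UPS scenario by comparing the remaining minutes numerically. The UPS OIDs are taken from RFC 1628 (UPS-MIB); the source addresses 10.0.0.1 and 10.0.0.50 and the notifications themselves are constructed for this example.

```python
"""Added example (not code from the deck): the matching the EEM SNMP
Notification Event Detector performs, modelled in Python.

The applet on the slide fires on an incoming notification whose
snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0) equals linkDown (1.3.6.1.6.3.1.1.5.3)
from one source address.  A rule here carries the same fields (oid, oid_val,
op, src_ip, direction) and is evaluated against the varbinds of a notification;
a second rule shows the UPS case from the slide, comparing the remaining
minutes numerically.  The UPS OIDs are taken from RFC 1628 (UPS-MIB); the
addresses and the notifications themselves are constructed for this example.
"""
import operator
from dataclasses import dataclass
from typing import List, Optional, Tuple

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0 (SNMPv2-MIB)
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"            # linkDown (SNMPv2-MIB, snmpTraps.3)
UPS_ON_BATTERY = "1.3.6.1.2.1.33.2.1"        # upsTrapOnBattery (RFC 1628)
UPS_MINUTES_LEFT = "1.3.6.1.2.1.33.1.2.3.0"  # upsEstimatedMinutesRemaining.0 (RFC 1628)
UPS_IP = "10.0.0.50"                         # assumed address of the UPS (not from the slide)

# Operators the "event snmp-notification ... op" keyword accepts.
OPS = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
       "gt": operator.gt, "le": operator.le, "ge": operator.ge}


def _typed(value: str):
    """Compare as integers when both sides are numeric, otherwise as strings."""
    try:
        return int(value)
    except ValueError:
        return value


@dataclass
class Notification:
    src_ip: str
    direction: str                      # "incoming" (received) or "outgoing" (locally generated)
    varbinds: List[Tuple[str, str]]     # (oid, value) pairs in PDU order

    def varbind(self, oid: str) -> Optional[str]:
        """What a policy does when it 'queries varbind info'."""
        for vb_oid, value in self.varbinds:
            if vb_oid == oid:
                return value
        return None


@dataclass
class SnmpNotificationRule:
    name: str                       # applet name
    oid: str                        # varbind to inspect
    oid_val: str                    # value to compare against
    op: str = "eq"
    src_ip: Optional[str] = None    # None behaves like omitting src-ip-address
    direction: str = "incoming"

    def matches(self, n: Notification) -> bool:
        if n.direction != self.direction:
            return False
        if self.src_ip is not None and n.src_ip != self.src_ip:
            return False
        value = n.varbind(self.oid)
        if value is None:                       # the OID is not in this notification
            return False
        a, b = _typed(value), _typed(self.oid_val)
        if type(a) is not type(b):              # number vs OID/string: only "ne" can hold
            return self.op == "ne"
        return OPS[self.op](a, b)


def dispatch(rules: List[SnmpNotificationRule], n: Notification) -> List[str]:
    """Names of the applets that would be triggered by this notification."""
    return [r.name for r in rules if r.matches(n)]


RULES = [
    # The slide's applet: snmpTrapOID.0 == linkDown, from one (assumed) address, incoming only.
    SnmpNotificationRule("catch-a-trap", SNMP_TRAP_OID, LINK_DOWN, "eq", src_ip="10.0.0.1"),
    # UPS on battery with 5 minutes or less left: start a graceful local reaction.
    SnmpNotificationRule("ups-low-runtime", UPS_MINUTES_LEFT, "5", "le", src_ip=UPS_IP),
]

# Constructed notifications (not captured traffic); sysUpTime.0 is always the first varbind.
SAMPLE_LINK_DOWN = Notification("10.0.0.1", "incoming", [
    ("1.3.6.1.2.1.1.3.0", "123456"),
    (SNMP_TRAP_OID, LINK_DOWN),
    ("1.3.6.1.2.1.2.2.1.1.3", "3"),          # ifIndex.3
])
SAMPLE_UPS = Notification(UPS_IP, "incoming", [
    ("1.3.6.1.2.1.1.3.0", "987654"),
    (SNMP_TRAP_OID, UPS_ON_BATTERY),
    (UPS_MINUTES_LEFT, "5"),
])

if __name__ == "__main__":
    for n in (SAMPLE_LINK_DOWN, SAMPLE_UPS):
        print(n.src_ip, "->", dispatch(RULES, n))
```

The source-address and direction checks come first because they are the cheap filters; an outgoing copy of the same linkDown trap, or a trap from any other host, never reaches the value comparison, which is also why a notification that lacks the OID cannot match.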

Format and Share Information

Real-World Example: Format and Share Remote Information
Problem: How to actively gather and share information from a router and from a few devices behind the router, across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.
Solution 2: Use Cisco IOS network automation to collect and post the information.

Using Cisco IOS Embedded Event Manager and Tcl:
1. Load the http package in the EEM policy (the slide writes this step as "namespace import http")
   package require http
2. Collect the information required (into $my_info)
3. Build the query for the HTTP POST operation
   set my_query [::http::formatQuery status $my_info]
4. POST the information to a website and release the token afterwards
   set my_reply [::http::geturl $my_server_url -query $my_query]
   ::http::cleanup $my_reply

Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap
Packet 1 arrives: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS byte 0, Input Interface Ethernet 0, SYN flag 0.

Flow Monitor 1 – Traffic Analysis Cache
  Key fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF
  Non-key fields: Packets, Bytes, Timestamps, Next Hop Address
  Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | ... | Pkts
  3.3.3.3   | 2.2.2.2 | 23          | 22078     | 6        | 0   | E0       | ... | 1100

Flow Monitor 2 – Security Analysis Cache
  Key fields: Source IP, Dest IP, Input IF, SYN Flag
  Non-key fields: Packets, Timestamps
  Source IP | Dest IP | Input IF | Flag | ... | Pkts
  3.3.3.3   | 2.2.2.2 | E0       | 0    | ... | 11000

The same packet populates both caches; which entry it lands in is decided by each monitor's key fields.

Traffic
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields

For Your Reference: Flexible NetFlow (FNF) – Key Fields – 1/2
• IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Protocol, Options bitmap, Fragmentation Flags, Fragmentation Offset, Version, Precedence, DSCP, TOS, Identification, Header Length, Total Length
• Interface: Input, Output
• Flow: Sampler ID, Direction
• Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Dot1q priority, Source VLAN, Dest VLAN
• IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Traffic Class, Protocol, Extension Headers, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length

For Your Reference: Flexible NetFlow (FNF) – Key Fields – 2/2
• Multicast: Replication Factor, RPF Check Drop, Is-Multicast
• Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, Source or Dest AS, Peer AS, Traffic Index, Forwarding Status
• Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
• Application: Application ID (IPv4 flow only)

For Your Reference: Flexible NetFlow (FNF) – Configuration
1. Configure the exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the flow record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the flow monitor (how do I want to cache the information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply it to an interface (on which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input

Real-World Example: Flexible NetFlow and EEM – Low TTL
Goal: find the top (unexpected) talkers with low-TTL traffic and deviations from normal, identify senders with many low-TTL flows, and take action (block suspicious senders).

EEM applet action:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Resulting message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248

3. Use the syslog message and/or the show flow monitor cache command:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
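An added Python example (not code from the deck or from Cisco) serving both the FNF recap above and this low-TTL slide: a minimal flow cache in which the key fields of a flow record decide which packets fold into one entry while non-key fields are only collected, followed by the low-TTL hunt, aggregating by source address the way "show flow monitor ... cache aggregate ipv4 source address sort highest counter bytes top 10" does and reporting senders with many low-TTL flows. The packets are constructed: 3.3.3.3 to 2.2.2.2 on ports 23/22078 via E0 come from the slide; the prober 10.9.8.7, the sizes and the TTL values are assumptions.

```python
"""Added example (not code from the deck): a minimal Flexible NetFlow-style
flow cache in Python.  It shows the point of the recap slide, that the key
fields of a flow record decide which packets fold into one cache entry while
non-key fields are merely collected, and then runs the low-TTL hunt of the
later slide: aggregate by source address and report senders with many
low-TTL flows.

The packets are constructed; 3.3.3.3 -> 2.2.2.2, ports 23/22078 and interface
E0 come from the slide, the prober 10.9.8.7 and all sizes/TTLs are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    in_if: str
    ttl: int
    syn: int
    length: int


class FlowMonitor:
    """A flow record ("match" = key fields) and the cache it fills.

    Non-key fields collected for every entry: packet and byte counters and the
    minimum TTL seen (FNF: collect counter packets / counter bytes / ipv4 ttl minimum).
    """

    def __init__(self, match: Tuple[str, ...]):
        self.match = match
        self.cache: Dict[tuple, dict] = {}

    def account(self, pkt: Packet) -> None:
        key = tuple(getattr(pkt, f) for f in self.match)
        entry = self.cache.setdefault(key, {"packets": 0, "bytes": 0, "min_ttl": 255})
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        entry["min_ttl"] = min(entry["min_ttl"], pkt.ttl)

    def top(self, key_field: str, counter: str, n: int) -> List[Tuple[str, int]]:
        """'cache aggregate <key_field> sort highest counter <counter> top <n>'."""
        idx = self.match.index(key_field)
        agg: Dict[str, int] = defaultdict(int)
        for key, entry in self.cache.items():
            agg[key[idx]] += entry[counter]
        return sorted(agg.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Flow monitor 1 (traffic analysis) and flow monitor 2 (security analysis) from the recap slide.
TRAFFIC_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "in_if")
SECURITY_KEYS = ("src", "dst", "in_if", "syn")


def sample_packets() -> List[Packet]:
    """Constructed traffic: one session from the slide plus a low-TTL prober."""
    pkts = [Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", ttl=64, syn=0, length=500)
            for _ in range(3)]
    pkts.append(Packet("3.3.3.3", "2.2.2.2", 23, 22079, 6, 0, "E0", ttl=64, syn=1, length=60))
    for dport in range(20, 25):      # five probes, each a flow of its own for monitor 1
        pkts.append(Packet("10.9.8.7", "2.2.2.2", 40000, dport, 6, 0, "E0", ttl=3, syn=1, length=40))
    pkts.append(Packet("10.9.8.7", "2.2.2.3", 40000, 80, 6, 0, "E0", ttl=2, syn=1, length=40))
    return pkts


def build_caches(packets: List[Packet]) -> Tuple[FlowMonitor, FlowMonitor]:
    traffic, security = FlowMonitor(TRAFFIC_KEYS), FlowMonitor(SECURITY_KEYS)
    for p in packets:
        traffic.account(p)
        security.account(p)
    return traffic, security


def low_ttl_senders(monitor: FlowMonitor, ttl_below: int, min_flows: int) -> Dict[str, int]:
    """Sources with at least min_flows cache entries whose minimum TTL is below ttl_below."""
    src_idx = monitor.match.index("src")
    flows: Dict[str, int] = defaultdict(int)
    for key, entry in monitor.cache.items():
        if entry["min_ttl"] < ttl_below:
            flows[key[src_idx]] += 1
    return {src: n for src, n in flows.items() if n >= min_flows}


if __name__ == "__main__":
    traffic, security = build_caches(sample_packets())
    print("traffic cache entries:", len(traffic.cache), " security cache entries:", len(security.cache))
    print("top sources by bytes:", traffic.top("src", "bytes", 10))
    print("low-TTL senders:", low_ttl_senders(traffic, ttl_below=5, min_flows=3))
```

The prober's six packets become six entries in the traffic-analysis cache but collapse to two in the security-analysis cache, whose key omits the ports; that is the trade-off the two flow monitors on the recap slide make. The low-TTL count is taken from the monitor keyed on ports on purpose, since counting flows rather than packets is what separates a scanner from a single long-lived session that happens to have a low TTL.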

Dynamic SLAs – Using IPSLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public

Dynamic SLAs and Custom High Availability
Problem: "Define – Monitor – Alert" was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic event detector.
Solution III: Use EEM with a specific event detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.

Flow upon a state change of the tracked IP SLA operation:
• Did the IP SLA operation time out?
  – Yes (timeout): the tracked object is down -> execute the down commands -> if down-syslog is set, send the down syslog -> done
  – No (succeed): the tracked object is up -> execute the up commands -> if up-syslog is set, send the up syslog -> done

Real-World Example: Custom Failover Scenarios
Problem: When a standby ASA decides to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP Notification Event Detector.
On the active cluster switches:
  if we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
    for each ASA-facing interface: shut
Tcl policy registration (OID as printed on the slide, dots lost):
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
Sequence: 1 – the ASA becomes active; 2 – shut the ASA-facing interfaces (on each switch).

Embedded Automation Systems (EASy)
The Custom HA EASy Package provides:
• Primary/backup link failover
• Based on an IP SLA metric
• Open-source tutorial/framework
To use the package:
1. Browse and download the EASy package: www.cisco.com/go/easy

ACL Syslog Correlation
Problem: ACL hits can produce a syslog message, but often in the NOC or SOC we want to know which specific line of the ACL (i.e. which ACE, Access Control Entry) was kicking in.
1. Define tags for your ACEs
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. The tags are appended to the syslog messages
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted

Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels. Syslog if the group's CPU usage rises above 10% at an interval of 10 s.

resource policy
 ! policy header (not on the slide): the thresholds below belong to a process-level CPU policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy

Resulting syslog messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% current value 0%
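An added Python example (not code from the deck or from Cisco) for the two syslog-driven slides above, ACL Syslog Correlation and the ERM login-process policy: it splits IOS syslog lines into their parts, counts ACL hits per (ACL, ACE tag, verdict) so the SOC knows which ACE fired, and replays CPURESRISING/CPURESFALLING messages to find which resource groups are still above a limit. The log lines are constructed to follow the message formats on the slides (the slide's own IPACCESSLOGDP line is cut off there and is not reproduced); the bracketed placement of the ACE tag, the ACL name "edge-in", the addresses and the stripped hostname/sequence prefixes are assumptions.

```python
"""Added example (not code from the deck): parsing the syslog lines the two
slides above rely on, as a SOC would before acting on them.

* ACL Syslog Correlation: %SEC-6-IPACCESSLOG* lines, where the user-defined
  tag of the ACE (red-server, blue-server) is appended in square brackets;
  hits are counted per (ACL, tag, verdict) so you know which ACE fired.
* ERM: %SYS-4-CPURESRISING / %SYS-6-CPURESFALLING lines, replayed to find
  which resource groups are still above a minor/major/critical limit.

The log lines are constructed to follow the message formats shown on the
slides; hostname and sequence-number prefixes are assumed stripped.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# "Mon DD HH:MM:SS.mmm: %FACILITY-SEVERITY-MNEMONIC: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s+(?P<body>.*)$"
)

# "list <acl> permitted|denied <proto> src[(port)] -> dst[(port)] [(type/code)], N packet(s) [tag]"
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?"
    r"(?: \([^)]*\))?, (?P<count>\d+) packets?(?: \[(?P<tag>[^\]]+)\])?$"
)

RISING_RE = re.compile(
    r"^Resource group (?P<group>\S+) is seeing local cpu util (?P<util>\d+)%? at process level "
    r"more than the configured (?P<level>minor|major|critical) limit (?P<limit>\d+)%?$"
)
FALLING_RE = re.compile(
    r"^Resource group (?P<group>\S+) is no longer seeing local high cpu at process level "
    r"for the configured (?P<level>minor|major|critical) limit (?P<limit>\d+)%? current value (?P<current>\d+)%?$"
)

LEVEL_ORDER = {"minor": 1, "major": 2, "critical": 3}


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Split an IOS syslog line into timestamp, facility, severity, mnemonic and body."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def acl_hits_by_tag(lines: Iterable[str]) -> Counter:
    """Packets per (ACL name, ACE tag, verdict).  Untagged ACEs are counted as '<untagged>'."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if not rec or not rec["mnem"].startswith("IPACCESSLOG"):
            continue
        m = ACL_RE.match(rec["body"])
        if not m:
            continue
        hits[(m["acl"], m["tag"] or "<untagged>", m["verdict"])] += int(m["count"])
    return hits


def erm_group_state(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Replay ERM CPU messages; result is the highest limit each group is still above (None = clear).

    A falling message only clears the limit it names, so a group can drop below
    'major' and still be above 'minor'.
    """
    active: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_syslog(line)
        if not rec:
            continue
        if rec["mnem"] == "CPURESRISING":
            m = RISING_RE.match(rec["body"])
            if m:
                active.setdefault(m["group"], set()).add(m["level"])
        elif rec["mnem"] == "CPURESFALLING":
            m = FALLING_RE.match(rec["body"])
            if m:
                active.setdefault(m["group"], set()).discard(m["level"])
    return {g: (max(lv, key=LEVEL_ORDER.__getitem__) if lv else None) for g, lv in active.items()}


# Constructed sample log (not captured from a device).
SAMPLE_LOG: List[str] = [
    "Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.5(40213) -> 10.10.10.100(22), 1 packet [red-server]",
    "Apr 13 16:31:19.102: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 10.1.1.5 -> 10.10.10.200 (8/0), 3 packets [blue-server]",
    "Apr 13 16:31:25.411: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.1.1.9(51000) -> 10.10.10.100(22), 4 packets [red-server]",
    "Apr 13 16:31:30.007: %SEC-6-IPACCESSLOGP: list edge-in denied tcp 198.51.100.7(6000) -> 10.10.10.100(23), 2 packets",
    "Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%",
    "Aug 25 12:56:31.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 23% at process level more than the configured major limit 20%",
    "Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured major limit 20% current value 12%",
]

if __name__ == "__main__":
    for key, n in sorted(acl_hits_by_tag(SAMPLE_LOG).items()):
        print(f"{key[0]:16s} {key[1]:12s} {key[2]:10s} {n} packets")
    print(erm_group_state(SAMPLE_LOG))
```

Counting by tag rather than by ACL name is the whole point of the correlation feature: two ACEs in the same list, both permitting, are only distinguishable by the tag. For ERM, replaying rising and falling pairs per level matters because IOS clears each limit separately; in the sample the group is still above its minor limit after the major limit has cleared, which is exactly the lingering brute-force load the slide wants to catch.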

Verify Resource Utilization – using ERM, EEM and onePK

Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory utilization is greater than 80%.

resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
!
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem Sometimes there is a show command ndash but no MIB support What if we still want to collect the Information via SNMP
See Available as an EASy Package
httpwwwciscocomgoeasy Scripts for ASR available fom CiscoBeyond
Solution Automate Custom MIB Polling via EEM and Expression-MIB or RFC2982-MIB depending on Cisco IOS Version
Is
Expression-MIB
Supported
No MIB Coverage for CLI
(see wwwciscocomgomibs) Option 4 Use EEM 31
Running
124(20)T
or later
Is
RFC2982-MIB
Supported
Option 1 Use EEM Tcl Policy based on
CLI Interface for Expression-MIB
Option 2 Use EEM Tcl Policy based on
SNMP Interface of RFC2982-MIB
Option 3 Use EEM Tcl Policy based on
SNMP Interface of Expression-MIB
Yes
No
No
Yes
No
Yes
Custom MIB Polling
22
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verifying the Monitoring Config ndash EASy
NMS Tester Package
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information

Receive Remote Information
Problem: Sometimes we want to receive remote information on a router or switch and be able to react to it locally, for example a notification from a UPS system.
Solution: Use network automation based on Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
• The router or switch can receive SNMP notifications
• Execute (trigger) an EEM policy to take local action
• The policy can query varbind information
• Supports incoming or outgoing notifications (outgoing only for locally generated notifications)

Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 …
Router(config-applet)# action 020 …

The event line fires for an incoming notification from the given source address whose snmpTrapOID.0 varbind (1.3.6.1.6.3.1.1.4.1.0) equals the standard linkDown trap OID (1.3.6.1.6.3.1.1.5.3).

[Figure: the UPS sends the SNMP trap "On Battery, 5 min remaining" to the router/switch, where EEM reacts.]
Format and Share Information
Problem: How to actively gather and share information from a router and from a few devices behind the router, across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, event management software, reporting, provisioning and CRM systems.
Solution 2: Use Cisco IOS network automation to collect and post the information.

Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy:
   namespace import ::http::*
2. Collect the information required
3. Build a query for the http POST operation:
   set my_query [::http::formatQuery status $my_info]
4. POST the information to a website:
   set my_reply [::http::geturl $my_server_url -query $my_query]

Real-World Example: Format and Share Remote Information
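The four Tcl steps above, carried out end to end in Python as an added example (this is not code from the slides or from Cisco): a loopback HTTP server stands in for the receiving website, the device status is a constructed dictionary, and urlencode/urlopen play the roles of ::http::formatQuery and ::http::geturl -query. The hostname, interface name and URL path are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Raw request bodies seen by the receiving side (filled in by the stand-in server).
received = []


class CollectorHandler(BaseHTTPRequestHandler):
    """Stand-in for the website that receives the POST (constructed for this example)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        received.append(self.rfile.read(length).decode())
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):          # keep the demo quiet
        pass


def start_collector():
    """Bind an ephemeral loopback port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), CollectorHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def collect_information():
    """Step 2: the information to share. Constructed values (assumption) standing in
    for what an EEM policy would read from the device via CLI or SNMP."""
    return {"hostname": "edge-router-1", "uptime_s": 86400,
            "interfaces_down": ["Serial3/0"]}


def format_query(info):
    """Step 3: build the form body; the equivalent of Tcl's ::http::formatQuery."""
    return urlencode({"status": json.dumps(info, sort_keys=True)})


def parse_query(body):
    """Inverse of format_query, as the receiving side would decode the body."""
    return json.loads(parse_qs(body)["status"][0])


def post_status(server_url, info):
    """Step 4: POST the body; the equivalent of Tcl's ::http::geturl ... -query."""
    req = Request(server_url, data=format_query(info).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def run_demo():
    """Full exchange over loopback: (HTTP status, reply body, what the receiver decoded)."""
    server = start_collector()
    try:
        url = "http://127.0.0.1:%d/status" % server.server_address[1]
        status, reply = post_status(url, collect_information())
        return status, reply, parse_query(received[-1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The slide's Tcl posts over plain HTTP; since the point of the exercise is to move device state across organizational borders, $my_server_url should in practice be an https endpoint that authenticates the poster, and the receiving side should treat the body as untrusted input (here it is decoded with parse_qs and json.loads rather than evaluated).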
Traffic Flows – Flexible NetFlow and EEM

Flexible NetFlow (FNF) – Recap
Traffic:
• Top N talkers
• MAC, interface, VLAN
• 80+ key fields
• 14 non-key fields

Key fields of packet 1: Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0

Flow Monitor 1 – Traffic Analysis Cache
Key fields: Source IP, Dest IP, Source Port, Dest Port, Protocol, TOS, Input IF
Non-key fields: Packets, Bytes, Timestamps, Next Hop Address

Source IP  Dest IP  Source Port  Dest Port  Protocol  TOS  Input IF  …  Pkts
3.3.3.3    2.2.2.2  23           22078      6         0    E0        …  1100

Flow Monitor 2 – Security Analysis Cache
Key fields of packet 1: Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0
Key fields: Source IP, Dest IP, Input IF, SYN Flag
Non-key fields: Packets, Timestamps

Source IP  Dest IP  Input IF  Flag  …  Pkts
3.3.3.3    2.2.2.2  E0        0     …  11000

The same packets feed both caches: a monitor with fewer key fields folds more packets into one flow entry, which is why the security cache counts 11000 packets where the traffic cache counts 1100 for a single session.
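The two flow caches of the recap, rebuilt as an added example (not code from the slides or from Cisco): one flow monitor keyed on the seven traffic-analysis fields, one keyed on the four security-analysis fields, both fed the same constructed packet stream. The packet stream, interface names and the top-talker aggregation helper are assumptions made for the illustration; the first session reproduces the slide's 1100-packet flow and ten further sessions bring the host pair to 11000 packets in the security cache.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Fields of one packet that the two flow records on the slide look at."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # 6 = TCP
    tos: int
    input_if: str
    syn: int         # 1 if the TCP SYN flag is set
    length: int      # bytes on the wire
    ts: float        # arrival time in seconds


# Key-field sets as the two flow records on the slide define them.
TRAFFIC_KEYS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto", "tos", "input_if")
SECURITY_KEYS = ("src_ip", "dst_ip", "input_if", "syn")


class FlowMonitor:
    """Minimal flow cache: packets that agree on every key field are one flow;
    the non-key fields (counters, timestamps) are accumulated per flow."""

    def __init__(self, keys, collect_bytes=True):
        self.keys = keys
        self.collect_bytes = collect_bytes   # Bytes is a non-key field only in monitor 1
        self.cache = {}

    def observe(self, pkt):
        key = tuple(getattr(pkt, k) for k in self.keys)
        entry = self.cache.get(key)
        if entry is None:
            entry = {"pkts": 0, "first": pkt.ts, "last": pkt.ts}
            if self.collect_bytes:
                entry["bytes"] = 0
            self.cache[key] = entry
        entry["pkts"] += 1
        entry["last"] = pkt.ts
        if self.collect_bytes:
            entry["bytes"] += pkt.length

    def top_talkers(self, n, field="src_ip", counter="pkts"):
        """Aggregate the cache on one key field and rank it, in the spirit of
        'show flow monitor ... cache aggregate ... sort highest counter ... top N'."""
        idx = self.keys.index(field)
        totals = {}
        for key, entry in self.cache.items():
            totals[key[idx]] = totals.get(key[idx], 0) + entry[counter]
        return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_packets():
    """Constructed traffic: the slide's session plus ten more between the same hosts."""
    pkts = []
    for i in range(1100):                      # 3.3.3.3:23 -> 2.2.2.2:22078 on E0, as on the slide
        pkts.append(Packet("3.3.3.3", "2.2.2.2", 23, 22078, 6, 0, "E0", 0, 100, i * 0.01))
    for sport in range(1000, 1010):            # ten other sessions, 990 packets each (assumption)
        for i in range(990):
            pkts.append(Packet("3.3.3.3", "2.2.2.2", sport, 80, 6, 0, "E0", 0, 64, 20 + i * 0.01))
    return pkts


def run():
    """Feed every packet to both monitors and return them for inspection."""
    traffic = FlowMonitor(TRAFFIC_KEYS)
    security = FlowMonitor(SECURITY_KEYS, collect_bytes=False)
    for p in build_sample_packets():
        traffic.observe(p)
        security.observe(p)
    return traffic, security


if __name__ == "__main__":
    t, s = run()
    print(len(t.cache), "flows in the traffic cache;", len(s.cache), "in the security cache")
    print(t.top_talkers(3))
```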
Flexible NetFlow (FNF) – Key Fields – 1/2 (For Your Reference)

IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Options bitmap, Version, Precedence, DSCP, TOS

IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version

Interface: Input, Output

Flow: Sampler ID, Direction

Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
Flexible NetFlow (FNF) – Key Fields – 2/2 (For Your Reference)

Multicast: Replication Factor, RPF Check Drop, Is-Multicast

Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status

Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port

Application: Application ID (IPv4 flow only)
Flexible NetFlow (FNF) – Configuration (For Your Reference)

1. Configure the Exporter (where do I want my data sent?)
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1

2. Configure the Flow Record (what data do I want to meter?)
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes

3. Configure the Flow Monitor (how do I want to cache information?)
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record

4. Apply to an Interface (on which interface do I want to monitor?)
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL

EEM applet action that logs the offending flow's source address:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"

3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10

Uses:
- Top (unexpected) talkers with low-TTL traffic
- Deviation from normal
- Senders with many low-TTL flows
- Take actions (block suspicious senders)
Dynamic SLAs – Using IP SLA and EEM (slides from Cisco Live session BRKNMS-2465)

Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.

Upon state change:
Did the IP SLA operation time out?
• Yes: tracked object is down → execute down commands → is down-syslog set? Yes: send down syslog; No: done
• No (operation succeeded): tracked object is up → execute up commands → is up-syslog set? Yes: send up syslog; No: done

Solution I: Use configurable point features where available
Solution II: Use EEM with a generic Event Detector
Solution III: Use EEM with a specific Event Detector
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms
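The flowchart above as an executable state machine, added here as an example (not code from the slides or from Cisco): each IP SLA probe result is fed in, and only a change of the tracked object's state runs the down or up commands and, when the corresponding syslog flag is set, emits a message. The tracked-object name, the backup default-route commands and the syslog text are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class TrackPolicy:
    """One tracked IP SLA operation and the actions bound to its state changes.
    The commands are constructed examples (assumption): a floating backup default route."""
    name: str
    down_commands: List[str]
    up_commands: List[str]
    down_syslog: bool = True
    up_syslog: bool = True


@dataclass
class Tracker:
    policy: TrackPolicy
    state: str = "up"                             # assume the tracked object starts up
    syslog: List[str] = field(default_factory=list)

    def on_probe(self, timed_out: bool) -> List[str]:
        """Feed one IP SLA probe result and return the commands executed.
        Only a state change triggers commands ('Upon State Change' on the slide),
        so a run of consecutive timeouts executes the down commands exactly once."""
        new_state = "down" if timed_out else "up"
        if new_state == self.state:
            return []
        self.state = new_state
        if timed_out:
            cmds = list(self.policy.down_commands)
            if self.policy.down_syslog:
                self.syslog.append("track %s: Up -> Down (constructed message)" % self.policy.name)
        else:
            cmds = list(self.policy.up_commands)
            if self.policy.up_syslog:
                self.syslog.append("track %s: Down -> Up (constructed message)" % self.policy.name)
        return cmds


def failover_demo():
    """Primary link fails for three probes in a row, then recovers."""
    pol = TrackPolicy(
        "wan-primary",
        down_commands=["ip route 0.0.0.0 0.0.0.0 192.0.2.2 10"],      # backup next hop (assumed)
        up_commands=["no ip route 0.0.0.0 0.0.0.0 192.0.2.2 10"],
        up_syslog=False,                                              # only the down event is logged
    )
    tracker = Tracker(pol)
    executed = [tracker.on_probe(timed_out=t) for t in (False, True, True, True, False)]
    return tracker, executed


if __name__ == "__main__":
    tracker, executed = failover_demo()
    print(executed)
    print(tracker.syslog)
```

The edge-triggered check is the part worth copying: an applet that re-runs its commands on every failed probe would keep rewriting the routing table and flooding syslog for as long as the outage lasts.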
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: use the EEM SNMP Event Detector.

Policy logic on the active cluster switches:
::cisco::eem::event_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
  for each ASA-facing interface: shut

[Figure: 1 – the standby ASA becomes active; 2 – EEM shuts the ASA-facing interfaces on the cluster switch.]
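The matching rule of the EEM SNMP Notification Event Detector, used by both the UPS example (catch-a-trap, matching snmpTrapOID.0 equal to linkDown from one source address) and the custom failover example above, modelled in Python as an added example (not code from the slides or from Cisco). The notification and policy objects, the UPS actions, the ASA notification OID placeholder, the interface names and the addresses are all constructed assumptions; the two standard OIDs are the ones quoted in the catch-a-trap applet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # snmpTrapOID.0, the varbind that names the trap
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"         # linkDown, a standard trap OID
ASA_STATE_OID = "OID-PLACEHOLDER-ASA-FAILOVER"   # placeholder for the slide's ASA OID (assumption)


@dataclass
class Notification:
    src_ip: str
    direction: str            # "incoming" (received) or "outgoing" (locally generated)
    varbinds: Dict[str, str]  # OID -> value, both as strings


@dataclass
class TrapPolicy:
    """Model of 'event snmp-notification oid X oid-val Y op OP [src-ip-address S] direction D'."""
    oid: str
    oid_val: str
    op: str                   # "eq" or "ne" are the operators modelled here
    direction: str = "incoming"
    src_ip: Optional[str] = None

    def matches(self, n: Notification) -> bool:
        if n.direction != self.direction:
            return False
        if self.src_ip is not None and \
                ipaddress.ip_address(n.src_ip) != ipaddress.ip_address(self.src_ip):
            return False
        value = n.varbinds.get(self.oid)
        if value is None:                 # the varbind is absent from this notification
            return False
        if self.op == "eq":
            return value == self.oid_val
        if self.op == "ne":
            return value != self.oid_val
        raise ValueError("unsupported op %r" % self.op)


def ups_trap_actions(policy: TrapPolicy, n: Notification) -> List[str]:
    """'catch-a-trap': the local actions taken for a matching UPS trap (assumed actions)."""
    if not policy.matches(n):
        return []
    return ['syslog msg "UPS %s sent trap %s"' % (n.src_ip, n.varbinds.get(policy.oid)),
            'cli command "show environment power"']


def plan_cluster_failover(policy: TrapPolicy, n: Notification, hsrp_state: str,
                          secondary_asa_ips: List[str], asa_facing_ifs: List[str]) -> List[str]:
    """Custom failover slide: on the HSRP-active cluster switch, when a secondary ASA
    announces it is going active, return the commands that shut every ASA-facing interface."""
    if not policy.matches(n) or hsrp_state != "Active":
        return []
    secondaries = {ipaddress.ip_address(ip) for ip in secondary_asa_ips}
    if ipaddress.ip_address(n.src_ip) not in secondaries:
        return []                         # a primary ASA or an unknown sender: do nothing
    cmds = []
    for intf in asa_facing_ifs:
        cmds += ["interface %s" % intf, " shutdown"]
    return cmds


if __name__ == "__main__":
    ups = TrapPolicy(SNMP_TRAP_OID, LINK_DOWN, "eq", src_ip="10.0.0.5")
    print(ups_trap_actions(ups, Notification("10.0.0.5", "incoming", {SNMP_TRAP_OID: LINK_DOWN})))
    asa = TrapPolicy(ASA_STATE_OID, "0", "ne")
    print(plan_cluster_failover(asa, Notification("10.1.1.2", "incoming", {ASA_STATE_OID: "1"}),
                                "Active", ["10.1.1.2"], ["Gi1/0/1", "Gi1/0/2"]))
```

The source-address and direction checks matter as much as the OID comparison: a policy that shuts interfaces on any notification carrying the right OID could be triggered by a misconfigured or spoofed SNMP sender, so the slide's guard (HSRP Active and a known secondary ASA as sender) is kept explicit here.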
Embedded Automation Systems (EASy)
The Custom HA EASy Package provides:
• Primary/Backup link failover
• Based on an IP SLA metric
• Open source tutorial/framework
To use the package:
1. Browse and download the EASy Package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message, but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE, Access Control Entry) was kicking in.

1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any

2. Tags will be appended to Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
Verify Resource Utilization – using ERM

Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical / suspicious levels.

Syslog if the group's CPU usage rises above 10 at an interval of 10 s:
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy

Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% current value 0%
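The three kinds of message the preceding slides hand to the NOC/SOC (tagged ACE hits from ACL Syslog Correlation, the "Low-TTL flow from ..." lines of the Flexible NetFlow and EEM example, and the ERM CPURESRISING/CPURESFALLING messages of the login-process policy) parsed and correlated by one collector-side script, added here as an example (not code from the slides or from Cisco). The sample log lines are constructed in IOS syslog form with documentation addresses; the ACE tag position, the low-TTL threshold and the ACL name are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Cisco IOS syslog form (not taken from a device).
SAMPLE_LOG = """\
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 10.20.0.7 -> 10.10.10.100 (8/0), 1 packet [red-server]
Apr 13 16:31:19.102: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.20.0.7(40211) -> 10.10.10.200(443), 1 packet [blue-server]
Apr 13 16:31:20.410: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 10.20.0.8(40300) -> 10.10.10.100(22), 3 packets [red-server]
Dec  2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.48
Dec  2 17:39:31.500: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.48
Dec  2 17:39:32.017: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.0.2.48
Dec  2 17:39:33.300: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 198.51.100.9
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% current value 0%
"""

# ACE hit with the ACL Syslog Correlation tag in square brackets at the end (assumed position).
ACE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<verdict>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?.*?, "
    r"(?P<count>\d+) packets? \[(?P<tag>[^\]]+)\]")
# Message produced by the applet action 'syslog msg "Low-TTL flow from $_nf_source_address"'.
TTL_RE = re.compile(r"%HA_EM-6-LOG: (?P<applet>\S+): Low-TTL flow from (?P<src>[\d.]+)")
# ERM CPU threshold crossing for a resource group.
CPU_RE = re.compile(r"%SYS-\d-(?P<event>CPURESRISING|CPURESFALLING): Resource group (?P<group>\S+)")


def correlate(log_text, low_ttl_threshold=3):
    """Walk the log once and build what a NOC/SOC view would show: packets per
    (ACL, ACE tag), sources per tag, low-TTL flows per sender, the senders at or
    above the threshold, and the latest ERM state per resource group."""
    ace_hits = Counter()
    ace_sources = defaultdict(set)
    low_ttl = Counter()
    cpu_state = {}
    for line in log_text.splitlines():
        m = ACE_RE.search(line)
        if m:
            ace_hits[(m["acl"], m["tag"])] += int(m["count"])
            ace_sources[m["tag"]].add(m["src"])
            continue
        m = TTL_RE.search(line)
        if m:
            low_ttl[m["src"]] += 1
            continue
        m = CPU_RE.search(line)
        if m:
            cpu_state[m["group"]] = "high" if m["event"] == "CPURESRISING" else "normal"
    return {
        "ace_hits": dict(ace_hits),
        "ace_sources": {tag: sorted(v) for tag, v in ace_sources.items()},
        "low_ttl": dict(low_ttl),
        "suspicious_senders": sorted(s for s, c in low_ttl.items() if c >= low_ttl_threshold),
        "cpu_state": cpu_state,
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_LOG).items():
        print(key, value)
```

Keying the ACE statistics on the tag rather than on the ACL name is the point of the correlation feature: the tag survives renumbering of the list, and a per-tag source set immediately answers "who is hitting red-server" without re-deriving it from the ACE text.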
EEM and onePK

Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory usage is greater than 80%.

resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning proc memory spike"
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top
• The same app can connect to multiple devices to display the top processes across the entire network
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP format data and/or analyze it on the device.

3. Associate the capture point to the buffer:
Router# monitor capture point associate …

See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running, and can you afford to power-cycle after OIR just for POST to run?

Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear and tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors. This can cause failures; how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST
Good practice: schedule all non-disruptive tests periodically
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C - Minimal level test / Complete level test / Not applicable
    B - Bypass bootup test / Not applicable
    P - Per port test / Not applicable
    D/N - Disruptive test / Non-disruptive test / Not applicable
    S - Only applicable to standby unit / Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Is Monitoring Actually Working
Problem Monitoring relies on a number of protocols to be configured and functional end-to-end not just on the local node
Solution Use the EASy NMS Tester Package ndash which generates test messages for each configured monitoring protocol
3) Verify Test Messages
2) NMS Tester Package will generate Test Messages
Smart Call Home Gateway and ciscocom
Syslog Server SNMP NMS Mail Server
1) Install and Configure EASy NMS Tester Package
25
See Available as an EASy Package
httpwwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Monitoring Remote Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Receive Remote Information
Problem Sometimes we want to receive remote information on a Router Switch and be able to react to it locally ndash for example a notification from a UPS System
Solution Use Network Automation based on Cisco IOS Embedded Event Manager leveraging the EEM SNMP Notification Event Detector
Router Switch can received SNMP Notifications
Execute (trigger) EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications
Outgoing only for locally generated Notifications
Router(config event manager applet catch-a-trap
router(config-applet) description test snmp notification unmanaged service
router(config-applet) event snmp-notification oid 13616311410
oid-val 1361631153 op eq src-ip-address 105189176
direction incoming
router(config-applet) action 010 hellip
router(config-applet) action 020 hellip
Uninterruptible Power Supply
SNMP Trap ndash On Battery 5 Min Remaining
EEM EEM
28
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Real-World Example: Flexible NetFlow and EEM – Low TTL (slide 40)
Use cases: top (unexpected) talkers with low-TTL traffic; deviation from normal; senders with many low-TTL flows; take actions (block suspicious senders).
EEM applet action that raises a syslog message for each matching flow:
action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Resulting message:
Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 1921682248
3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
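The slide's three use cases (top talkers, senders with many low-TTL flows, deviation from normal) are queries over the flow cache or its export. As an added example, not part of the deck, the Python below runs those queries on constructed flow records of the shape a record with `match ipv4 source address`, `match ipv4 ttl` and `collect counter bytes` would produce: a per-source aggregation equivalent to `cache aggregate ipv4 source address sort highest counter bytes top N`, and a low-TTL sender check with a per-source baseline so a single stray low-TTL flow is not reported. The addresses, the low-TTL cut-off of 5 and the function names are assumptions made for the example.

```python
"""Collector-side analytics for the low-TTL use case: the per-source
aggregation `show flow monitor ... cache aggregate ipv4 source address sort
highest counter bytes top N` performs on the router, plus the 'senders with
many low-TTL flows' and 'deviation from normal' checks."""
from collections import defaultdict

LOW_TTL_MAX = 5   # assumption for the example: TTL <= 5 counts as low

# Constructed flow records (not exported data). 192.0.2.77 probes 40 hosts
# with TTL 1..3; 10.1.1.12 has one stray low-TTL flow, which a per-source
# threshold should not report; the other two sources are bulk senders.
SAMPLE_FLOWS = (
    [{"src": "10.1.1.10", "dst": "10.2.2.20", "ttl": 64, "bytes": 50_000} for _ in range(20)]
    + [{"src": "10.1.1.11", "dst": "10.2.2.21", "ttl": 128, "bytes": 400_000} for _ in range(5)]
    + [{"src": "192.0.2.77", "dst": f"10.2.2.{i}", "ttl": 1 + i % 3, "bytes": 60} for i in range(40)]
    + [{"src": "10.1.1.12", "dst": "10.2.2.22", "ttl": 2, "bytes": 60}]
)


def aggregate_by_source(flows):
    """Per-source totals: flow count, bytes and number of low-TTL flows."""
    agg = defaultdict(lambda: {"flows": 0, "bytes": 0, "low_ttl_flows": 0})
    for f in flows:
        a = agg[f["src"]]
        a["flows"] += 1
        a["bytes"] += f["bytes"]
        if f["ttl"] <= LOW_TTL_MAX:
            a["low_ttl_flows"] += 1
    return dict(agg)


def top_talkers(flows, n=10, counter="bytes"):
    """Equivalent of `sort highest counter bytes top n`."""
    agg = aggregate_by_source(flows)
    return sorted(agg.items(), key=lambda kv: kv[1][counter], reverse=True)[:n]


def low_ttl_senders(flows, min_flows=10, baseline=None, factor=3.0):
    """Sources with at least `min_flows` low-TTL flows that also exceed
    `factor` times their baseline count (a normal-day value per source;
    an empty baseline means anything above `min_flows` is new)."""
    baseline = baseline or {}
    suspicious = {}
    for src, a in aggregate_by_source(flows).items():
        n = a["low_ttl_flows"]
        if n >= min_flows and n > factor * baseline.get(src, 0):
            suspicious[src] = n
    return suspicious


if __name__ == "__main__":
    for src, a in top_talkers(SAMPLE_FLOWS, 3):
        print(f"{src:>12} {a['bytes']:>10} bytes {a['low_ttl_flows']:>3} low-TTL flows")
    print("candidates for the action step:", low_ttl_senders(SAMPLE_FLOWS))
```

The baseline argument is what turns "many low-TTL flows" into "deviation from normal": a source that always sends a few traceroute-style probes is reported only when its count grows well beyond its usual level, which keeps the action step (blocking) from firing on routine monitoring traffic.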
Dynamic SLAs – Using IP SLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public
Dynamic SLAs and Custom High Availability (slide 42)
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
[Flowchart, evaluated upon state change: Did the IP SLA operation time out? Timeout: the tracked object is down – execute the down commands; if down-syslog is set, send the down syslog. Success: the tracked object is up – execute the up commands; if up-syslog is set, send the up syslog. Otherwise: done.]
Solution I: Use configurable point features where available. Solution II: Use EEM with a generic Event Detector. Solution III: Use EEM with a specific Event Detector. Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
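The flowchart is a small state machine, and its important property is that commands and syslog run only when the tracked object's state actually changes, not on every probe result. The following Python is an added example (not code from the deck) that implements the chart as a class and adds one thing a production version needs: a `confirm` count so a single lost probe does not flip the state and trigger the down commands. The object name, the sample route commands and the syslog texts are constructed for the example.

```python
"""State machine of the 'Dynamic SLAs' flowchart: every IP SLA operation
result is classified as timeout or success, but commands and syslog run only
on a state change of the tracked object. `confirm` adds the damping a real
deployment needs so a single lost probe does not flip the state."""


class TrackedObject:
    def __init__(self, name, down_commands=(), up_commands=(),
                 down_syslog=None, up_syslog=None, confirm=1):
        self.name = name
        self.down_commands = list(down_commands)
        self.up_commands = list(up_commands)
        self.down_syslog = down_syslog    # None means 'down-syslog not set'
        self.up_syslog = up_syslog        # None means 'up-syslog not set'
        self.confirm = confirm            # consecutive results needed to switch
        self.state = None                 # unknown until the first result
        self._candidate, self._streak = None, 0
        self.executed = []                # commands that were 'executed'
        self.syslogs = []                 # syslog messages that were 'sent'

    def probe_result(self, timed_out):
        """Feed one IP SLA result. Returns the new state ('up'/'down') on a
        transition, or None when nothing happened (the 'done' branch)."""
        candidate = "down" if timed_out else "up"
        if candidate == self.state:           # no change: reset damping
            self._candidate, self._streak = None, 0
            return None
        if candidate != self._candidate:      # a different candidate state
            self._candidate, self._streak = candidate, 0
        self._streak += 1
        if self._streak < self.confirm:       # not yet confirmed: wait
            return None
        self.state = candidate
        self._candidate, self._streak = None, 0
        commands = self.down_commands if timed_out else self.up_commands
        self.executed.extend(commands)        # 'Execute down/up commands'
        message = self.down_syslog if timed_out else self.up_syslog
        if message is not None:               # 'Is down-/up-syslog set?'
            self.syslogs.append(f"{self.name}: {message}")
        return candidate


def simulate(results, **kwargs):
    """Run a sequence of probe results (True = timeout) through one object."""
    obj = TrackedObject("wan-primary", **kwargs)
    return obj, [obj.probe_result(r) for r in results]


if __name__ == "__main__":
    obj, transitions = simulate(
        [False, False, True, True, False],
        down_commands=["ip route 0.0.0.0 0.0.0.0 10.0.2.1 250"],
        up_commands=["no ip route 0.0.0.0 0.0.0.0 10.0.2.1 250"],
        down_syslog="primary path lost, floating static route activated")
    print(transitions, obj.executed, obj.syslogs, sep="\n")
```

With `confirm=1` the class is exactly the chart; with `confirm=2` a lone timeout between successful probes produces no transition at all, which is the behaviour you want before the down commands change routing.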
Real-World Example: Custom Failover Scenarios (slide 48)
Problem: Upon a standby ASA deciding to become active, we want to force full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: use the EEM SNMP Event Detector.
Sequence: 1 – ASA goes active; 2 – shut the ASA-facing interfaces (on each switch of the other cluster).
On the active cluster switches:
::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 oid_val 0 op ne
If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
  for each ASA-facing interface: shut
Embedded Automation Systems (EASy)
Custom HA EASy Package provides:
• Primary/Backup Link Failover
• Based on IP SLA Metric
• Open Source Tutorial/Framework
To use the Package:
1. Browse and Download EASy Package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define Tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. Tags will be appended to Syslog Messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
Real-World Example: Verify Resource Utilization – using ERM, Monitoring Multiple Processes (slide 66)
Problem: In order to detect resource consumption caused by brute force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels – Syslog if group CPU usage rises above 10% at an interval of 10 s.
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Resulting messages:
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 0%)
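The ERM policy only emits a RISING and a FALLING message; deciding whether a rise is a fifteen-second blip or a sustained brute-force run is left to whoever reads the syslog. As an added example (not part of the deck), the Python below parses the two message formats shown on the slide, pairs them per resource group into episodes with duration, peak utilisation and highest threshold crossed, and filters for sustained ones. The first two log lines are the slide's; the later lines, the timestamps in them and the `%LINK-3-UPDOWN` line (present to show unrelated messages are skipped) are constructed.

```python
"""Parser for the ERM CPU syslog messages of the previous example: each
%SYS-4-CPURESRISING / %SYS-6-CPURESFALLING pair for a resource group is
turned into an episode with duration, peak utilisation and highest threshold
crossed, so a sustained burst (a brute-force login run) stands out from a
fifteen-second blip."""
import re
from datetime import datetime

HEAD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %SYS-\d-CPURES(?P<dir>RISING|FALLING): "
    r"Resource group (?P<group>\S+) ")
UTIL_RE = re.compile(r"cpu util (\d+)%")
LIMIT_RE = re.compile(r"configured (minor|major|critical) limit (\d+)%")
LEVELS = {"minor": 1, "major": 2, "critical": 3}

# First two lines are the slide's; the rest are constructed to show a longer
# burst that crosses the minor and then the major threshold.
SAMPLE_LOG = [
    "Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%",
    "Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 0%)",
    "Aug 25 13:02:10.000: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 14% at process level more than the configured minor limit 10%",
    "Aug 25 13:02:30.000: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 31% at process level more than the configured major limit 20%",
    "Aug 25 13:09:50.000: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured major limit 20% (current value 15%)",
    "Aug 25 13:10:20.000: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% (current value 3%)",
    "Aug 25 13:11:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]


def parse_line(line):
    """One syslog line -> event dict, or None for unrelated messages."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    util, limit = UTIL_RE.search(line), LIMIT_RE.search(line)
    return {"ts": m["ts"],
            "when": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"),
            "rising": m["dir"] == "RISING",
            "group": m["group"],
            "util": int(util[1]) if util else None,
            "level": limit[1] if limit else "unknown"}


def episodes(lines):
    """Pair RISING/FALLING messages per group. An episode opens on the first
    RISING, tracks which thresholds are currently exceeded, and closes when
    the last of them falls; episodes without a FALLING yet are returned with
    end and seconds set to None (still ongoing)."""
    open_eps, done = {}, []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ep = open_eps.get(ev["group"])
        if ev["rising"]:
            if ep is None:
                ep = open_eps[ev["group"]] = {
                    "group": ev["group"], "start": ev["ts"], "_when": ev["when"],
                    "levels": set(), "peak_util": 0, "highest_level": None}
            ep["levels"].add(ev["level"])
            ep["peak_util"] = max(ep["peak_util"], ev["util"] or 0)
            if LEVELS.get(ev["level"], 0) > LEVELS.get(ep["highest_level"], 0):
                ep["highest_level"] = ev["level"]
        elif ep is not None:
            ep["levels"].discard(ev["level"])
            if not ep["levels"]:              # last exceeded threshold cleared
                ep["end"] = ev["ts"]
                ep["seconds"] = (ev["when"] - ep.pop("_when")).total_seconds()
                done.append(open_eps.pop(ev["group"]))
    for ep in open_eps.values():              # still high when the log ends
        ep.pop("_when")
        ep["end"], ep["seconds"] = None, None
        done.append(ep)
    return done


def sustained(lines, min_seconds):
    """Episodes lasting at least `min_seconds`, ongoing ones included."""
    return [e for e in episodes(lines)
            if e["seconds"] is None or e["seconds"] >= min_seconds]


if __name__ == "__main__":
    for e in episodes(SAMPLE_LOG):
        print(e["group"], e["start"], "->", e["end"], e["seconds"], "s",
              "peak", e["peak_util"], "%", e["highest_level"])
    print("sustained:", [e["start"] for e in sustained(SAMPLE_LOG, 60)])
```

Feeding this the router's syslog stream gives the SOC a per-group episode list rather than raw threshold crossings; the `seconds` value is what a login-abuse rule should key on, since a brute-force run keeps the SSH processes busy for minutes while a single legitimate session does not.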
EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
Real-World Example: A Network "Top" (slide 69)
• Use onePK to build a live process monitor similar to UNIX top.
• The same app can connect to multiple devices to display the top processes across the entire network.
Capturing Packets – EPC
Problem: Sometimes a Packet Capture would be useful for Troubleshooting, BUT deploying Packet Sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP-format data and/or analyze on the device.
3. Associate capture point to buffer:
Router# monitor capture point associate …
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running – and can you afford to power-cycle after OIR just for POST to run? (slide 81)
Generic Online Diagnostics (GOLD) – 1/3 (slide 82)
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify functionality of a mis-behaving module.
Complementary to POST:
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
On-Demand (from CLI)
Scheduled Testing (from CLI)
Test Types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Good Practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
      B/* - Bypass bootup test / Not applicable
      P/* - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
      S/* - Only applicable to standby unit / Not applicable
6. Upload your own Examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
(slide 111)
Questions and answers (slide 113)
We will also answer in the "Ptali jste se" (You Asked) session in hall LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com
Please rate this presentation (slide 114)
Thank you for your attention (slide 115)
Receive Remote Information (slide 28)
Problem: Sometimes we want to receive remote information on a Router/Switch and be able to react to it locally – for example a notification from a UPS System.
Solution: Use Network Automation based on Cisco IOS Embedded Event Manager, leveraging the EEM SNMP Notification Event Detector.
Router/Switch can receive SNMP Notifications
Execute (trigger) an EEM Policy to take local action
Policy can query varbind info
Supports Incoming or Outgoing Notifications (Outgoing only for locally generated Notifications)
Scenario: an Uninterruptible Power Supply sends an SNMP Trap – On Battery, 5 Min Remaining – to the EEM-enabled device.
Router(config)# event manager applet catch-a-trap
Router(config-applet)# description test snmp notification unmanaged service
Router(config-applet)# event snmp-notification oid 1.3.6.1.6.3.1.1.4.1.0 oid-val 1.3.6.1.6.3.1.1.5.3 op eq src-ip-address 105189176 direction incoming
Router(config-applet)# action 010 …
Router(config-applet)# action 020 …
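Both SNMP-notification examples in this deck (the UPS trap above and the ASA failover trigger earlier) rely on the same selection the Event Detector performs before a policy runs: the registered OID must appear as a varbind, its value must compare to `oid-val` under `op`, and the optional sender and direction filters must hold. The Python below is an added example, not code from the deck, that models that selection and runs constructed traps through it, including the cases a defender should confirm do not fire (wrong sender, different trap type, a locally generated notification). The applet names, the sender addresses and the enterprise OID used for the message-text varbind are placeholders chosen for the example.

```python
"""Model of the selection the EEM SNMP Notification Event Detector applies
before a policy fires: the registered OID must be present in the received
notification, its value must compare to oid_val under op, and the sender and
direction filters must hold. Traps below are constructed, not captured."""
import ipaddress
import operator

OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
       "ge": operator.ge, "lt": operator.lt, "le": operator.le}


def _comparable(a, b):
    """Compare as integers when both sides are integers (counters, enums),
    otherwise as strings (OIDs, message text)."""
    if str(a).lstrip("-").isdigit() and str(b).lstrip("-").isdigit():
        return int(a), int(b)
    return str(a), str(b)


class SnmpNotificationTrigger:
    def __init__(self, name, oid, oid_val, op="eq",
                 src_ip_address=None, direction="incoming"):
        self.name, self.oid, self.oid_val, self.op = name, oid, oid_val, OPS[op]
        self.src = ipaddress.ip_address(src_ip_address) if src_ip_address else None
        self.direction = direction

    def matches(self, trap):
        """True when this applet would be triggered by `trap`."""
        if trap["direction"] != self.direction:
            return False
        if self.src is not None and ipaddress.ip_address(trap["src"]) != self.src:
            return False
        if self.oid not in trap["varbinds"]:
            return False
        return self.op(*_comparable(trap["varbinds"][self.oid], self.oid_val))


# The slide's applet: an incoming linkDown (1.3.6.1.6.3.1.1.5.3) carried in
# snmpTrapOID.0 (1.3.6.1.6.3.1.1.4.1.0) from one specific sender (placeholder).
CATCH_A_TRAP = SnmpNotificationTrigger(
    "catch-a-trap", oid="1.3.6.1.6.3.1.1.4.1.0", oid_val="1.3.6.1.6.3.1.1.5.3",
    op="eq", src_ip_address="10.0.0.5")

# The failover example's pattern: fire on any non-zero value of a message
# varbind. The OID is a placeholder (reserved enterprise 0), not a MIB object.
ANY_MESSAGE = SnmpNotificationTrigger(
    "asa-failover", oid="1.3.6.1.4.1.0.1", oid_val="0", op="ne")

LINKDOWN = {"1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.6.3.1.1.5.3"}
COLDSTART = {"1.3.6.1.6.3.1.1.4.1.0": "1.3.6.1.6.3.1.1.5.1"}
SAMPLE_TRAPS = [   # constructed
    {"id": 1, "src": "10.0.0.5", "direction": "incoming", "varbinds": LINKDOWN},
    {"id": 2, "src": "10.0.0.6", "direction": "incoming", "varbinds": LINKDOWN},   # other sender
    {"id": 3, "src": "10.0.0.5", "direction": "incoming", "varbinds": COLDSTART},  # other trap type
    {"id": 4, "src": "10.0.0.5", "direction": "outgoing", "varbinds": LINKDOWN},   # locally generated
    {"id": 5, "src": "10.0.0.9", "direction": "incoming",
     "varbinds": {"1.3.6.1.4.1.0.1": "Switching to ACTIVE"}},
    {"id": 6, "src": "10.0.0.9", "direction": "incoming",
     "varbinds": {"1.3.6.1.4.1.0.1": "0"}},                                         # equals oid_val
]


def dispatch(triggers, traps):
    """(applet name, trap id) for every trap that would fire each applet."""
    return [(t.name, trap["id"]) for trap in traps for t in triggers if t.matches(trap)]


if __name__ == "__main__":
    print(dispatch([CATCH_A_TRAP, ANY_MESSAGE], SAMPLE_TRAPS))
```

The `src_ip_address` filter is the part worth keeping in a real applet: without it, any host that can reach the device's SNMP listener with a matching trap would drive the local action.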
Format and Share Information
Real-World Example: Format and Share Remote Information (slide 31)
Problem: How to actively gather and share information from a router and from a few devices behind the router – across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, Event Management Software, Reporting, Provisioning and CRM Systems.
Solution 2: Use Cisco IOS Network Automation to collect and post the information.
Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy:
namespace import ::http::*
2. Collect the information required.
3. Build a query for the http POST operation:
set my_query [::http::formatQuery status $my_info]
4. POST the information to a website:
set my_reply [::http::geturl $my_server_url -query $my_query]
Traffic Flows – Flexible NetFlow and EEM
Flexible NetFlow (FNF) – Recap (slide 34)
Traffic:
• Top N talkers
• MAC, interface, VLAN
• 80+ Key Fields
• 14 Non-Key fields
Flow Monitor 1 – Traffic Analysis Cache
Key Fields (Packet 1): Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP (6), TOS Byte 0, Input Interface Ethernet 0
Non-Key Fields: Packets, Bytes, Timestamps, Next Hop Address
Source IP | Dest IP | Source Port | Dest Port | Protocol | TOS | Input IF | … | Pkts
3.3.3.3   | 2.2.2.2 | 23          | 22078     | 6        | 0   | E0       | … | 1100
Flow Monitor 2 – Security Analysis Cache
Key Fields (Packet 1): Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0
Non-Key Fields: Packets, Timestamps
Source IP | Dest IP | Input IF | Flag | … | Pkts
3.3.3.3   | 2.2.2.2 | E0       | 0    | … | 11000
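The recap's point is that the same packets land in different cache entries depending on which fields a monitor treats as keys: the traffic-analysis monitor keys on the full 7-tuple and sees one 1,100-packet session, the security-analysis monitor keys on source, destination, input interface and SYN flag and so folds every session between the two hosts into one 11,000-packet entry. The Python below is an added example (not code from the deck) that models such a cache and feeds constructed packets to both monitors; it also shows why the SYN flag is a useful key for the security cache, since a burst of half-open connection attempts collapses into a single countable entry. The packet mix, class names and the threshold in `syn_only_talkers` are assumptions made for the example.

```python
"""Model of a Flexible NetFlow cache: packets are aggregated into flow entries
by the monitor's key fields; non-key fields (packets, bytes, timestamps) are
accumulated per entry. Two monitors over the same packets show how the key
field choice decides which questions the cache can answer."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # 6 = TCP
    tos: int
    input_if: str
    syn: int        # TCP SYN flag, 0 or 1
    length: int     # bytes
    ts: float       # seconds


class FlowMonitor:
    """Aggregates packets keyed on the named Packet attributes."""

    def __init__(self, name, key_fields):
        self.name = name
        self.key_fields = tuple(key_fields)
        self.cache = {}   # key tuple -> non-key counters

    def observe(self, pkt):
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.cache.get(key)
        if entry is None:
            entry = self.cache[key] = {"packets": 0, "bytes": 0,
                                       "first": pkt.ts, "last": pkt.ts}
        entry["packets"] += 1
        entry["bytes"] += pkt.length
        entry["last"] = pkt.ts

    def rows(self):
        """Cache as (key-field dict, counters) pairs, like a show command."""
        return [(dict(zip(self.key_fields, k)), v) for k, v in self.cache.items()]


def build_sample_packets():
    """Constructed traffic: ten 1,100-packet TCP sessions from 3.3.3.3:23 to
    2.2.2.2 on ten client ports, then 500 SYN-only packets from 3.3.3.3 to
    500 different ports on 2.2.2.2 (a scan-like burst)."""
    pkts, t = [], 0.0
    for client_port in range(22078, 22088):
        for _ in range(1100):
            pkts.append(Packet("3.3.3.3", "2.2.2.2", 23, client_port, 6, 0, "E0", 0, 100, t))
            t += 0.001
    for dst_port in range(1, 501):
        pkts.append(Packet("3.3.3.3", "2.2.2.2", 40000, dst_port, 6, 0, "E0", 1, 60, t))
        t += 0.001
    return pkts


def run_monitors(pkts=None):
    """Feed the packets to both recap monitors and return them."""
    pkts = build_sample_packets() if pkts is None else pkts
    traffic = FlowMonitor("traffic-analysis",
                          ("src_ip", "dst_ip", "src_port", "dst_port",
                           "proto", "tos", "input_if"))
    security = FlowMonitor("security-analysis",
                           ("src_ip", "dst_ip", "input_if", "syn"))
    for p in pkts:
        traffic.observe(p)
        security.observe(p)
    return traffic, security


def syn_only_talkers(security, threshold):
    """Sources whose SYN-flagged entry holds more than `threshold` packets:
    with the SYN flag as a key field, a burst of half-open attempts collapses
    into one countable entry instead of one entry per destination port."""
    hits = {}
    for key, counters in security.rows():
        if key["syn"] == 1 and counters["packets"] > threshold:
            hits[key["src_ip"]] = hits.get(key["src_ip"], 0) + counters["packets"]
    return hits


if __name__ == "__main__":
    traffic, security = run_monitors()
    print(len(traffic.cache), "entries in the traffic-analysis cache")
    print(len(security.cache), "entries in the security-analysis cache")
    print("SYN-only talkers:", syn_only_talkers(security, 100))
```

The cache sizes are the practical lesson: the 7-tuple monitor needs one entry per scanned port (510 entries here), while the security monitor answers "how many SYN-only packets did 3.3.3.3 send" from a two-entry cache, which is what keeps a flow-based detection affordable on the device.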
Flexible NetFlow (FNF) – Key Fields – 1/2 (For Your Reference, slide 36)
IPv4: IP (Source or Destination), Payload Size, Prefix (Source or Destination), Packet Section (Header), Mask (Source or Destination), Packet Section (Payload), Minimum-Mask (Source or Destination), TTL, Protocol, Options bitmap, Fragmentation Flags, Version, Fragmentation Offset, Precedence, Identification, DSCP, Header Length, TOS, Total Length
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
IPv6: IP (Source or Destination), Payload Size, Prefix (Source or Destination), Packet Section (Header), Mask (Source or Destination), Packet Section (Payload), Minimum-Mask (Source or Destination), DSCP, Protocol, Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Format and Share Information
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Problem How to actively gather and share information from a router and from a few devices behind the router ndash across organizational and technical borders
Solution 1 Initiate a project to make use of SNMP Syslog Event Management Software Reporting Provisioning and CRM Systems
Solution 2 Use Cisco IOS Network Automation to collect and post the information
namespace import http
Using Cisco IOS Embedded Event Manager and Tcl
1 Import the http package into EEM policy
2 Collect the information required
set my_query [httpformatQuery status $my_info]
3 Build a query for the http POST operation
set my_reply [httpgeturl $my_server_url -query $my_query]
4 POST the information to a website
Real-World
Example Format and Share Remote Information
31
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Traffic Flows ndash Flexible Netflow and EEM
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Key Fields Packet 1
Source IP 3333
Destination IP 2222
Source Port 23
Destination Port 22078
Layer 3 Protocol TCP - 6
TOS Byte 0
Input Interface Ethernet 0
Source IP
Dest IP
Source Port
Dest Port
Protocol TOS Input IF
hellip Pkts
3333 2222 23 22078 6 0 E0 hellip 1100
Traffic Analysis Cache
Flow Monitor
1
Source IP Dest IP Input IF Flag hellip Pkts
3333 2222 E0 0 hellip 11000
Security Analysis Cache
Non-Key Fields
Packets
Bytes
Timestamps
Next Hop Address
Flow Monitor
2
Key Fields Packet 1
Source IP 3333
Dest IP 2222
Input Interface Ethernet 0
SYN Flag 0
Non-Key Fields
Packets
Timestamps
Flexible NetFlow (FNF) ndash Recap
34
Traffic
bull Top N talkers
bull MAC interface VLAN
bull 80+ Key Fields
bull 14 Non-Key fields
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
IPv4
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
TTL
Protocol Options bitmap
Fragmentation Flags
Version
Fragmentation Offset
Precedence
Identification DSCP
Header Length TOS
Total Length
Interface
Input
Output
Flow
Sampler ID
Direction
Source MAC address
Destination MAC address
Dot1q VLAN
Source VLAN
Layer 2
IPv6
IP (Source or Destination)
Payload Size
Prefix (Source or Destination)
Packet Section (Header)
Mask (Source or Destination)
Packet Section (Payload)
Minimum-Mask (Source or Destination)
DSCP
Protocol Extension Headers
Traffic Class Hop-Limit
Flow Label Length
Option Header Next-header
Header Length Version
Payload Length
Dest VLAN
Dot1q priority
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 12
36
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Multicast
Replication Factor
RPF Check Drop
Is-Multicast
Input VRF Name
BGP Next Hop
IGP Next Hop
src or dest AS
Peer AS
Traffic Index
Forwarding Status
Routing Transport
Destination Port TCP Flag ACK
Source Port TCP Flag CWR
ICMP Code TCP Flag ECE
ICMP Type TCP Flag FIN
IGMP Type TCP Flag PSH
TCP ACK Number TCP Flag RST
TCP Header Length TCP Flag SYN
TCP Sequence Number TCP Flag URG
TCP Window-Size UDP Message Length
TCP Source Port UDP Source Port
TCP Destination Port UDP Destination Port
TCP Urgent Pointer
Application
Application ID
IPv4 Flow only
For Your Reference
Flexible NetFlow (FNF) ndash Key Fields ndash 22
37
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Where do I want my data sent
What data do I want to meter
How do I want to cache Information
On which Interface do I want to monitor
Router(config) flow exporter my-exporter
Router(config-flow-exporter) destination 1111
1 Configure the Exporter
Router(config) flow record my-record
Router(config-flow-record) match ipv4 destination address
Router(config-flow-record) match ipv4 source address
Router(config-flow-record) collect counter bytes
2 Configure the Flow Record
3 Configure the Flow Monitor
4 Apply to an Interface
Router(config) flow monitor my-monitor
Router(config-flow-monitor) exporter my-exporter
Router(config-flow-monitor) record my-record
Router(config) interface s30
Router(config-if) ip flow monitor my-monitor input
For Your Reference
Flexible NetFlow (FNF) ndash Configuration
38
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show flow monitor ltmonitorgt cache aggregate ipv4 source address sort highest counter bytes top 10
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you would rather know about while the system is up and running – and can you afford to power-cycle after OIR just for POST to run?
Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and answers
We will also answer them in the "You asked" session in hall LEO, 17:45 – 18:30.
E-mail: connect-cz@cisco.com
Please rate this presentation.
Thank you for your attention.
Real-World Example: Format and Share Remote Information
Problem: How to actively gather and share information from a router and from a few devices behind the router – across organizational and technical borders?
Solution 1: Initiate a project to make use of SNMP, Syslog, Event Management Software, Reporting, Provisioning and CRM systems.
Solution 2: Use Cisco IOS Network Automation to collect and post the information.
Using Cisco IOS Embedded Event Manager and Tcl:
1. Import the http package into the EEM policy:
   namespace import ::http::*
2. Collect the information required (here held in $my_info).
3. Build a query for the http POST operation:
   set my_query [::http::formatQuery status $my_info]
4. POST the information to a website:
   set my_reply [::http::geturl $my_server_url -query $my_query]
Traffic Flows – Flexible NetFlow and EEM
Flexible NetFlow (FNF) – Recap
Traffic:
• Top N talkers
• MAC, interface, VLAN
• 80+ Key Fields
• 14 Non-Key fields
Flow Monitor 1 – Traffic Analysis Cache
  Key Fields (Packet 1): Source IP 3.3.3.3, Destination IP 2.2.2.2, Source Port 23, Destination Port 22078, Layer 3 Protocol TCP - 6, TOS Byte 0, Input Interface Ethernet 0
  Non-Key Fields: Packets, Bytes, Timestamps, Next Hop Address
  Cache entry:
    Source IP  Dest IP  Source Port  Dest Port  Protocol  TOS  Input IF  …  Pkts
    3.3.3.3    2.2.2.2  23           22078      6         0    E0        …  1100
Flow Monitor 2 – Security Analysis Cache
  Key Fields (Packet 1): Source IP 3.3.3.3, Dest IP 2.2.2.2, Input Interface Ethernet 0, SYN Flag 0
  Non-Key Fields: Packets, Timestamps
  Cache entry:
    Source IP  Dest IP  Input IF  Flag  …  Pkts
    3.3.3.3    2.2.2.2  E0        0     …  11000
Flexible NetFlow (FNF) – Key Fields – 1/2 (For Your Reference)
IPv4: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), TTL, Protocol, Options bitmap, Fragmentation Flags, Fragmentation Offset, Version, Precedence, Identification, DSCP, Header Length, TOS, Total Length
Interface: Input, Output
Flow: Sampler ID, Direction
Layer 2: Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
IPv6: IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination), Payload Size, Packet Section (Header), Packet Section (Payload), DSCP, Protocol, Extension Headers, Traffic Class, Hop-Limit, Flow Label, Length, Option Header, Next-header, Header Length, Version, Payload Length
Flexible NetFlow (FNF) – Key Fields – 2/2 (For Your Reference)
Multicast: Replication Factor, RPF Check Drop, Is-Multicast
Routing: Input VRF Name, BGP Next Hop, IGP Next Hop, src or dest AS, Peer AS, Traffic Index, Forwarding Status
Transport: Destination Port, Source Port, ICMP Code, ICMP Type, IGMP Type, TCP ACK Number, TCP Header Length, TCP Sequence Number, TCP Window-Size, TCP Source Port, TCP Destination Port, TCP Urgent Pointer, TCP Flags (ACK, CWR, ECE, FIN, PSH, RST, SYN, URG), UDP Message Length, UDP Source Port, UDP Destination Port
Application: Application ID (IPv4 flow only)
Flexible NetFlow (FNF) – Configuration (For Your Reference)
Where do I want my data sent? (1. Configure the Exporter)
What data do I want to meter? (2. Configure the Flow Record)
How do I want to cache information? (3. Configure the Flow Monitor)
On which interface do I want to monitor? (4. Apply to an Interface)
1. Configure the Exporter:
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record:
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor:
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface:
Router(config)# interface s3/0
Router(config-if)# ip flow monitor my-monitor input
Real-World Example: Flexible NetFlow and EEM – Low TTL
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
 action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Dec  2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
3. Syslog message and/or use the show flow monitor <my-monitor> cache command.
- Top (unexpected) talkers with low-TTL traffic
- Deviation from normal
- Senders with many low-TTL flows
- Take actions (block suspicious senders)
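The key/non-key distinction from the FNF recap above and the low-TTL use case on this slide, as an added Python model that is not from the Cisco deck: a flow cache whose record decides what counts as one flow, fed constructed packets, with a TTL-keyed record used to list senders with many low-TTL flows. The packet fields, monitor names and sample traffic are assumptions made for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The fields a flow record may match on or collect (constructed subset)."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    iface: str
    syn: int
    ttl: int
    length: int


class FlowMonitor:
    """One flow monitor: a record (its key fields) plus the cache it fills.

    Packets that agree on every key field land in the same cache entry;
    the non-key counters (packets, bytes) are only accumulated."""

    def __init__(self, name, key_fields):
        self.name = name
        self.key_fields = tuple(key_fields)
        self.cache = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def ingest(self, pkt):
        key = tuple(getattr(pkt, f) for f in self.key_fields)
        entry = self.cache[key]
        entry["packets"] += 1
        entry["bytes"] += pkt.length

    def top(self, counter="packets", n=10):
        """Like 'show flow monitor <m> cache sort highest counter <c> top <n>'."""
        return sorted(self.cache.items(),
                      key=lambda kv: kv[1][counter], reverse=True)[:n]


def aggregate(monitor, by, counter="bytes"):
    """Like 'cache aggregate ipv4 source address sort highest counter bytes':
    fold all entries that share one key field and rank them."""
    idx = monitor.key_fields.index(by)
    totals = Counter()
    for key, entry in monitor.cache.items():
        totals[key[idx]] += entry[counter]
    return totals.most_common()


def low_ttl_senders(monitor, max_ttl=5, min_flows=1):
    """Senders with at least min_flows cache entries whose TTL key is <= max_ttl,
    the 'senders with many low-TTL flows' view from the deck's use case."""
    si, ti = monitor.key_fields.index("src"), monitor.key_fields.index("ttl")
    flows = Counter(key[si] for key in monitor.cache if key[ti] <= max_ttl)
    return {src: n for src, n in flows.items() if n >= min_flows}


# Key fields of the deck's two example records, plus a TTL-keyed record (ours).
TRAFFIC_KEYS = ("src", "dst", "sport", "dport", "proto", "tos", "iface")
SECURITY_KEYS = ("src", "dst", "iface", "syn")
TTL_KEYS = ("src", "dst", "ttl")


def constructed_packets():
    """Constructed sample traffic: the deck's Packet 1 (3.3.3.3 -> 2.2.2.2) plus
    nine more packets to other destination ports, and one host sending
    TTL-2 packets to three servers (low-TTL traffic)."""
    pkts = [Packet("3.3.3.3", "2.2.2.2", 23, 22078 + i, 6, 0, "E0", 0, 64, 100)
            for i in range(10)]
    for host in ("10.10.10.100", "10.10.10.200", "10.10.10.201"):
        pkts.append(Packet("192.168.2.248", host, 40000, 22, 6, 0, "E0", 1, 2, 60))
    return pkts


def run_demo():
    """Feed the same packets to three monitors and return them for inspection."""
    monitors = {
        "traffic": FlowMonitor("traffic-analysis", TRAFFIC_KEYS),
        "security": FlowMonitor("security-analysis", SECURITY_KEYS),
        "ttl": FlowMonitor("my-ttl-monitor", TTL_KEYS),
    }
    for pkt in constructed_packets():
        for mon in monitors.values():
            mon.ingest(pkt)
    return monitors


if __name__ == "__main__":
    mons = run_demo()
    for mon in mons.values():
        print(f"{mon.name}: {len(mon.cache)} flows")
        for key, entry in mon.top("packets", 3):
            print("  ", dict(zip(mon.key_fields, key)), entry)
    print("top senders by bytes:", aggregate(mons["traffic"], "src"))
    print("low-TTL senders:", low_ttl_senders(mons["ttl"], max_ttl=5, min_flows=2))
```

The traffic-analysis record splits the ten packets into ten flows (one per destination port) while the security-analysis record, which does not key on ports, folds them into a single entry, which is the same effect the two caches on the recap slide show.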
Dynamic SLAs – Using IP SLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public
Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
Upon state change (flowchart):
Did the IP SLA operation time out or succeed?
  timeout -> Tracked object is down -> Execute down commands -> Is down-syslog set? Yes: Send down syslog / No: done
  succeed -> Tracked object is up -> Execute up commands -> Is up-syslog set? Yes: Send up syslog / No: done
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force a full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: Use the EEM SNMP Event Detector.
::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 oid_val 0 op ne
On the active cluster switches:
  If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
    For each ASA-facing interface: shut
1 – ASA active
2 – shut ASA intf
2 – shut ASA intf
Embedded Automation Systems (EASy)
Custom HA EASy Package provides:
• Primary/Backup Link Failover
• Based on IP SLA Metric
• Open Source Tutorial/Framework
To use the Package:
1. Browse and download the EASy Package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. Tags will be appended to Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
Verify Resource Utilization – using ERM
Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels.
Syslog if group CPU usage count rises above 10% at an interval of 10 s:
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
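The rising/falling thresholds in the ERM policy above, as an added Python model that is not from the Cisco deck: it replays constructed CPU samples for my-login-group through the minor and major levels and emits the same RISING/FALLING message shapes as the syslog lines shown. How the interval and the hysteresis behave is an assumption of this model, not something the slide states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One ERM threshold level, e.g. 'minor rising 10 interval 10 falling 5 interval 10'."""
    name: str       # "minor" or "major"
    rising: int     # percent: alarm raised when utilization goes above this
    falling: int    # percent: alarm cleared when utilization drops below this
    interval: int   # seconds between evaluations of this level


class ResourceGroupPolicy:
    """Turns CPU samples for one resource group into RISING / FALLING events.

    Assumptions of this model (not taken from the deck): a level is evaluated
    at most once per interval; between the rising and falling thresholds the
    alarm state is kept (hysteresis), so noise around the limit does not flap."""

    def __init__(self, group, levels):
        self.group = group
        self.levels = list(levels)
        self.active = {lvl.name: False for lvl in self.levels}
        self.last_eval = {lvl.name: None for lvl in self.levels}
        self.events = []  # (timestamp, syslog severity, level name, message)

    def observe(self, ts, util):
        """Feed one sample: group CPU utilization 'util' (percent) at time ts (s)."""
        fired = []
        for lvl in self.levels:
            last = self.last_eval[lvl.name]
            if last is not None and ts - last < lvl.interval:
                continue  # this level is not due for evaluation yet
            self.last_eval[lvl.name] = ts
            if not self.active[lvl.name] and util > lvl.rising:
                self.active[lvl.name] = True
                msg = (f"%SYS-4-CPURESRISING: Resource group {self.group} is seeing "
                       f"local cpu util {util}% at process level more than the "
                       f"configured {lvl.name} limit {lvl.rising}%")
                fired.append((ts, 4, lvl.name, msg))
            elif self.active[lvl.name] and util < lvl.falling:
                self.active[lvl.name] = False
                msg = (f"%SYS-6-CPURESFALLING: Resource group {self.group} is no longer "
                       f"seeing local high cpu at process level for the configured "
                       f"{lvl.name} limit {lvl.rising}%, current value {util}%")
                fired.append((ts, 6, lvl.name, msg))
        self.events.extend(fired)
        return fired


# Constructed samples (seconds, group CPU %) modelling a burst of SSH login
# attempts against the deck's my-login-group: ramp up, spike, then fade out.
CONSTRUCTED_SAMPLES = [(0, 2), (10, 16), (15, 40), (20, 25), (30, 12), (40, 7), (50, 0)]


def run_demo():
    """Apply the deck's minor/major thresholds to the constructed samples."""
    policy = ResourceGroupPolicy("my-login-group", [
        Level("minor", rising=10, falling=5, interval=10),
        Level("major", rising=20, falling=10, interval=10),
    ])
    for ts, util in CONSTRUCTED_SAMPLES:
        policy.observe(ts, util)
    return policy


if __name__ == "__main__":
    for ts, _sev, _lvl, msg in run_demo().events:
        print(f"t={ts:3d}s  {msg}")
```

The 40% sample at t=15 s is never evaluated because both levels were checked at t=10 s and run on a 10 s interval, which is why the major alarm only appears at t=20 s and why a short spike between evaluations goes unreported.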
EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%:
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
Real-World Example: A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top.
• The same app can connect to multiple devices to display the top processes across the entire network.
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
action 10 syslog msg ldquoLow-TTL flow from $_nf_source_address
Dec 2 173931221 HA_EM-6-LOG my-ttl-applet Low-TTL flow from 1921682248
3 Syslog message andor use show flow monitor ltmy-monitorgt cache command
-Top (unexpected) Talkers with low-TTL traffic - Deviation from Normal - Senders with many low-TTL flows - Take Actions (block suspicious senders)
Real-World
Example Flexible NetFlow and EEM ndash Low TTL
40
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection – GOLD
Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation, without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running – and can you afford to power-cycle after OIR just for POST to run?
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand testing (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
      B/* - Bypass bootup test / Not applicable
      P/* - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
      S/* - Only applicable to standby unit / Not applicable
Real-World Example: Flexible NetFlow and EEM – Low TTL
 action 10 syslog msg "Low-TTL flow from $_nf_source_address"
Dec  2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
3. Syslog message and/or use the show flow monitor <my-monitor> cache command:
– Top (unexpected) talkers with low-TTL traffic
– Deviation from normal
– Senders with many low-TTL flows
– Take actions (block suspicious senders)
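The analysis step the slide lists (top talkers, deviation from normal, senders with many low-TTL flows), as an added Python example that is not part of the original deck: it runs offline over already-exported flow records. The record tuples, the baseline history and the LOW_TTL and MIN_FLOWS thresholds are constructed assumptions.

```python
"""Low-TTL sender analysis over exported flow records.

Added example, not code from the original deck: it does offline what the slide
describes for the NetFlow cache / EEM syslog step, namely find the top talkers
with low-TTL traffic and the senders whose low-TTL flow count deviates from
their own normal. The records, the baseline and the thresholds are constructed.
"""
from collections import Counter
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int]  # (source, destination, ip_ttl, packets)

LOW_TTL = 5      # assumed: a TTL at or below this counts as "low" (traceroute-like probing)
MIN_FLOWS = 3    # assumed: fewer low-TTL flows than this are never flagged

# Constructed sample of one flow-cache interval
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.2.248", "10.10.10.100", 1, 3),
    ("192.168.2.248", "10.10.10.100", 2, 3),
    ("192.168.2.248", "10.10.10.100", 3, 3),
    ("192.168.2.248", "10.10.10.200", 1, 3),
    ("192.168.2.248", "10.10.10.200", 2, 3),
    ("192.168.2.10", "10.10.10.100", 64, 120),   # ordinary client traffic
    ("192.168.2.10", "10.10.10.200", 128, 80),
    ("192.168.2.20", "10.10.10.100", 4, 1),      # a single low-TTL probe
    ("192.168.2.20", "10.10.10.100", 63, 50),
]

# Constructed baseline: low-TTL flow counts seen per sender in earlier intervals
BASELINE: Dict[str, List[int]] = {
    "192.168.2.248": [0, 0, 1, 0],   # normally quiet
    "192.168.2.20": [1, 1, 0, 1],    # a periodic probe is normal for this host
}


def low_ttl_flows(flows: List[Flow], low_ttl: int = LOW_TTL) -> Counter:
    """Number of low-TTL flows per source address."""
    counts: Counter = Counter()
    for src, _dst, ttl, _packets in flows:
        if ttl <= low_ttl:
            counts[src] += 1
    return counts


def top_talkers(flows: List[Flow], n: int = 3, low_ttl: int = LOW_TTL) -> List[Tuple[str, int]]:
    """The n senders with the most low-TTL flows, highest first."""
    return low_ttl_flows(flows, low_ttl).most_common(n)


def suspicious_senders(flows: List[Flow], baseline: Dict[str, List[int]],
                       k: float = 3.0, min_flows: int = MIN_FLOWS,
                       low_ttl: int = LOW_TTL) -> List[Tuple[str, int]]:
    """Senders whose low-TTL flow count exceeds mean + k*stddev of their own
    baseline (or who have no baseline at all), provided they sent at least
    min_flows low-TTL flows. Returned as (sender, count), highest count first."""
    flagged = []
    for src, count in low_ttl_flows(flows, low_ttl).items():
        if count < min_flows:
            continue
        history = baseline.get(src)
        if history:
            limit = mean(history) + k * pstdev(history)
            if count <= limit:
                continue          # within this sender's normal range
        flagged.append((src, count))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("deviating from normal:", suspicious_senders(SAMPLE_FLOWS, BASELINE))
```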
Dynamic SLAs – Using IPSLA and EEM
© 2013 Cisco and/or its affiliates. All rights reserved. BRKNMS-2465 Cisco Public
Dynamic SLAs and Custom High Availability
Problem: Define – Monitor – Alert was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.
[Flowchart: upon state change]
  Did the IP SLA operation time out?
    timeout → Tracked object is down → Execute down commands → Is down-syslog set? Yes → Send down syslog; No → done
    succeed → Tracked object is up → Execute up commands → Is up-syslog set? Yes → Send up syslog; No → done
Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
Real-World Example: Custom Failover Scenarios
Problem: Upon a standby ASA deciding to become active, we want to force full cluster failover by shutting down all ASA-facing interfaces on the other cluster's switch.
Solution: use the EEM SNMP Event Detector.
On active cluster switches:
  ::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.9.9.41.1.2.3.1.5.0 oid_val 0 op ne
  If we are in HSRP 'Active' state && the sender is a secondary ASA going to active:
    For each ASA-facing interface: shut
[Figure: 1 – ASA active; 2 – shut ASA intf]
Embedded Automation Systems (EASy)
Custom HA EASy Package provides:
• Primary/Backup Link Failover
• Based on IP SLA Metric
• Open Source Tutorial/Framework
To use the Package:
1. Browse and download the EASy Package: www.cisco.com/go/easy
ACL Syslog Correlation
Problem: ACL hits can produce a Syslog message – but often in the NOC or SOC we want to know which specific line of an ACL (i.e. ACE – Access Control Entry) was kicking in.
1. Define tags for your ACEs:
ip access-list extended access-control
 permit ip any host 10.10.10.100 log red-server
 permit ip any host 10.10.10.200 log blue-server
 permit ip any any
2. Tags will be appended to Syslog messages:
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted
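A NOC/SOC-side consumer of the tagged messages, as an added example that is neither Cisco's nor the deck's code: it parses IPACCESSLOG* lines, keys hits by the ACE tag and shows which sources matched a given tag. The part of the message after "permitted" and the sample lines are constructed for this example; check the exact wording of your platform's messages before relying on the regular expression.

```python
"""Correlate tagged ACL syslog messages back to the ACE that matched.

Added example, not from the original deck. The message layout after the
action word and the SAMPLE_SYSLOG lines are constructed; the regular
expression is written to tolerate both the port-less (ICMP) and the
port-carrying (TCP/UDP) variants and an optional '(type/code)' field.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample, in the style of the slide's (truncated) message
SAMPLE_SYSLOG = """\
Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.168.2.248 -> 10.10.10.100 (8/0), 1 packet [red-server]
Apr 13 16:31:19.120: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 192.168.2.248(41234) -> 10.10.10.200(22), 1 packet [blue-server]
Apr 13 16:31:25.001: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 192.168.2.10(51000) -> 10.10.10.100(443), 12 packets [red-server]
Apr 13 16:31:30.400: %SEC-6-IPACCESSLOGP: list access-control denied tcp 192.168.2.248(41300) -> 10.10.10.250(23), 1 packet
Apr 13 16:31:31.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?"
    r"(?: \(\d+/\d+\))?, (?P<packets>\d+) packets?"
    r"(?: \[(?P<tag>[^\]]+)\])?"      # the ACE tag, present only for tagged ACEs
)


def parse_acl_logs(text: str) -> List[Dict]:
    """One dict per IPACCESSLOG* message; lines of other message types are skipped."""
    events = []
    for line in text.splitlines():
        match = ACL_LOG_RE.search(line)
        if not match:
            continue
        event = match.groupdict()
        event["packets"] = int(event["packets"])
        events.append(event)
    return events


def hits_per_tag(events: List[Dict]) -> Counter:
    """Packets per ACE tag; hits on ACEs without a tag are grouped under '(untagged)'."""
    counts: Counter = Counter()
    for event in events:
        counts[event["tag"] or "(untagged)"] += event["packets"]
    return counts


def sources_per_tag(events: List[Dict], tag: str) -> Counter:
    """Which sources matched a given tagged ACE and how many messages each produced."""
    return Counter(event["src"] for event in events if event["tag"] == tag)


if __name__ == "__main__":
    parsed = parse_acl_logs(SAMPLE_SYSLOG)
    print("packets per ACE tag:", dict(hits_per_tag(parsed)))
    print("sources hitting red-server:", dict(sources_per_tag(parsed, "red-server")))
```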
Real-World Example: Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels – syslog if the group CPU usage count rises above 10% at an interval of 10 s.
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
Verify Resource Utilization – using ERM, EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
!
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"
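A model of how the rising/falling thresholds of the my-login-policy on the previous slide and the critmem policy above behave over time, as an added example that is not Cisco code: it replays sample readings through both policies and shows the hysteresis between a RISING and the matching FALLING notification. The interval semantics (consecutive seconds above or below the threshold) and the sample series are assumptions.

```python
"""Replay of Embedded Resource Manager (ERM) threshold notifications.

Added example, not Cisco code. Assumed semantics: a level raises RISING once
samples stay above its rising threshold for `interval` consecutive seconds and
raises FALLING once they stay below its falling threshold for that level's
falling interval; samples are assumed one second apart. The sample series is
constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[int, str, str, int]   # (second, level name, "RISING"/"FALLING", value)


@dataclass
class Level:
    """One line of an ERM policy, e.g. 'major rising 20 interval 10 falling 10 interval 10'."""
    name: str
    rising: int
    rising_interval: int
    falling: Optional[int] = None   # None: no falling threshold configured (critmem)
    falling_interval: int = 1
    active: bool = False            # True between RISING and the matching FALLING
    above: int = 0                  # consecutive samples above `rising`
    below: int = 0                  # consecutive samples below `falling`


class ErmPolicy:
    """All levels of one policy, applied to one resource group."""

    def __init__(self, group: str, levels: List[Level]):
        self.group = group
        self.levels = levels

    def feed(self, value: int) -> List[Tuple[str, str, int]]:
        """Process one sample; return the (level, state, value) notifications it triggers."""
        events = []
        for lv in self.levels:
            if not lv.active:
                lv.above = lv.above + 1 if value > lv.rising else 0
                if lv.above >= lv.rising_interval:
                    lv.active, lv.above = True, 0
                    events.append((lv.name, "RISING", value))     # -> %SYS-4-...RESRISING
            elif lv.falling is not None:
                lv.below = lv.below + 1 if value < lv.falling else 0
                if lv.below >= lv.falling_interval:
                    lv.active, lv.below = False, 0
                    events.append((lv.name, "FALLING", value))    # -> %SYS-6-...RESFALLING
        return events


def replay(policy: ErmPolicy, samples: List[int]) -> List[Event]:
    """Feed per-second samples and collect every notification with its timestamp."""
    out: List[Event] = []
    for t, value in enumerate(samples):
        out.extend((t, *ev) for ev in policy.feed(value))
    return out


def login_policy() -> ErmPolicy:
    """my-login-policy from the slide: CPU thresholds for the SSH process group."""
    return ErmPolicy("my-login-group", [
        Level("major", rising=20, rising_interval=10, falling=10, falling_interval=10),
        Level("minor", rising=10, rising_interval=10, falling=5, falling_interval=10),
    ])


def critmem_policy() -> ErmPolicy:
    """critmem from the memory slide: 'critical rising 80 interval 5', no falling line."""
    return ErmPolicy("global", [Level("critical", rising=80, rising_interval=5)])


# Constructed: a burst of login attempts takes the SSH processes to 16% and then
# 25% CPU, after which the load tails off (compare the 16% / 10% values in the
# CPURESRISING and CPURESFALLING messages on the slide).
LOGIN_CPU_SAMPLES = [16] * 10 + [25] * 10 + [12] * 3 + [0] * 10

if __name__ == "__main__":
    for t, level, state, value in replay(login_policy(), LOGIN_CPU_SAMPLES):
        print(f"t={t:02d}s my-login-group {level} {state} (current value {value}%)")
    for t, level, state, value in replay(critmem_policy(), [90, 90, 70, 90, 90, 90, 90, 90]):
        print(f"t={t:02d}s critmem {level} {state} (current value {value}%)")
```

A burst shorter than the interval produces no notification at all, which is the point of the interval: one busy second is not a brute-force attempt.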
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and answers
We will also answer questions in the "Ptali jste se" session in hall LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com
Please rate this session
Thank you for your attention
Dynamic SLAs ndash Using IPSLA and EEM
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Problem Define ndash Monitor ndash Alert was yesterday Todayrsquos SLAs often require
preventive mitigating or optimizing actions to happen automatically
Dynamic SLAs and Custom High Availability
Did
IP SLA
Operation
timeout
Tracked object is down
Execute down commands
Send down syslog
Is
down-syslog
set
Yes
No
succeed
done
Tracked object is up
Execute up commands
Send up syslog
Is
up-syslog
set
Yes
No
Upon State Change
Solution I Use configurable point features where available Solution II Use EEM with a generic Event Detector Solution III Use EEM with a specific Event Detector Solution IV Use onePK to program for external dynamic metrics andor algorhytms
42
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
On active cluster switches
If we are in HSRP sbquoActivelsquo state ampamp sender is a secondary ASA going to active
For each ASA-facing interface shut
ciscoeemevent_register_snmp_notification oid 1361419941123150 oid_val 0 op ne
1 ndash ASA active
2 ndash shut ASA intf
2 ndash shut ASA intf
Problem Upon a standby ASA deciding to become active we want to force full cluster failover by shutting down all ASA-facing interfaces on the other clusterrsquos switch
Solution use EEM SNMP Event Detector
Real-World
Example Example Custom Failover Scenarios
48
copy 2013 Cisco andor its affiliates All rights reserved BRKNMS-2465 Cisco Public
Embedded Automation Systems (EASy)
Custom HA EASy Package provides
bull PrimaryBackup Link Failover
bull Based on IP SLA Metric
bull Open Source TutorialFramework
To use the Package
1 Browse and Download EASy Package wwwciscocomgoeasy
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
Verify Resource Utilization – using ERM

Real-World Example: Monitoring Multiple Processes

Problem: To detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.

Solution: Define an ERM (Embedded Resource Manager) policy that notifies at critical or suspicious levels: send a syslog if the group's CPU usage rises above 10% over a 10-second interval.

resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy

Resulting syslog messages:

Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% current value 0%
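Both the ACL Syslog Correlation tags and the ERM CPURESRISING/CPURESFALLING messages above only become useful once something on the collector side parses them. The following is an added example, not code from the slides or from Cisco: a small correlator that turns the tagged ACL messages into per-ACE packet counts and tracks which ERM thresholds are currently exceeded per resource group. The log lines are constructed after the slide's messages; the exact trailing placement of the ACE tag in the %SEC-6-IPACCESSLOG* text is assumed.

```python
"""Added example (not from the slides): correlate IOS syslog output from
ACL Syslog Correlation tags and from ERM CPU resource groups.
The log lines are constructed; the tag-at-end-of-message layout is assumed."""
import re
from collections import Counter, defaultdict

# "%SEC-6-IPACCESSLOGDP: list <acl> permitted icmp <src> -> <dst> (8/0), N packet(s) <tag>"
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+).*?\b(?P<count>\d+) packets?"
    r"(?:\s+(?P<tag>[\w.-]+))?\s*$"
)
# "%SYS-4-CPURESRISING: Resource group <g> ... configured minor limit 10%"
ERM_RE = re.compile(
    r"%SYS-\d-CPURES(?P<direction>RISING|FALLING): Resource group (?P<group>\S+) .*?"
    r"(?P<level>minor|major|critical) limit (?P<limit>\d+)%"
)
LEVEL_RANK = {"minor": 1, "major": 2, "critical": 3}

SAMPLE_LOG = [  # constructed, modelled on the slide's messages
    "Apr 13 16:31:18.958: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.0.2.10 -> 10.10.10.100 (8/0), 1 packet red-server",
    "Apr 13 16:31:25.112: %SEC-6-IPACCESSLOGP: list access-control permitted tcp 192.0.2.10(51022) -> 10.10.10.200(443), 1 packet blue-server",
    "Apr 13 16:36:30.004: %SEC-6-IPACCESSLOGDP: list access-control permitted icmp 192.0.2.10 -> 10.10.10.100 (8/0), 37 packets red-server",
    "Apr 13 16:36:31.500: %SEC-6-IPACCESSLOGP: list vty-access denied tcp 198.51.100.7(40000) -> 10.0.0.1(22), 5 packets",
    "Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%",
    "Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10% current value 0%",
    "Aug 25 13:02:10.000: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 23% at process level more than the configured minor limit 10%",
    "Aug 25 13:02:10.001: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 23% at process level more than the configured major limit 20%",
]


def parse_acl(line):
    """Return the fields of an ACL logging message, or None if the line is not one."""
    m = ACL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    return d


def parse_erm(line):
    """Return the fields of an ERM CPU rising/falling message, or None."""
    m = ERM_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["limit"] = int(d["limit"])
    return d


def correlate(lines):
    """Aggregate packets per (ACL, tag, action) and track which ERM thresholds
    are currently exceeded per resource group (RISING adds a level, FALLING clears it)."""
    packets_by_tag = Counter()
    untagged = 0
    exceeded = defaultdict(set)  # group -> levels currently above threshold
    for line in lines:
        acl = parse_acl(line)
        if acl:
            if acl["tag"]:
                packets_by_tag[(acl["acl"], acl["tag"], acl["action"])] += acl["count"]
            else:
                untagged += acl["count"]  # ACE without a tag: only the ACL name is known
            continue
        erm = parse_erm(line)
        if erm:
            if erm["direction"] == "RISING":
                exceeded[erm["group"]].add(erm["level"])
            else:
                exceeded[erm["group"]].discard(erm["level"])
    active_alerts = {g: max(lv, key=LEVEL_RANK.get) for g, lv in exceeded.items() if lv}
    return {"packets_by_tag": packets_by_tag, "untagged": untagged, "active_alerts": active_alerts}


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for (acl, tag, action), n in result["packets_by_tag"].most_common():
        print(f"{acl:>16} {tag:<12} {action:<9} {n:>5} packets")
    print("untagged packets:", result["untagged"])
    print("ERM groups above threshold:", result["active_alerts"])
```

The untagged bucket is deliberate: a catch-all ACE or an ACL without tags still logs, but the message then identifies only the list, which is exactly the ambiguity the tags remove.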
EEM and onePK
Managed Network Use Case – Monitor Memory Usage

• Problem: What if we need to investigate further, dynamically, when a resource symptom appears?
• Solution: Use the integration of EEM and ERM to trigger an EEM event when processor memory utilization exceeds 80%.

resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
!
event manager applet totmemcheck
 event resource policy critmem
 action 1.0 mail server "<server>" to "<to>" from "<from>" subject "Warning: proc memory spike"

The EEM mail action speaks plain, unencrypted SMTP to the configured server, so keep that path inside the management network.
Real-World Example: A Network "Top"

• Use onePK to build a live process monitor similar to UNIX top.
• The same application can connect to multiple devices to display the top processes across the entire network.
Capturing Packets – EPC

Problem: Sometimes a packet capture would be useful for troubleshooting, but deploying packet sniffers is slow, expensive, and requires local skills and equipment.

Solution: Use IOS Embedded Packet Capture (EPC) to capture data in PCAP format and/or analyze it on the device.

See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T; platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx.

3. Associate the capture point with the buffer:
Router# monitor capture point associate …

The capture buffer holds full packet payloads, so treat the buffer and any export of it as sensitive data, and narrow what is captured with an access-list filter on the buffer rather than capturing everything on the interface.
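Once the buffer has been exported (the classic EPC CLI does this with monitor capture buffer <name> export <url>), the result is an ordinary libpcap file. The following is an added example, not code from the slides or a Cisco tool: a standard-library-only reader for that format that decodes Ethernet/IPv4/TCP, summarizes flows, and flags bare-SYN port probing, the kind of quick triage you can do on the exported file before reaching for a full analyzer. The capture is constructed in memory so the example runs offline; the SYN-scan heuristic is illustrative and not an EPC feature.

```python
"""Added example (not from the slides): a minimal libpcap reader for files
exported by EPC, plus a flow summary and a bare-SYN probing heuristic.
The capture is constructed in memory so the example runs offline."""
import socket
import struct
from collections import Counter, defaultdict

ETH_IPV4 = b"\x08\x00"
TCP_SYN, TCP_ACK = 0x02, 0x10


def _ipv4_header(src, dst, proto, payload_len):
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (0, not verified here), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def _tcp_header(sport, dport, flags):
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def tcp_frame(src, dst, sport, dport, flags=TCP_SYN):
    """Ethernet/IPv4/TCP frame without payload (constructed test traffic)."""
    tcp = _tcp_header(sport, dport, flags)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETH_IPV4
    return eth + _ipv4_header(src, dst, 6, len(tcp)) + tcp


def build_pcap(frames, start_ts=1365863478):
    """Wrap Ethernet frames in a little-endian libpcap file (link type 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Decode Ethernet/IPv4 and the L4 ports; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
           "proto": frame[23], "sport": None, "dport": None, "flags": None}
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:  # TCP or UDP
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        if pkt["proto"] == 6 and len(l4) >= 14:
            pkt["flags"] = l4[13]  # TCP flag byte
    return pkt


def parse_pcap(data):
    """Return decoded packets from libpcap bytes, handling both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng/nanosecond formats not handled)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        pkt = decode_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            pkts.append(pkt)
    return pkts


def flows(pkts):
    """Packet count per unidirectional 5-tuple."""
    return Counter((p["src"], p["sport"], p["dst"], p["dport"], p["proto"]) for p in pkts)


def syn_scanners(pkts, min_ports=3):
    """Source/destination pairs whose bare SYNs touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for p in pkts:
        if p["proto"] == 6 and p["flags"] == TCP_SYN:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return {pair: sorted(v) for pair, v in ports.items() if len(v) >= min_ports}


SAMPLE_PCAP = build_pcap([  # constructed capture: one probing host, one normal handshake
    tcp_frame("192.0.2.10", "10.10.10.100", 40001, 22),
    tcp_frame("192.0.2.10", "10.10.10.100", 40002, 80),
    tcp_frame("192.0.2.10", "10.10.10.100", 40003, 443),
    tcp_frame("198.51.100.7", "10.10.10.200", 51022, 443),
    tcp_frame("10.10.10.200", "198.51.100.7", 443, 51022, TCP_SYN | TCP_ACK),
    tcp_frame("198.51.100.7", "10.10.10.200", 51022, 443, TCP_ACK),
])

if __name__ == "__main__":
    packets = parse_pcap(SAMPLE_PCAP)
    for five_tuple, n in flows(packets).items():
        print(five_tuple, n)
    print("SYN scan candidates:", syn_scanners(packets))
```

To run it against a real export, replace SAMPLE_PCAP with the file's bytes; the reader deliberately refuses pcapng and nanosecond-timestamp files rather than silently mis-parsing them.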
Early Detection – GOLD

POST (Power-On Self-Test) is great, but some errors you would rather learn about while the system is up and running, and you cannot always afford to power-cycle after an OIR just to make POST run.

Generic Online Diagnostics (GOLD) – 1/3

Problem: How do you detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can damage connectors. This can cause failures; how do you find out during operation, without power-cycling the box?

Solution: Use GOLD to verify the functionality of a misbehaving module.

• Bootup diagnostics (upon bootup and OIR)
• Periodic health monitoring (during operation)
• On-demand testing (from the CLI)
• Scheduled testing (from the CLI)

Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests

Complementary to POST. Good practice: schedule all non-disruptive tests periodically; disruptive tests take the port or module out of service while they run, so reserve them for maintenance windows.

Available from CatOS 8.5(1), IOS 12.2(14)SX; platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
      B/* - Bypass bootup test / Not applicable
      P/* - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
      S/* - Only applicable to standby unit / Not applicable
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and Answers

We will also answer in the "You asked" session in room LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com

Please rate this presentation.

Thank you for your attention.
Dynamic SLAs and Custom High Availability

Problem: "Define – Monitor – Alert" was yesterday. Today's SLAs often require preventive, mitigating or optimizing actions to happen automatically.

Upon a state change of the tracked object:
– If the IP SLA operation timed out, the tracked object is down: execute the "down" commands and, if down-syslog is set, send the down syslog.
– If the IP SLA operation succeeded, the tracked object is up: execute the "up" commands and, if up-syslog is set, send the up syslog.

Solution I: Use configurable point features where available.
Solution II: Use EEM with a generic Event Detector.
Solution III: Use EEM with a specific Event Detector.
Solution IV: Use onePK to program for external dynamic metrics and/or algorithms.
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
Verify Resource Utilization – using ERM
Monitoring Multiple Processes (Real-World Example)
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical/suspicious levels – Syslog if the group's CPU usage rises above 10% over an interval of 10 s.
resource policy
 ! the policy header lines are not on the slide; reconstructed from the user-group definition below
 policy my-login-policy type iosprocess
  system
   cpu process
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
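To make the rising/falling/interval semantics concrete, here is an added Python model that is neither Cisco code nor from the slides: it replays a constructed per-second CPU series for the SSH process group through the two levels of my-login-policy and emits events shaped like the CPURESRISING/CPURESFALLING messages above. The model assumes simplified ERM semantics (a level raises once utilization has stayed above the rising threshold for the rising interval, and clears once it has stayed below the falling threshold for the falling interval); the oscillating samples around 10% show why the falling threshold is set lower than the rising one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    name: str
    rising: int            # utilisation (%) that must be exceeded to raise
    rising_interval: int   # consecutive seconds above 'rising' before raising (assumed semantics)
    falling: int           # utilisation (%) it must drop below to clear
    falling_interval: int  # consecutive seconds below 'falling' before clearing (assumed semantics)

# The two levels shown in my-login-policy on the slide.
POLICY = [
    Level("major", rising=20, rising_interval=10, falling=10, falling_interval=10),
    Level("minor", rising=10, rising_interval=10, falling=5, falling_interval=10),
]
LIMITS = {lv.name: lv.rising for lv in POLICY}

def evaluate(samples, levels=POLICY):
    """Walk a per-second CPU series and return (t, kind, level, util) events.

    Simplified model of ERM (an assumption of this example): a level is raised
    once utilisation has stayed above 'rising' for 'rising_interval'
    consecutive samples and cleared once it has stayed below 'falling' for
    'falling_interval' consecutive samples. Because falling < rising, a value
    oscillating between the two thresholds does not flap the alarm.
    """
    events = []
    state = {lv.name: {"active": False, "run": 0} for lv in levels}
    for t, util in enumerate(samples):
        for lv in levels:
            s = state[lv.name]
            if not s["active"]:
                s["run"] = s["run"] + 1 if util > lv.rising else 0
                if s["run"] >= lv.rising_interval:
                    s["active"], s["run"] = True, 0
                    events.append((t, "RISING", lv.name, util))
            else:
                s["run"] = s["run"] + 1 if util < lv.falling else 0
                if s["run"] >= lv.falling_interval:
                    s["active"], s["run"] = False, 0
                    events.append((t, "FALLING", lv.name, util))
    return events

def format_event(t, kind, level, util, group="my-login-group", limits=LIMITS):
    """Render an event in the shape of the %SYS-4-CPURESRISING / %SYS-6-CPURESFALLING messages."""
    if kind == "RISING":
        return (f"t={t:03d}s %SYS-4-CPURESRISING: Resource group {group} is seeing local cpu util "
                f"{util}% at process level more than the configured {level} limit {limits[level]}%")
    return (f"t={t:03d}s %SYS-6-CPURESFALLING: Resource group {group} is no longer seeing local high "
            f"cpu at process level for the configured {level} limit {limits[level]}%, current value {util}%")

# Constructed one-sample-per-second series (not a real capture): idle, an SSH
# brute-force burst that briefly oscillates around the minor threshold, a
# heavier burst, then idle again.
BURST = [2] * 5 + [16] * 12 + [8, 12, 8, 12] + [25] * 12 + [0] * 12

if __name__ == "__main__":
    for ev in evaluate(BURST):
        print(format_event(*ev))
```

Running it prints a minor RISING at t=14 s, a major RISING at t=30 s and both FALLING at t=42 s; the four samples that bounce between 8% and 12% raise nothing extra, which is exactly the hysteresis the falling threshold buys you.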
EEM and onePK
Managed Network Use Case – Monitor Memory Usage
• Problem: What if we need to dynamically investigate further upon a resource symptom?
• Solution: Use the integration of EEM + ERM to trigger an EEM event when processor memory is greater than 80%.
resource policy
 policy critmem global
  system
   memory processor
    critical rising 80 interval 5
 user global critmem
!
event manager applet totmemcheck
 event resource policy critmem
 action 100 mail server "<server>" to "<to>" from "<from>" subject "Warning proc memory spike"
A Network "Top" (Real-World Example)
• Use onePK to build a live process monitor similar to UNIX top.
• The same app can connect to multiple devices to display the top processes across the entire network.
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture to capture PCAP-format data and/or analyze it on the device.
3. Associate capture point to buffer:
Router# monitor capture point associate …
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx
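Once an EPC buffer has been exported as a .pcap file, you usually want a quick look before opening Wireshark. The Python below is an added example, not Cisco code and not from the slides: it parses the classic pcap container and the Ethernet/IPv4/TCP/UDP headers with nothing but the standard library, then summarises flows and the services being hit. The capture it reads is constructed in memory (a short SSH connection burst and one DNS query) so the block runs offline; the MAC addresses, IP addresses and timestamps are invented.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes when the file is big-endian
LINKTYPE_ETHERNET = 1

def build_pcap(packets):
    """Assemble a classic little-endian pcap file in memory (constructed test data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", ts, 0, len(p), len(p)) + p for ts, p in packets)
    return hdr + body

def ipv4_packet(src, dst, proto, payload):
    """Ethernet + minimal IPv4 header; checksums are zero since we only parse offline."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload

def tcp(sport, dport, flags=0x02):          # SYN by default
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def iter_records(pcap):
    """Yield (ts_sec, frame_bytes) for every record, honouring the file's byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    link, = struct.unpack_from(end + "I", pcap, 20)
    if link != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {link}")
    off = 24
    while off + 16 <= len(pcap):
        ts, _, incl, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield ts, pcap[off:off + incl]
        off += incl

def decode(frame):
    """Return (src, sport, dst, dport, proto_name), or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        return src, sport, dst, dport, "tcp" if proto == 6 else "udp"
    return src, None, dst, None, str(proto)

def conversations(pcap):
    """Packets per (proto, src, sport, dst, dport) 5-tuple."""
    c = Counter()
    for _, frame in iter_records(pcap):
        d = decode(frame)
        if d:
            c[(d[4], d[0], d[1], d[2], d[3])] += 1
    return c

def services(pcap):
    """Packets per (proto, dst, dport): a quick 'what is being hit' view."""
    c = Counter()
    for _, frame in iter_records(pcap):
        d = decode(frame)
        if d and d[1] is not None:
            c[(d[4], d[2], d[3])] += 1
    return c

# Constructed capture: three SYNs from one host to SSH on the server, then one DNS query.
SAMPLE_PCAP = build_pcap([
    (1365870678, ipv4_packet("192.0.2.7", "10.10.10.100", 6, tcp(51234, 22))),
    (1365870678, ipv4_packet("192.0.2.7", "10.10.10.100", 6, tcp(51235, 22))),
    (1365870679, ipv4_packet("192.0.2.7", "10.10.10.100", 6, tcp(51236, 22))),
    (1365870679, ipv4_packet("10.10.10.100", "10.10.10.53", 17, udp(40000, 53, b"\x12\x34"))),
])

if __name__ == "__main__":
    for svc, n in services(SAMPLE_PCAP).most_common():
        print(n, svc)
```

The same `iter_records`/`decode` pair works on a real EPC export read with `open(path, "rb").read()`; only the sample data above is synthetic.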
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you would rather know about while the system is up and running – and can you afford to power-cycle after OIR just for POST to run?
Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging, as well as repeated insertion and removal of modules, can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
 – Packet switching tests
 – Memory tests
 – Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C - Minimal level test / Complete level test / Not applicable
    B   - Bypass bootup test / Not applicable
    P   - Per port test / Not applicable
    D/N - Disruptive test / Non-disruptive test / Not applicable
    S   - Only applicable to standby unit / Not applicable
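The attribute legend above is what you need in order to decide which tests are safe to schedule. The Python below, an added example rather than Cisco code, parses a constructed `show diagnostic content` excerpt whose attribute column follows the legend order on the slide (M/C, B, P, D/N, S), separates the non-disruptive tests that can run periodically from the disruptive ones that need a maintenance window, and builds the scheduling commands. The sample rows and the exact column layout are constructed (real platforms print additional attribute flags), and the `diagnostic schedule module <slot> test <id> daily hh:mm` form is assumed from Catalyst 6500 IOS and should be checked on your platform.

```python
import re

# Constructed "show diagnostic content" excerpt (not real device output).
# The attribute column follows the legend order on the slide: M/C, B, P, D/N, S.
# Real platforms print more attribute columns; widen ROW_RE accordingly.
SAMPLE_OUTPUT = """\
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable

  ID   Test Name                   Attributes
  ==== =========================== ==========
    1) TestScratchRegister ------> M*PN*
    2) TestFabricSnake ----------> C*PN*
    3) TestLoopback -------------> M*PD*
    4) TestStandbyMemory --------> C**NS
"""

ROW_RE = re.compile(r"^\s*(\d+)\)\s+(\S+)\s*-+>\s*([MCBPDNS*]{5})\s*$", re.M)

def parse_tests(text):
    """Turn each test row into a dict keyed on the legend's attribute flags."""
    tests = []
    for tid, name, attrs in ROW_RE.findall(text):
        tests.append({
            "id": int(tid),
            "name": name,
            "bootup": {"M": "minimal", "C": "complete"}.get(attrs[0]),
            "bypass_bootup": attrs[1] == "B",
            "per_port": attrs[2] == "P",
            "disruptive": attrs[3] == "D",
            "standby_only": attrs[4] == "S",
        })
    return tests

def schedulable(tests):
    """IDs that can run periodically on the active unit without impacting traffic."""
    return [t["id"] for t in tests if not t["disruptive"] and not t["standby_only"]]

def disruptive(tests):
    """IDs that need a maintenance window (or a redundant module) before they run."""
    return [t["id"] for t in tests if t["disruptive"]]

def schedule_commands(module, ids, at="02:00"):
    """One 'diagnostic schedule' line per non-disruptive test.

    The 'diagnostic schedule module <slot> test <id> daily hh:mm' form is
    assumed from Catalyst 6500 IOS; verify the exact syntax on your platform.
    """
    return [f"diagnostic schedule module {module} test {tid} daily {at}" for tid in ids]

if __name__ == "__main__":
    tests = parse_tests(SAMPLE_OUTPUT)
    print("disruptive, needs a window:", disruptive(tests))
    for line in schedule_commands(3, schedulable(tests)):
        print(line)
```

Feed it the real output of your platform after adjusting the row pattern, and the generated lines give you a nightly non-disruptive run while the disruptive IDs stay out of the schedule until you have a change window.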
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and answers
We will also answer questions in the "You asked" session in hall LEO, 17:45 – 18:30
e-mail: connect-cz@cisco.com
Please rate this presentation.
Thank you for your attention.
ACL Syslog Correlation
1 Define Tags for your ACEs
ip access-list extended access-control
permit ip any host 101010100 log red-server
permit ip any host 101010200 log blue-server
permit ip any any
Problem ACL hits can produce a Syslog message ndash but often in the NOC or SOC we want to know which specific line of an ACL (ie ACE ndash Access Control Entry) was kicking-in
2 Tags will be appended to Syslog Messages
Apr 13 163118958 SEC-6-IPACCESSLOGDP list access-control permitted
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
major rising 20 interval 10 falling 10 interval 10
minor rising 10 interval 10 falling 5 interval 10
user group my-login-group type iosprocess
instance SSH Process
instance SSH Event handlerldquo
policy my-login-policy
Aug 25 125626089 SYS-4-CPURESRISING Resource group my-login-group is seeing local cpu util 16 at process level more than the configured minor limit 10
Aug 25 125641089 SYS-6-CPURESFALLING Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10 current value 0
Monitoring Multiple Processes
Problem In order to detect resource consumption caused by brute force login
attempts we want to keep an eye on CPU utilization by the login processes
Solution Define an ERM policy to notify upon critical suspicious levels
Syslog if Group CPU Usage Count Rises Above 10 at an Interval of 10s
Real-World
Example
66
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
A Network "Top"
• Use onePK to build a live process monitor similar to UNIX top.
• The same app can connect to multiple devices to display the top processes across the entire network.
Real-World Example
Capturing Packets – EPC
Problem: Sometimes a packet capture would be useful for troubleshooting, BUT deploying packet sniffers is slow, expensive and requires local skills and equipment.
Solution: Make use of IOS Embedded Packet Capture (EPC) to capture data in PCAP format and/or analyze it on the device.
3. Associate the capture point to the buffer:
Router# monitor capture point associate ...
See http://www.cisco.com/go/epc. Available from IOS 12.4(20)T. Platforms: 8xx, 18xx, 28xx, 38xx ISRs, ISR G2s, 72xx.
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you prefer to know about while the system is up and running, and can you afford to power-cycle after OIR just for POST to run?
Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand (from CLI)
• Scheduled Testing (from CLI)
Test types include:
– Packet switching tests
– Memory tests
– Error correlation tests
Complementary to POST.
Good practice: schedule all non-disruptive tests periodically.
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.
Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
      B/* - Bypass bootup test / Not applicable
      P/* - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
      S/* - Only applicable to standby unit / Not applicable
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and answers
We will also answer questions in the "Ptali jste se" ("You asked") session in the LEO hall, 17:45 – 18:30
e-mail: connect-cz@cisco.com
Please rate this presentation
Thank you for your attention
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Verify Resource Utilization ndash using ERM
EEM and onePK
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Managed Network Use Case ndash Monitor Memory Usage
bull Problem What if we need to dynamically investigate further upon a resource symptom
bull Solution Use the integration of EEM + ERM to trigger an EEM event when processor
memory is greater than 80
resource policy
policy critmem global
system
memory processor
critical rising 80 interval 5
user global critmem
event manager applet totmemcheck
event resource policy critmem
action 100 mail server ldquoltservergtrdquo to ldquolttogtrdquo from ldquoltfromgtrdquo subject ldquoWarning proc
memory spikerdquo
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
A Network ldquoToprdquo
bull Use onePK to build a live process
monitor similar to UNIX top
bull The same app can connect to
multiple devices to display the top
processes across the entire network
Real-World Example
69
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection ndash GOLD
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
POST (Power-On Self-Test) is great but some errors you prefer to know while the system is up and running and can you afford to power-cycle after OIR just for POST to run
81
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Bootup Diagnostics (upon bootup and OIR)
Periodic Health Monitoring (during operation)
OnDemand (from CLI)
Scheduled Testing (from CLI)
Test Types include
ndash Packet switching tests
ndash Memory Tests
ndash Error Correlation Tests
Complementary to POST
Good Practice schedule all non-disruptive tests
periodically
Available from CatOS 85(1) IOS 122(14)SX Platforms CBS 3xxx Cat 3560 3750 6500 ME6524 72xx 10k CRS
Problem How to detect wear and tear issues before they cause an outage Hardware aging as well as repeated insertion and removal of modules can lead to wear and tear damage on connectors This can cause failures ndash how do you find out during operation without power-cycling the box
Solution Use GOLD to verify functionality of a mis-behaving module
Generic Online Diagnostics (GOLD) ndash 13
82
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Router show diagnostic content module 3
Module 3
Diagnostics test suite attributes
MC - Minimal level test Complete level test Not applicable
B - Bypass bootup test Not applicable
P - Per port test Not applicable
DN - Disruptive test Non-disruptive test Not applicable
S - Only applicable to standby unit Not applicable
6 Upload your own Examples to CiscoBeyond wwwciscocomgociscobeyond
7 Engage via ask-easyciscocom
111
copy 2011 Cisco andor its affiliates All rights reserved 113 Cisco Connect 113 copy 2013 Cisco andor its affiliates All rights reserved
Otaacutezky a odpovědi
Zodpoviacuteme teacutež v ldquoPtali jste serdquo v saacutele LEO v 1745 ndash 1830
e-mail connect-czciscocom
copy 2011 Cisco andor its affiliates All rights reserved 114 Cisco Connect 114 copy 2013 Cisco andor its affiliates All rights reserved
Prosiacuteme ohodnoťte tuto přednaacutešku
copy 2013 Cisco andor its affiliates All rights reserved Cisco Connect 115
Děkujeme za pozornost
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Capturing Packets ndash EPC
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
3 Associate capture point to buffer
Router monitor capture point associate hellip
Problem Sometimes a Packet Capture would be useful for Troubleshooting BUT deploying Packet Sniffers is slow expensive and requires local skills and equipment
See httpwwwciscocomgoepc Available from IOS 124(20)T Platforms 8xx 18xx 28xx 38xx ISRs ISR G2s 72xx
Solution Make use of IOS Embedded Packet Capture to capture PCAP format data andor analyze on the device
copy 2013 Cisco andor its affiliates All rights reserved Cisco Public
Early Detection – GOLD
POST (Power-On Self-Test) is great, but some errors you would prefer to know about while the system is up and running, and can you afford to power-cycle after OIR just for POST to run?
Generic Online Diagnostics (GOLD) – 1/3
Problem: How to detect wear-and-tear issues before they cause an outage? Hardware aging as well as repeated insertion and removal of modules can lead to wear-and-tear damage on connectors. This can cause failures – how do you find out during operation without power-cycling the box?
Solution: Use GOLD to verify the functionality of a misbehaving module.
• Bootup Diagnostics (upon bootup and OIR)
• Periodic Health Monitoring (during operation)
• On-Demand (from CLI)
• Scheduled Testing (from CLI)
• Test types include:
  – Packet switching tests
  – Memory tests
  – Error correlation tests
• Complementary to POST
• Good practice: schedule all non-disruptive tests periodically
Available from CatOS 8.5(1), IOS 12.2(14)SX. Platforms: CBS 3xxx, Cat 3560, 3750, 6500, ME6524, 72xx, 10k, CRS.

Router# show diagnostic content module 3
Module 3:
  Diagnostics test suite attributes:
    M/C/* - Minimal level test / Complete level test / Not applicable
    B/*   - Bypass bootup test / Not applicable
    P/*   - Per port test / Not applicable
    D/N/* - Disruptive test / Non-disruptive test / Not applicable
    S/*   - Only applicable to standby unit / Not applicable
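As an added example (not part of the deck), the CLI sequence below puts the slide's good practice into place on a Catalyst 6500: read the test list and its D/N attribute, run the non-disruptive tests on demand, schedule the same set nightly, and keep one test in continuous health monitoring. Slot 3, test ID 2, the 02:30 schedule, the 30-second interval and the failure threshold of 5 are assumed values; take the real test IDs and their attributes from the show diagnostic content output before scheduling anything.

```cisco
! Added example, not from the deck. Assumed: module in slot 3, test ID 2,
! nightly run at 02:30, 30-second monitoring interval, failure threshold 5.
!
! 1. List the tests the card supports; the D/N column tells you which ones
!    can run while the card carries traffic.
Switch# show diagnostic content module 3
!
! 2. Run every non-disruptive test once, on demand, and read the per-test verdict.
Switch# diagnostic start module 3 test non-disruptive
Switch# show diagnostic result module 3 detail
!
! 3. Schedule the same set to run every night (the slide's good practice).
Switch(config)# diagnostic schedule module 3 test non-disruptive daily 02:30
!
! 4. Put one test into health monitoring: run it every 30 seconds during
!    operation and raise an event after 5 consecutive failures.
Switch(config)# diagnostic monitor module 3 test 2
Switch(config)# diagnostic monitor interval module 3 test 2 00:00:30 0 1
Switch(config)# diagnostic monitor threshold module 3 test 2 failure count 5
!
! 5. Verify what is scheduled and what health monitoring has seen so far.
Switch# show diagnostic schedule module 3
Switch# show diagnostic events module 3
```

Only tests flagged N in the D/N column belong in a periodic schedule; a D (disruptive) test takes the port or module out of service while it runs, so it is a maintenance-window job. Failures appear in show diagnostic result and as DIAG syslog messages, which is the early signal the slide is after: a degrading connector shows up as a failing test before it shows up as an outage.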
6. Upload your own examples to CiscoBeyond: www.cisco.com/go/ciscobeyond
7. Engage via ask-easy@cisco.com
Questions and answers
We will also answer questions in the “You asked” session in hall LEO, 17:45 – 18:30.
e-mail: connect-cz@cisco.com