Switches: Cisco Catalyst 6500 Series Switches

Considerations When Using EEM on Devices That Require TACACS+ Authorization

January 18, 2012 - Original Document

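Contents

Hardware Platform
Software Version
Case Overview
Troubleshooting Steps
Related Commands
Related Error Messages
Other Related Documents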

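Hardware Platform

Routers and multilayer switches

Software Version

All IOS releases that support EEM

Case Overview

In day-to-day maintenance, the information collected at the moment a fault occurs is critical for troubleshooting, but it often cannot be captured in time, so many customers use EEM to collect information when the fault happens. For information-security reasons, however, many devices are configured with TACACS+ authorization. On such devices, event manager session cli username <username> is indispensable when configuring EEM.

Troubleshooting Steps

The following uses a Cat65 (R1) as an example to describe what to watch for when EEM is used together with TACACS+ authorization:

Part of R1's configuration is as follows: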

aaa new-model
!
!
aaa authentication login RONCHENG group tacacs+ local
aaa authentication enable default group RONCHENG enable none
aaa authorization commands 0 RONCHENG group tacacs+ local
aaa authorization commands 1 RONCHENG group tacacs+ local
aaa authorization commands 15 RONCHENG group tacacs+ local
aaa accounting exec RONCHENG start-stop group tacacs+
aaa accounting commands 0 RONCHENG start-stop group tacacs+
aaa accounting commands 1 RONCHENG start-stop group tacacs+
aaa accounting commands 15 RONCHENG start-stop group tacacs+
!
!
!
aaa session-id common
 
line con 0
 exec-timeout 0 0
 logging synchronous
 
line aux 0
 
line vty 0 4
 authorization commands 0 RONCHENG
 authorization commands 1 RONCHENG
 authorization commands 15 RONCHENG
 accounting commands 0 RONCHENG
 accounting commands 1 RONCHENG
 accounting commands 15 RONCHENG
 logging synchronous
 login authentication RONCHENG
 transport input all
line vty 5 100
 transport input all
!
End

For maintenance purposes, the following EEM configuration needs to be added on R1:

track 52 ip route 1.1.1.1 255.255.255.255 reachability
 
event manager applet test
 event track 52 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int loo 100"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"
!
 

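The task for EEM is: as soon as the static route tracked by track 52 becomes unreachable, shut down loopback100.

All of the following steps are performed on R1 to test whether the EEM applet executes as intended.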

Step 1:

R1#debug event manager  action cli
Debug EEM action cli debugging is on
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#no ip route 1.1.1.1 255.255.255.255 7.7.7.7
<<<--- Remove the static route tracked by track 52 to trigger the EEM applet.
R1(config)#
*Nov 29 07:11:26.191: %TRACKING-5-STATE: 52 ip route 1.1.1.1/32 reachability Up->Down
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>enable
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>conf t
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :            ^
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>int loo 100
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :          ^
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
R1(config)#
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>shut
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>end
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
R1(config)#
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.

The debug output above shows that authorization failed for the commands the EEM applet needed to execute.

Step 2:

R1(config)#event manager session cli username "roncheng"
<<<--- roncheng is a username that is authorized on the TACACS server.
R1(config)#ip route 1.1.1.1 255.255.255.255 7.7.7.7
R1(config)#no ip route 1.1.1.1 255.255.255.255 7.7.7.7
<<<--- Trigger the EEM applet again.
R1(config)#
*Nov 29 07:12:56.191: %TRACKING-5-STATE: 52 ip route 1.1.1.1/32 reachability Up->Down
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1>enable
*Nov 29 07:12:56.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1#
*Nov 29 07:12:56.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1#conf t
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config)#
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1(config)#int loo 100
*Nov 29 07:12:56.627: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config-if)#
*Nov 29 07:12:56.627: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1(config-if)#shut
*Nov 29 07:12:56.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config-if)#
*Nov 29 07:12:56.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : R1(config-if)#end
*Nov 29 07:12:56.639: %SYS-5-CONFIG_I: Configured from console by roncheng on vty0 (EEM:test)
R1(config)#
*Nov 29 07:12:56.651: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1#
*Nov 29 07:12:56.651: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.
R1(config)#
*Nov 29 07:12:58.627: %LINK-5-CHANGED: Interface Loopback100, changed state to administratively down
*Nov 29 07:12:59.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to down
R1(config)#end

The debug output above shows that, once triggered, the EEM applet passed TACACS+ authorization and executed successfully.
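The two debug captures above can be told apart mechanically. The following is an added example, not part of the original document: it parses "debug event manager action cli" output, pairs each command the applet sent with the device's reply, and reports whether a session failed on authorization. The function names and the shortened sample log (built from the lines shown above, with a single timestamp) are constructed for illustration.

```python
import re

# One EEM CLI debug line: applet name, direction (CTL/IN/OUT), payload.
LINE = re.compile(r"%HA_EM-6-LOG: (\S+) : DEBUG\(cli_lib\) : : (CTL|IN|OUT)\s*: ?(.*)")

def classify_sessions(log_text):
    """Return one dict per cli_open..cli_close session with [command, status] pairs."""
    sessions, current, last = [], None, None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # interleaved console prompts and other syslog messages
        applet, kind, text = m.groups()
        if kind == "CTL" and "cli_open" in text:
            current, last = {"applet": applet, "commands": []}, None
        elif current is None:
            continue
        elif kind == "CTL" and "cli_close" in text:
            sessions.append(current)
            current = None
        elif kind == "IN":
            # Drop the prompt (R1>, R1#, R1(config-if)#) in front of the command.
            last = [re.sub(r"^\S*?[>#]", "", text, count=1), "ok"]
            current["commands"].append(last)
        elif last and "Command authorization failed" in text:
            last[1] = "authz-failed"
        elif last and "Invalid input detected" in text:
            last[1] = "invalid-input"
    return sessions

def diagnose(session):
    """Root cause of a session; invalid-input after a denied 'enable' is only fallout."""
    statuses = [status for _, status in session["commands"]]
    if "authz-failed" in statuses:
        return "authorization-failed"
    return "syntax-error" if "invalid-input" in statuses else "ok"

# Constructed sample: shortened copies of the Step 1 and Step 2 captures.
P = "*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : "
SAMPLE = "\n".join(P + s for s in [
    "CTL : cli_open called.", "IN  : R1>enable", "OUT : Command authorization failed.",
    "IN  : R1>conf t", "OUT : % Invalid input detected at '^' marker.",
    "IN  : R1>shut", "OUT : Command authorization failed.", "CTL : cli_close called.",
    "CTL : cli_open called.", "IN  : R1>enable", "OUT : R1#", "IN  : R1#conf t",
    "OUT : R1(config)#", "IN  : R1(config)#int loo 100", "OUT : R1(config-if)#",
    "IN  : R1(config-if)#shut", "OUT : R1(config-if)#", "CTL : cli_close called.",
])

if __name__ == "__main__":
    print([(s["applet"], diagnose(s)) for s in classify_sessions(SAMPLE)])
```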

 

Related Commands

event manager session cli username <username>  
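A saved configuration can be checked for the combination this case describes before an applet is relied on. The following is an added example, not part of the original document: it flags applets that run CLI actions on a device where command authorization applies to the VTY lines (the Step 2 log shows the EEM session on vty0) and no event manager session cli username is configured. The function name and the sample configuration (an excerpt of R1's) are constructed, and other ways of exempting an applet from authorization are not considered.

```python
import re

def audit_eem_authorization(config_text):
    """Find EEM applets whose CLI actions will hit command authorization with no user."""
    default_authz = False   # 'aaa authorization commands N default' covers every line
    vty_authz = False       # a named method list applied under 'line vty'
    applets, session_user, section = [], None, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):        # a top-level command opens a new section
            section = None
            if re.match(r"aaa authorization commands \d+ default\b", line):
                default_authz = True
            m = re.match(r'event manager session cli username "?([^"\s]+)"?', line)
            if m:
                session_user = m.group(1)
            m = re.match(r"event manager applet (\S+)", line)
            if m:
                section = ("applet", m.group(1))
            elif line.startswith("line vty"):
                section = ("vty", line)
        elif section and section[0] == "vty" and re.match(r"\s+authorization commands \d+", line):
            vty_authz = True
        elif section and section[0] == "applet" and re.match(r"\s+action \S+ cli command", line):
            if section[1] not in applets:
                applets.append(section[1])
    enforced = default_authz or vty_authz
    at_risk = applets if enforced and session_user is None else []
    return {"authz_on_vty": enforced, "session_user": session_user, "applets_at_risk": at_risk}

# Constructed sample: an excerpt of the R1 configuration shown earlier.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 15 RONCHENG group tacacs+ local
line vty 0 4
 authorization commands 15 RONCHENG
 login authentication RONCHENG
event manager applet test
 event track 52 state down
 action 1.0 cli command "enable"
 action 4.0 cli command "shut"
"""

if __name__ == "__main__":
    print(audit_eem_authorization(SAMPLE_CONFIG))
```

Every command the applet runs is then authorized against the configured username, so the result also identifies which account's TACACS+ permissions the applets depend on.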

Related Error Messages

 

Other Related Documents

EEM command reference for the Cat6K