本檔案介紹嵌入式事件管理器(EEM)小程式,這些小程式用於效能路由(PfR)透過多個邊界中繼(BR)最佳化流量的網路。 還觀察到一些轉發環路。這些小程式用於在觀察到環路時收集資料並減輕轉發環路的影響。
本文件沒有特定需求。
本檔案中的資訊是根據支援EEM 4.0版的Cisco IOS®軟體。
若要檢查Cisco IOS版本支援的EEM版本,請使用以下命令:
Router#sh event manager version | i Embedded
Embedded Event Manager Version 4.00
Router#
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
PfR控制流量類(TC)時,會在BR上建立動態路由對映/訪問控制清單(ACL)。具有選定出口的BR上的路由對映指向選定出口,而其他BR上的路由對映指向內部介面(下一跳=選定BR)。
動態ACL在不同的BR之間不能正確同步時(例如由於錯誤)會發生問題。
在此圖中,重點是使用DSCP EF匹配目的地為172.16.1.0/24的任何IP資料包的TC。在此案例中,相關ACL專案從所選BR(BR-2)中移除,而不是從BR-1中移除。該TC的資料包在BR-2上命中,其字首條目匹配所有目的地為172.16.1.0/24的IP資料包。為該字首條目選擇的出口是Exit-1,因此BR-2上的相關路由對映/ACL指向BR-1。
現在,該TC的資料包在BR之間循環,直到生存時間(TTL)達到0。
本文檔提供了必要的EEM小程式,用於:
主控制器(MC)/BR組合使用的小程式要容易得多(當一個BR上執行MC時)。 還介紹了具有專用MC的場景。
本節介紹用於此過程的訪問清單以及Applet日誌檔案。
為了檢測轉發環路,小程式依賴ACL來匹配具有低TTL的資料包。
建議對2x連續且相對低的TTL值(20和21)使用ACE匹配,以便為BR之間循環的每個資料包獲取一個(且僅一個)命中。使用的TTL值不應太低,以避免頻繁發生traceroute資料包的命中。
interface gig0/0 (internal interface)
ip access-group LOOP in
!
ip access-list extended LOOP
permit ip 10.116.48.0 0.0.31.255 any ttl range 20 21
permit ip any any
ACL應放在show pfr master border topology 命令輸出中報告的內部介面上。
來源IP範圍(此處為10.116.48.0/20)應與內部網路相符(透過內部介面可連線的字首)。
為了確定哪個遠端站點/TC受環路影響,您可以在介面上新增第二個出站ACL,並為每個遠端站點/TC新增更特定的ACE。
interface gig0/0 (internal interface)
ip access-group LOOP-DETAIL out
!
ip access-list extended LOOP-DETAIL
permit ip 10.116.48.0 0.0.31.255 10.116.132.0 0.0.0.255 ttl range 20 21
permit ip 10.116.48.0 0.0.31.255 10.116.128.0 0.0.0.255 ttl range 20 21
.... (add here one line per remote site)
permit ip any an
目標IP與不同遠端站點中的子網匹配:
10.116.132.0/24 -> site-1
10.116.128.0/24 -> site-2
如果您需要確定受環路影響的精確TC,還可以為每個遠端站點新增幾條線路。
小程式每30秒檢查一次ACL環路中TTL上的ACE匹配項命中數。根據這些檢查的結果,小程式可能會執行以下任務:
小程式維護一個日誌檔案,用於跟蹤命中計數(當計數大於0時)、任何出現臨時循環(當超過THRESHOLD_1但不超過THRESHOLD_2時)或實際循環(當同時超過THRESHOLD_1和THRESHOLD_2時)的次數。
這些是本文檔中描述的最簡單方案。環路檢測和PfR清除在同一裝置上完成,因此無需進入裝置EEM小程式通訊。在MC/BR組合和其他BR上運行單獨的小程式。
此輸出顯示MC/BR組合上使用的applet的重要資訊。以下是此特定輸出的一些重要說明:
event manager environment THRESHOLD_1 1000
event manager environment THRESHOLD_2 500
event manager environment DISK bootflash
!
event manager applet LOOP-MON authorization bypass
event timer watchdog name LOOP time 30
action 100 cli command "enable"
action 110 cli command "show ip access-list LOOP"
action 120 set regexp_substr 0
action 130 regexp "range 20 21 \(([0-9]+) matches\)"
$_cli_result _regexp_result regexp_substr
action 140 cli command "clear ip access-list counters LOOP"
action 150 if $regexp_substr gt 0
action 200 set MATCHES $regexp_substr
action 210 file open LOGS $DISK:script-logs.txt a
action 220 cli command "enable"
action 230 cli command "show clock"
action 240 regexp "[0-9]+:[0-9]+:[0-9]+.[0-9]+ est [A-Za-z]+
[A-Za-z]+ [0-9]+ 201[0-9]" $_cli_result _regexp_result
action 250 set TIME $_regexp_result
action 260 if $MATCHES gt $THRESHOLD_1
action 270 wait 15
action 280 cli command "show ip access-list LOOP"
action 290 set regexp_substr 0
action 300 regexp "range 20 21 \(([0-9]+) matches\)"
$_cli_result _regexp_result regexp_substr
action 310 if $regexp_substr gt $THRESHOLD_2
action 320 cli command "enable"
action 330 cli command "show ip access-list LOOP-DETAIL
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 340 cli command "show pfr master traffic-class perf det
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 350 cli command "show route-map dynamic detail
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 360 cli command "show ip route
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 370 cli command "clear pfr master *"
action 380 cli command "clear ip access-list counters LOOP-DETAIL"
action 390 file puts LOGS "$TIME - LOOP DETECTED - PfR CLEARED -
matches $MATCHES > $THRESHOLD_1 and $regexp_substr
> $THRESHOLD_2 - see $DISK:script-output-$_event_pub_sec.txt"
action 400 syslog priority emergencies msg "LOOP DETECTED -
PfR CLEARED - see $DISK:script-output-$_event_pub_sec.txt !"
action 410 else
action 420 file puts LOGS "$TIME - TEMPORARY LOOP : matches
$MATCHES > $THRESHOLD_1 and $regexp_substr < or = $THRESHOLD_2"
action 430 cli command "clear ip access-list counters LOOP-DETAIL"
action 440 end
action 450 else
action 460 cli command "en"
action 470 cli command "clear ip access-list counters LOOP-DETAIL"
action 480 file puts LOGS "$TIME - number of matches =
$MATCHES < $THRESHOLD_1"
action 490 end
action 500 else
action 510 cli command "clear ip access-list counters LOOP-DETAIL"
action 520 end
本節介紹用於其他BR的applet。以下是此特定輸出的一些重要說明:
event manager environment THRESHOLD 700
event manager environment DISK flash 0
!
event manager applet LOOP-BR authorization bypass
event timer watchdog name LOOP time 20
action 100 cli command "enable"
action 110 cli command "show ip access-list LOOP"
action 120 set regexp_substr 0
action 130 regexp "range 20 21 \(([0-9]+) matches\)"
$_cli_result _regexp_result regexp_substr
action 140 cli command "clear ip access-list counters LOOP"
action 150 if $regexp_substr gt 0
action 160 set MATCHES $regexp_substr
action 170 file open LOGS $DISK:script-logs.txt a
action 180 cli command "show clock"
action 190 regexp "[0-9]+:[0-9]+:[0-9]+.[0-9]+
est [A-Za-z]+ [A-Za-z]+ [0-9]+ 201[0-9]" $_cli_result _regexp_result
action 200 set TIME $_regexp_result
action 210 if $MATCHES gt $THRESHOLD
action 220 cli command "enable"
action 230 cli command "show route-map dynamic detail | tee /append
$DISK:script-output-$_event_pub_sec.txt"
action 240 cli command "show ip route | tee /append
$DISK:script-output-$_event_pub_sec.txt"
action 250 file puts LOGS "$TIME : matches = $MATCHES >
$THRESHOLD - see $DISK:script-output-$_event_pub_sec.txt"
action 260 syslog priority emergencies msg "LOOP DETECTED -
Outputs captured - see $DISK:script-output-$_event_pub_sec.txt !"
action 270 else
action 280 file puts LOGS "$TIME : matches = $MATCHES < or = $THRESHOLD"
action 290 end
action 300 end
環路檢測和PfR清除/統計資訊收集在必須具備裝置間EEM applet通訊的不同裝置上完成。裝置之間的通訊以不同方式進行。本文檔介紹通過跟蹤對象進行裝置通訊,以檢查IGP中通告的專用環回的可達性。檢測到事件時,將關閉環回,這樣當跟蹤的對象離線時,遠端裝置上的小程式可以啟動。如果需要交換不同的資訊,可以使用不同的環回。
使用了以下小程式和通訊方法:
Applet名稱 | 在哪裡? | 什麼? | 觸發? | 通訊? |
LOOP-BR | BR | 檢查ACL命中數以偵測回圈 |
定期 | 關閉回圈100 |
LOOP-MC | MC | — 收集PfR資訊 — 清除PfR |
磁軌可達性回圈100 | 關閉回圈200 |
COLLECT-BR | BR | 收集資訊 | 磁軌可達性回圈200 | none |
以下圖片說明了這一點:
這是小程式使用的過程:
本節介紹如何建立環回(確保在IGP上通告IP)和跟蹤對象。
建立跟蹤對象時,請記住以下幾點重要事項:
BR-1
interface Loopback100
ip address 10.100.100.1 255.255.255.255
!
track timer ip route 1
track 1 ip route 10.100.100.200 255.255.255.255 reachability
BR-2
interface Loopback100
ip address 10.100.100.2 255.255.255.255
!
track timer ip route 1
track 1 ip route 10.100.100.200 255.255.255.255 reachability
MC
interface Loopback200
ip address 10.100.100.200 255.255.255.255
!
track timer ip route 1
track 1 ip route 10.100.100.1 255.255.255.255 reachability
track 2 ip route 10.100.100.2 255.255.255.255 reachability
track 11 ip route 10.116.100.1 255.255.255.255 reachability
track 12 ip route 10.116.100.2 255.255.255.255 reachability
track 20 list boolean and
object 11
object 12
LOOP-BR
本節介紹如何在BR上建立環回。以下是需要記住的一些重要說明:
event manager environment THRESHOLD_1 100event manager environment
THRESHOLD_2 500event manager environment DISK bootflash
!event manager applet LOOP-BR authorization bypass
event timer watchdog name LOOP time 30 maxrun 27
action 100 cli command "enable"
action 110 cli command "show ip access-list LOOP"
action 120 set regexp_substr 0
action 130 regexp "range 20 21 \(([0-9]+) matches\)"
$_cli_result _regexp_result regexp_substr
action 140 cli command "clear ip access-list counters LOOP"
action 150 if $regexp_substr gt 0
action 200 set MATCHES $regexp_substr
action 210 file open LOGS $DISK:script-detect-logs.txt a
action 220 cli command "enable"
action 230 cli command "show clock"
action 240 regexp "[0-9]+:[0-9]+:[0-9]+.[0-9]+
est [A-Za-z]+ [A-Za-z]+ [0-9]+ 201[0-9]"
$_cli_result _regexp_result
action 250 set TIME $_regexp_result
action 260 if $MATCHES gt $THRESHOLD_1
action 270 wait 15
action 280 cli command "show ip access-list LOOP"
action 290 set regexp_substr 0
action 300 regexp "range 20 21 \(([0-9]+) matches\)"
$_cli_result _regexp_result regexp_substr
action 310 if $regexp_substr gt $THRESHOLD_2
action 320 cli command "enable"
action 330 cli command "conf t"
action 340 cli command "interface loop100"
action 350 cli command "shut"
action 360 file puts LOGS "$TIME - LOOP DETECTED - Message sent to MC -
matches $MATCHES > $THRESHOLD_1 and $regexp_substr > $THRESHOLD_2"
action 370 wait 5
action 375 cli command "enable"
action 380 cli command "conf t"
action 390 cli command "interface loop100"
action 400 cli command "no shut"
action 410 else
action 420 file puts LOGS "$TIME - TEMPORARY LOOP : matches $MATCHES >
$THRESHOLD_1 and $regexp_substr < or = $THRESHOLD_2"
action 430 cli command "clear ip access-list counters LOOP-DETAIL"
action 440 end
action 450 else
action 460 cli command "en"
action 470 cli command "clear ip access-list counters LOOP-DETAIL"
action 480 file puts LOGS "$TIME - number of matches =
$MATCHES < $THRESHOLD_1"
action 490 end
action 500 else
action 510 cli command "clear ip access-list counters LOOP-DETAIL"
action 520 end
LOOP-MC
本節介紹如何在MC上建立環回。以下是需要記住的一些重要說明:
event manage environment DISK bootflash
event manager applet LOOP-MC authorization bypass
event syslog pattern "10.100.100.[0-9]/32 reachability Up->Dow" ratelimit 60
action 100 file open LOGS $DISK:script-logs.txt a
action 110 regexp "10.100.100.[0-9]" "$_syslog_msg" _regexp_result
action 120 set BR $_regexp_result
action 130 wait 2
action 140 track read 20
action 150 if $_track_state eq "up"
action 160 cli command "enable"
action 170 cli command "show clock"
action 180 regexp "[0-9]+:[0-9]+:[0-9]+.[0-9]+
est [A-Za-z]+ [A-Za-z]+ [0-9]+ 201[0-9]"
"$_cli_result" _regexp_result
action 190 set TIME "$_regexp_result"
action 200 cli command "show pfr master traffic-class perf det
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 210 cli command "conf t"
action 220 cli command "interface loop200"
action 230 cli command "shut"
action 240 wait 10
action 250 cli command "conf t"
action 260 cli command "interface loop200"
action 270 cli command "no shut"
action 280 cli command "end"
action 290 cli command "clear pfr master *"
action 300 file puts LOGS "$TIME - LOOP DETECTED by $BR -
PfR CLEARED - see $DISK:script-output-$_event_pub_sec.txt"
action 310 syslog priority emergencies msg "LOOP DETECTED by $BR -
PfR CLEARED - see $DISK:script-output-$_event_pub_sec.txt !"
action 320 else
action 330 file puts LOGS "$TIME - REACHABILITY LOST with
$BR - REACHABILITY TO ALL BRs NOT OK - NO ACTION"
action 340 end
COLLECT-BR
本節介紹如何收集BR。當BR無法訪問MC上的Loopback200(10.100.100.200)時,小程式將啟動。動作120、130和140中列出了用於收集的命令。
event manager environment DISK bootflash
event manager applet COLLECT-BR authorization bypass
event syslog pattern "10.100.100.200/32 reachability Up->Dow" ratelimit 45
action 100 file open LOGS $DISK:script-collect-logs.txt a
action 110 cli command "enable"
action 120 cli command "sh ip access-list LOOP-DETAIL |
tee /append $DISK:script-output-$_event_pub_sec.txt"
action 130 cli command "show route-map dynamic detail
| tee /append $DISK:script-output-$_event_pub_sec.txt"
action 140 cli command "show ip route | tee /append
$DISK:script-output-$_event_pub_sec.txt"
action 150 cli command "show clock"
action 160 regexp "[0-9]+:[0-9]+:[0-9]+.[0-9]+ CET [A-Za-z]+ [A-Za-z]+
[0-9]+ 201[0-9]" "$_cli_result" _regexp_result
action 170 set TIME "$_regexp_result"
action 180 file puts LOGS "$TIME - OUTPUTs COLLECTED -
see $DISK:script-output-$_event_pub_sec.txt"
SYSLOG-MC
以下是檢測到環路時MC上的系統日誌:
MC#
*Mar 8 08:52:12.529: %TRACKING-5-STATE: 1 ip route 10.100.100.1/32
reachability Up->Down
MC#
*Mar 8 08:52:16.683: %LINEPROTO-5-UPDOWN:
Line protocol on Interface Loopback200, changed state to down
*Mar 8 08:52:16.683: %LINK-5-CHANGED: Interface Loopback200,
changed state to administratively down
MC#
*Mar 8 08:52:19.531: %TRACKING-5-STATE: 1
ip route 10.100.100.1/32 reachability Down->Up
MC#
*Mar 8 08:52:24.727: %SYS-5-CONFIG_I: Configured from console by
on vty0 (EEM:LOOP-MC)
*Mar 8 08:52:24.744: %PFR_MC-1-ALERT: MC is inactive due to PfR
minimum requirements not met;
Less than two external interfaces are operational
MC#
*Mar 8 08:52:24.757: %HA_EM-0-LOG: LOOP-MC:
LOOP DETECTED by 10.100.100.1 - PfR CLEARED
- see unix:script-output-1362732732.txt !
MC#
*Mar 8 08:52:26.723: %LINEPROTO-5-UPDOWN:
Line protocol on Interface Loopback200, changed state to up
MC#
*Mar 8 08:52:26.723: %LINK-3-UPDOWN: Interface Loopback200,
changed state to up
MC#
*Mar 8 08:52:29.840: %PFR_MC-5-MC_STATUS_CHANGE: MC is UP
*Mar 8 08:52:30.549: %TRACKING-5-STATE: 2
ip route 10.100.100.2/32 reachability Up->Down
MC#
*Mar 8 08:52:37.549: %TRACKING-5-STATE: 2
ip route 10.100.100.2/32 reachability Down->Up
MC#