C892-02(config)#event manager ?
applet Register an Event Manager applet
detector Set Embedded Event Manager detector information
directory Set Embedded Event Manager directory information
environment Set an Embedded Event Manager global environment variable
history Set Embedded Event Manager history information
policy Register an Embedded Event Manager policy
scheduler Set Event Manager scheduler options
session Set Embedded Event Manager session attributes
C892-02(config-applet)#action 1.0 ?
add Add
append Append to a variable
break Break out of a conditional loop
cli Execute a CLI command
cns-event Send a CNS event
comment add comment
context Save or retrieve context information
continue Continue to next loop iteration
counter Modify a counter value
decrement Decrement a variable
divide Divide
else else conditional
elseif elseif conditional
end end conditional block
exit Exit from applet run
file file operations
force-switchover Force a software switchover
foreach foreach loop
gets get line of input from active tty
handle-error On error action
help Read/Set parser help buffer
if if conditional
increment Increment a variable
info Obtain system specific information
mail Send an e-mail
multiply Multiply
policy Run a pre-registered policy
publish-event Publish an application specific event
puts print data to active tty
regexp regular expression match
reload Reload system
set Set a variable
snmp-object-value Specify value for the SNMP get request
snmp-trap Send an SNMP trap
string string commands
subtract Subtract
syslog Log a syslog message
track Read/Set a tracking object
wait Wait for a specified amount of time
while while loop
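When an interface is shut down, the log message "Interface , changed state to administratively down" is output. We detect this syslog message as an event and use it as the trigger for an action that issues "no shutdown" through a CLI command.
First, check the syslog message that is logged when VLAN113 is shut down.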
C892-02(config)#int vlan 113
C892-02(config-if)#shutdown
C892-02(config-if)#
017611: Mar 3 18:51:50.925: %LINK-5-CHANGED: Interface Vlan113, changed state to administratively down
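An applet consistent with the debug output shown further down this page, given here as an added example and not the author's original configuration. The applet name and the four CLI commands are taken from that debug output; the syslog pattern, the action labels, the extra syslog action and the debug command are assumptions.

```cisco
! Added example, reconstructed from the HA_EM-6-LOG debug lines on this page.
event manager applet No_Shutdown_VLAN113
 ! Assumption: the pattern is a regular expression matched against the
 ! syslog text confirmed above for Vlan113.
 event syslog pattern "Interface Vlan113, changed state to administratively down"
 ! These four commands appear as IN lines in the debug output.
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "interface vlan113"
 action 4.0 cli command "no shutdown"
 ! Assumption (not in the page's output): log each automatic re-enable
 ! so the change is attributable to the applet when reviewing syslog.
 action 5.0 syslog msg "EEM No_Shutdown_VLAN113 re-enabled Vlan113"
!
! Assumption: exec-mode debug that produces the DEBUG(cli_lib) lines.
! debug event manager action cli
```

Because the applet fires on every administrative shutdown of Vlan113, an intentional shutdown requires removing the applet first.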
After entering the debug command, running the EEM applet from example 1 produces the log output below. The applet detects that VLAN113 was shut down, issues the "no shut" command, and VLAN113 comes back up.
C892-02(config)#int vlan 113
C892-02(config-if)#shut
C892-02(config-if)#
017631: Mar 3 18:58:36.864: %FW-6-DROP_PKT: Dropping tcp session 116.223.132.218:443 172.16.23.4:49699 due to RST inside current window with ip ident 64807 tcpflags 0x8014 seq.no 3652153217 ack 1529682709
017632: Mar 3 18:58:38.468: %LINK-5-CHANGED: Interface Vlan113, changed state to administratively down
017633: Mar 3 18:58:38.472: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : CTL : cli_open called.
017634: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : CCC
017635: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : Cisco 982 (Serial Number: FGL151727WV)
017636: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : This is Cisco 982-02 @ Living room for Internet settings.
017637: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : No one is allowed to login to this system except Kanta Nakashima.
017638: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT :
017639: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : C892-02>
017640: Mar 3 18:58:38.480: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : IN : C892-02>enable
017641: Mar 3 18:58:38.492: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : C892-02#
017642: Mar 3 18:58:38.492: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : IN : C892-02#config t
017643: Mar 3 18:58:38.508: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
017644: Mar 3 18:58:38.508: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : C892-02(config)#
017645: Mar 3 18:58:38.508: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : IN : C892-02(config)#interface vlan113
017646: Mar 3 18:58:38.520: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : C892-02(config-if)#
017647: Mar 3 18:58:38.520: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : IN : C892-02(config-if)#no shutdown
017648: Mar 3 18:58:38.532: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : OUT : C892-02(config-if)#
017649: Mar 3 18:58:38.532: %HA_EM-6-LOG: No_Shutdown_VLAN113 : DEBUG(cli_lib) : : CTL : cli_close called.
017650: Mar 3 18:58:38.536:
017651: Mar 3 18:58:38.536: tty is now going through its death sequence
017652: Mar 3 18:58:40.524: %LINK-3-UPDOWN: Interface Vlan113, changed state to up
C892-02(config-if)#
2. Run a command periodically and write the result to NVRAM
For example, run the "show ip route" command every day at 7 a.m. and write its output to NVRAM.
crypto map M-ipsec 1 ipsec-isakmp
set peer 10.0.0.254
set transform-set IPSEC
match address A-ipsec
!
ip access-list extended A-ipsec
permit gre host 222.1.1.1 host 111.1.1.1
This completes the GRE over IPSec configuration. Let's look at R2's routing table.
R2#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, FastEthernet0
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2 10.0.1.135/32 [110/20] via 192.168.1.1, 00:14:09, Tunnel1
O IA 10.74.6.0/24 [110/1002] via 192.168.1.1, 00:14:09, Tunnel1
O IA 10.200.1.0/24 [110/1002] via 192.168.1.1, 00:14:09, Tunnel1
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O E2 172.16.0.0/27 [110/20] via 192.168.1.1, 00:14:09, Tunnel1
O E2 172.16.0.32/27 [110/20] via 192.168.1.1, 00:14:09, Tunnel1
O 172.16.16.0/21 [110/1001] via 192.168.1.1, 00:14:09, Tunnel1
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Tunnel1
L 192.168.1.2/32 is directly connected, Tunnel1
222.1.1.0/32 is subnetted, 1 subnets
C 222.1.1.1 is directly connected, Loopback1
The segment on R1's LAN side (172.16.16.0 /21) is visible in R2's routing table. This completes the GRE over IPSec configuration.