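Hardware platform
Software version
Case summary
Troubleshooting steps
Related commands
Related error messages
Other related documents
Routers and multilayer switches
All IOS versions that support EEM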
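In day-to-day maintenance, the information collected at the moment a fault occurs is critical for troubleshooting, but we often cannot capture it in time, so many customers use EEM to help collect information when the fault occurs. However, for information-security reasons, many devices are configured with TACACS+ authorization. On such devices, when configuring EEM, event manager session cli username <username>
The following uses a Cat65 (R1) as an example to describe what to watch for when EEM is used together with TACACS+ authorization:
Part of R1's configuration is as follows: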
aaa new-model
!
!
aaa authentication login RONCHENG group tacacs+ local
aaa authentication enable default group RONCHENG enable none
aaa authorization commands 0 RONCHENG group tacacs+ local
aaa authorization commands 1 RONCHENG group tacacs+ local
aaa authorization commands 15 RONCHENG group tacacs+ local
aaa accounting exec RONCHENG start-stop group tacacs+
aaa accounting commands 0 RONCHENG start-stop group tacacs+
aaa accounting commands 1 RONCHENG start-stop group tacacs+
aaa accounting commands 15 RONCHENG start-stop group tacacs+
!
!
!
aaa session-id common
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 authorization commands 0 RONCHENG
 authorization commands 1 RONCHENG
 authorization commands 15 RONCHENG
 accounting commands 0 RONCHENG
 accounting commands 1 RONCHENG
 accounting commands 15 RONCHENG
 logging synchronous
 login authentication RONCHENG
 transport input all
line vty 5 100
 transport input all
!
End
For maintenance purposes, the following EEM configuration needs to be added on R1:
track 52 ip route 1.1.1.1 255.255.255.255 reachability
event manager applet test
 event track 52 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "int loo 100"
 action 4.0 cli command "shut"
 action 5.0 cli command "end"
!
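The task for EEM is: as soon as the static route tracked by track 52 becomes unreachable, shut down Loopback100.
All of the following steps are performed on R1 to test whether EEM executes successfully.
Step 1: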
R1#debug event manager action cli
Debug EEM action cli debugging is on
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no ip route 1.1.1.1 255.255.255.255 7.7.7.7   <<<--- remove the static route tracked by track 52 to trigger EEM
R1(config)#
*Nov 29 07:11:26.191: %TRACKING-5-STATE: 52 ip route 1.1.1.1/32 reachability Up->Down
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>enable
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>conf t
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : ^
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>int loo 100
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : ^
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
R1(config)#
*Nov 29 07:11:26.427: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>shut
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>end
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
R1(config)#
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.
The debug output above shows that the commands EEM needed to execute failed authorization.
Step 2:
R1(config)#event manager session cli username "roncheng"   <<--- roncheng is a username that is authorized on the TACACS+ server
R1(config)#ip route 1.1.1.1 255.255.255.255 7.7.7.7
R1(config)#no ip route 1.1.1.1 255.255.255.255 7.7.7.7   <<<--- trigger EEM again
R1(config)#
*Nov 29 07:12:56.191: %TRACKING-5-STATE: 52 ip route 1.1.1.1/32 reachability Up->Down
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:12:56.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>enable
*Nov 29 07:12:56.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1#
*Nov 29 07:12:56.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1#conf t
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line. End with CNTL/Z.
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config)#
*Nov 29 07:12:56.615: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1(config)#int loo 100
*Nov 29 07:12:56.627: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config-if)#
*Nov 29 07:12:56.627: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1(config-if)#shut
*Nov 29 07:12:56.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1(config-if)#
*Nov 29 07:12:56.639: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1(config-if)#end
*Nov 29 07:12:56.639: %SYS-5-CONFIG_I: Configured from console by roncheng on vty0 (EEM:test)
R1(config)#
*Nov 29 07:12:56.651: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1#
*Nov 29 07:12:56.651: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.
R1(config)#
*Nov 29 07:12:58.627: %LINK-5-CHANGED: Interface Loopback100, changed state to administratively down
*Nov 29 07:12:59.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to down
R1(config)#end
The debug output above shows that, once triggered, EEM passed TACACS+ authorization and executed successfully.
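The following is an added example, not part of the original article: a Python parser for `debug event manager action cli` output like that in Steps 1 and 2, which pairs each command an applet typed with the device's reply and reports the applets whose commands were denied by command authorization. The function names are assumptions of this example, and the sample lines are abridged from the Step 1 output.

```python
import re

# Sample input: abridged from the Step 1 debug output above.
SAMPLE = """\
*Nov 29 07:11:26.191: %TRACKING-5-STATE: 52 ip route 1.1.1.1/32 reachability Up->Down
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.191: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>enable
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : R1>
*Nov 29 07:11:26.403: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : R1>conf t
*Nov 29 07:11:26.415: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
*Nov 29 07:11:26.855: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.
"""

# applet name, direction (CTL/IN/OUT), and the text after the direction field
LINE = re.compile(r"%HA_EM-6-LOG: (\S+) : DEBUG\(cli_lib\) : : (CTL|IN|OUT) :\s?(.*)$")
# an IN line is "<prompt><command>", e.g. "R1(config-if)#shut"
PROMPT = re.compile(r"^(\S*?[>#])\s*(.*)$")

def audit_eem_cli(log_text):
    """Return one record per command an applet typed, with the device's verdict."""
    records, current = [], {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # TRACKING, SYS, LINK and other messages are ignored
        applet, kind, text = m.groups()
        if kind == "IN":
            pm = PROMPT.match(text)
            prompt, cmd = pm.groups() if pm else ("", text)
            current[applet] = {"applet": applet, "prompt": prompt,
                               "command": cmd, "status": "ok"}
            records.append(current[applet])
        elif kind == "OUT" and applet in current:
            if "Command authorization failed" in text:
                current[applet]["status"] = "authorization-failed"
            elif "% Invalid input" in text:
                # at the "R1>" prompt this is a knock-on effect of the denied "enable"
                current[applet]["status"] = "invalid-input"
        elif kind == "CTL" and "cli_close" in text:
            current.pop(applet, None)  # the applet's CLI session has ended
    return records

def needs_session_username(records):
    """Applets with at least one command denied by AAA command authorization."""
    return sorted({r["applet"] for r in records if r["status"] == "authorization-failed"})

if __name__ == "__main__":
    for r in audit_eem_cli(SAMPLE):
        print(r["applet"], r["prompt"], r["command"], r["status"])
```
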
event manager session cli username <username>
None