Wednesday, September 26, 2012

EEM Applet

Our network monitoring program recently detected ICMP latency from a few WS-C3560CG-8PC-S switches. The "show process cpu sort" output looked normal. However, "show process cpu history" showed that CPU utilization was always at 60% and spiked over 90% from time to time. To capture which process is the culprit, Cisco recommended using the following EEM (Embedded Event Manager) applet:


event manager applet high-cpu
!
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.3 get-type next entry-op gt entry-val 80 poll-interval 5 exit-time 500 maxrun 600
!
action 0.1 cli command "enable"
action 0.2 syslog msg "TAC - Capturing high cpu information to flash:"
action 0.3 cli command "term length 0"
action 1.1 cli command "show process cpu sorted | redirect flash:eem-cpu1.txt"
action 1.2 cli command "show interface | redirect flash:eem-interface1.txt"
action 1.3 cli command "show interface stats | redirect flash:eem-stat1.txt"
action 1.4 cli command "show ip traffic | redirect flash:eem-traffic1.txt"
action 2.1 cli command "show process cpu sorted | redirect flash:eem-cpu2.txt"
action 2.2 cli command "show interface | redirect flash:eem-interface2.txt"
action 2.3 cli command "show interface stats | redirect flash:eem-stat2.txt"
action 2.4 cli command "show ip traffic | redirect flash:eem-traffic2.txt"

What this applet does is: whenever the SNMP-polled CPU utilization is over 80%, it redirects the output of those show commands to text files in flash. This applet did capture "virtual exec" running at over 90% of CPU.
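Once the applet has fired, the captured eem-cpu1.txt / eem-cpu2.txt files still have to be read to find the offending process. The following is an added example (not from the original post or from Cisco) that parses a "show process cpu sorted" capture and lists the processes above a threshold; the sample capture is constructed and its figures are made up.

```python
import re

# Constructed sample of "show process cpu sorted" output, in the format the
# applet redirects to flash:eem-cpu1.txt (values are made up for illustration).
SAMPLE_CAPTURE = """\
CPU utilization for five seconds: 92%/4%; one minute: 66%; five minutes: 61%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
 174      512340     98231       5216 85.20% 55.10% 50.33%   2 Virtual Exec
  12       22110     91242        242  2.10%  1.50%  1.33%   0 IP Input
 104        8840     51223        172  0.95%  0.70%  0.60%   0 Check heaps
   3         120        77       1558  0.00%  0.00%  0.00%   0 Exec
"""

# First line: total%/interrupt-level% for 5 seconds, then 1-minute and 5-minute averages.
HEADER_RE = re.compile(
    r"CPU utilization for five seconds: (\d+)%/(\d+)%; "
    r"one minute: (\d+)%; five minutes: (\d+)%"
)
# Process rows: PID, three counters, three percentages, TTY, then a name that may contain spaces.
PROC_RE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\d+\s+\d+\s+"
    r"([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+\S+\s+(.+?)\s*$"
)

def parse_cpu_capture(text):
    """Return (totals, processes) parsed from a 'show process cpu sorted' capture."""
    totals, processes = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            five_sec, interrupt, one_min, five_min = map(int, m.groups())
            totals = {"5sec": five_sec, "interrupt": interrupt,
                      "1min": one_min, "5min": five_min}
            continue
        m = PROC_RE.match(line)  # the column-header line has no leading PID, so it is skipped
        if m:
            processes.append({"pid": int(m.group(1)), "5sec": float(m.group(2)),
                              "1min": float(m.group(3)), "5min": float(m.group(4)),
                              "name": m.group(5)})
    return totals, processes

def top_processes(text, threshold=80.0, column="5sec"):
    """Names of processes whose utilization in `column` exceeds `threshold` percent."""
    _, processes = parse_cpu_capture(text)
    return [p["name"] for p in processes if p[column] > threshold]

if __name__ == "__main__":
    totals, procs = parse_cpu_capture(SAMPLE_CAPTURE)
    print("totals:", totals)
    print("over 80% (5 sec):", top_processes(SAMPLE_CAPTURE))
```

Running it against both eem-cpu1.txt and eem-cpu2.txt and comparing the lists shows whether the same process is on top in both snapshots or the spike was transient.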

Just felt this is a cool utility to share. You can find more EEM samples here: http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_eem_events_and_examples.html

BTW, the root cause of the high CPU utilization is a bug in the IOS. Upgrading to c3560c405ex-universalk9-mz.122-55.EX3.bin seems to have brought the utilization down to 20%.

Checkpoint Firewall lab with VMware

I am new to Checkpoint Firewall and just want to share my experience of setting up a Checkpoint Firewall lab with VMware Workstation. This lab will have two management stations and three firewalls. You can configure the two management stations and the first two firewalls as HA later.
  1. First, download Check_Point_R75.20.Splat.iso from Checkpoint site.
  2. Second, create one VM in VMware Workstation and call it MGMT1, with the guest OS type set to Red Hat Linux 5. You only need one virtual NIC for now.
  3. Boot the VM from the ISO file you downloaded and install SecurePlatform. Detailed instructions can be found here: http://www.sysadmintutorials.com/installing-check-point-r75-secureplatform-tutorials/ and you will need to stop at step 11 of the second
  4. Turn off the VM and use VMware to clone this VM as MGMT2, FW1, FW2, and FW3.
  5. You will need to add two more virtual NICs (each on a different VMnet) to FW1 and FW2, and one more virtual NIC to FW2.
  6. Here is the tricky or annoying part: the first NIC of every VM will have the same MAC address. To change that, turn on each VM and log in as admin with the default password (admin). Enter "expert" at the prompt, and enter "admin" as the initial password again. Use vi to open "/etc/sysconfig/netconf.C" and "/etc/sysconfig/netconf.C.keep" and modify the MAC address of the first NIC.
  7. After the change, reboot the VM, log in as admin, and enter "ifconfig" to verify that each NIC has a unique MAC address. (I spent some time trying to change the MAC address using VMware KB 507: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=507, but that did not work. My colleague Larry helped me out on steps 6 & 7 here.)
  8. On MGMT1, enter "sysconfig" to install Security Management and continue with the steps in the above tutorial. This will be the primary management station.
  9. On MGMT2, follow the same steps to install Security Management, except that this will be the secondary management station.
  10. On the rest of the VMs, use sysconfig to install Security Gateway; those will be the actual firewalls.
Now you have a few raw machines to start learning Checkpoint FW. Have fun and good luck!