Friday, April 22, 2016

Amazon Dash Button Events On A Catalyst

Lots of folks are detecting Amazon Dash button events by watching for ARP traffic with python.

I took a slightly different approach by watching for the button's MAC address with an EEM applet.

My Mac 'n Cheese button speaks on the network twice with each push: once right when it's pushed, and then a second time about 40 seconds later.

The applet sleeps for 60 seconds after it's fired to ensure that the button only creates a single event with each press.

 event manager applet macNcheese  
  event mat mac-address 00bb.3a4b.5a01 type add maxrun 90  
  action 1 syslog msg "It's Mac N Cheese time!"  
  action 2 cli command "enable"  
  action 3 cli command "copy https://username:password@some_server/path/to/events.php^V?eventtype=MAC%20N%20CHEESE%20TIME! null:"  
  action 4 wait 60  
  action 5 cli command "clear mac address-table dynamic address 00bb.3a4b.5a01"  

event mat refers to "mac address table" changes. This applet fires only when the button's address is added to the table. Without the add keyword, the event would fire twice, once when the entry is added, and again when the entry is removed from the switch L2 filtering table.

I'm triggering an external event by hitting a web server that's already configured to receive events through HTTP GETs, and I'm using an IOS copy command. It's a bit clunky, but works fine. I could also send SNMP traps, or rely on syslog parsing (Spunk -> StackStorm, perhaps?) to make things happen.

Getting the ^V? characters into the URL string was a little tricky. Typing a ? usually invokes the IOS inline help, so it needs to be escaped by a <ctrl-v>. The event engine will have the same problem typing the ?, so it also needs to type a <ctrl-v>, which I needed to escape in order to type... In the end, I typed three <ctrl-v>s, followed by a ? in order to produce the string above.

This could probably also be done by watching for DHCP snooping events (using the DHCP snooping MIB), but I haven't figured out how to make a DHCP snooping-based applet fire only once for each button press. This is probably worth figuring out because more platforms will support SNMP-based events than mat events.