Friday, April 22, 2016

Amazon Dash Button Events On A Catalyst

Lots of folks are detecting Amazon Dash button events by watching for ARP traffic with python.

I took a slightly different approach by watching for the button's MAC address with an EEM applet.

My Mac 'n Cheese button speaks on the network twice with each push: once right when it's pushed, and then a second time about 40 seconds later.

The applet sleeps for 60 seconds after it's fired to ensure that the button only creates a single event with each press.

 event manager applet macNcheese  
  event mat mac-address 00bb.3a4b.5a01 type add maxrun 90  
  action 1 syslog msg "It's Mac N Cheese time!"  
  action 2 cli command "enable"  
  action 3 cli command "copy https://username:password@some_server/path/to/events.php^V?eventtype=MAC%20N%20CHEESE%20TIME! null:"  
  action 4 wait 60  
  action 5 cli command "clear mac address-table dynamic address 00bb.3a4b.5a01"  

event mat refers to "mac address table" changes. This applet fires only when the button's address is added to the table. Without the add keyword, the event would fire twice, once when the entry is added, and again when the entry is removed from the switch L2 filtering table.

I'm triggering an external event by hitting a web server that's already configured to receive events through HTTP GETs, and I'm using an IOS copy command. It's a bit clunky, but works fine. I could also send SNMP traps, or rely on syslog parsing (Spunk -> StackStorm, perhaps?) to make things happen.

Getting the ^V? characters into the URL string was a little tricky. Typing a ? usually invokes the IOS inline help, so it needs to be escaped by a <ctrl-v>. The event engine will have the same problem typing the ?, so it also needs to type a <ctrl-v>, which I needed to escape in order to type... In the end, I typed three <ctrl-v>s, followed by a ? in order to produce the string above.

This could probably also be done by watching for DHCP snooping events (using the DHCP snooping MIB), but I haven't figured out how to make a DHCP snooping-based applet fire only once for each button press. This is probably worth figuring out because more platforms will support SNMP-based events than mat events.

4 comments:

  1. Is EEM usually so finicky?

    I tried to implement your eem applet on a C3560G running c3560-ipbasek9-mz.150-2.SE9. It didn't trigger on the "event mat mac-address" code.

    I then "downgraded" to c3560-ipservicesk9-mz.122-55.SE10.bin. The "event mat mac-address" code triggers now, but the "copy http://1.1.1.1/cgi-bin/trigger.sh null:" code runs twice for some reason.

    ReplyDelete
  2. > runs twice for some reason

    Do you have the 'add' keyword? Without it the code will fire on adds and also on deletions.

    Alternatively, is your mac-address timeout less than the sleep interval in the EEM script? My dash button talks twice in about 45 seconds. If the timeout were less than that, the second time it talks would be a separate "mac learn" event.

    I had similar problems (firing twice) when my EEM script was watching the dhcp snooping database via SNMP. I couldn't figure out why.

    ReplyDelete
  3. Hi Chris, thanks for the reply. I really enjoy reading your blog.

    I discovered that I can reproduce the double http request by manually typing "copy http://1.1.1.1/cgi-bin/trigger.sh null:" from the "conf t" prompt. So I believe that rules out EEM as the cause.

    I'm currently looking into using a TCL script to do the http request instead, but there is a bit of a learning curve there so it might take a while for me to figure it out.

    -Michael

    ReplyDelete
  4. I'm able to reproduce your results. Running the 'copy' command against a very small file hits my web server twice. I tried it on a Cat2K and a Cat4K, both running 12.2. I've no idea why this happens. I hadn't noticed it before because the PHP script I'm hitting was already debounced for other reasons.

    ReplyDelete