📘CCNP Encore (350-401-ENCORE-v1.1)
1. What is EEM?
Embedded Event Manager (EEM) is a feature built into Cisco IOS devices (routers and switches) that allows the device to automatically perform actions when a specific event occurs.
In simple terms:
EEM = “If something happens, then automatically do something.”
2. Why EEM is Important for the Exam
For the CCNP ENCOR exam, you must understand:
- What EEM is
- What an EEM applet is
- How an EEM applet is structured
- Common events, actions, and use cases
- How EEM is used for:
- Automation
- Troubleshooting
- Data collection
You do not need deep programming skills. The exam focuses on concepts and basic configuration understanding.
3. What is an EEM Applet?
An EEM applet is a simple script written using Cisco CLI commands.
It consists of:
- An event (what triggers the applet)
- One or more actions (what the device does)
An EEM applet is easier than full scripting and is the most common EEM method tested in ENCOR.
4. Basic Structure of an EEM Applet
An EEM applet always follows this structure:
event manager applet APPLET_NAME
event EVENT_TYPE
action ACTION_NUMBER COMMAND
Explanation:
| Part | Meaning |
|---|---|
event manager applet | Starts the EEM applet |
APPLET_NAME | Name of the applet |
event | Defines what triggers the applet |
action | Defines what happens when triggered |
5. EEM Events (Triggers)
An event is the condition that starts the applet.
Common Event Types (Important for Exam)
1. Syslog Event
Triggered when a specific syslog message appears.
event syslog pattern "INTERFACE_DOWN"
Used when:
- Interface goes down
- Authentication fails
- Routing changes
2. Timer Event
Triggered at a specific time or repeatedly.
event timer cron cron-entry "0 * * * *"
Used for:
- Periodic checks
- Regular data collection
- Scheduled tasks
3. Interface Event
Triggered when an interface changes state.
event interface name GigabitEthernet0/1 state down
Used for:
- Interface monitoring
- Automated recovery actions
4. CLI Event
Triggered when a specific command is entered.
event cli pattern "reload"
Used for:
- Monitoring critical commands
- Logging admin actions
5. SNMP Event
Triggered by an SNMP trap.
event snmp oid 1.3.6.1.6.3.1.1.5.3
Used for:
- SNMP-based monitoring
- Integration with management systems
6. EEM Actions
Actions define what the device does after the event occurs.
Action Numbering
- Actions use numbers like
1.0,2.0,3.0 - Lower numbers execute first
Common Action Types
1. CLI Commands
Execute IOS commands automatically.
action 1.0 cli command "enable"
action 2.0 cli command "show ip interface brief"
2. Syslog Messages
Send custom log messages.
action 1.0 syslog msg "Interface is down"
3. Configuration Changes
Apply configuration commands.
action 1.0 cli command "configure terminal"
action 2.0 cli command "interface GigabitEthernet0/1"
action 3.0 cli command "shutdown"
4. Variables and Conditions
Used for simple logic.
action 1.0 set counter 1
Advanced logic is NOT heavily tested in ENCOR.
7. Example: Basic EEM Applet (IT Environment Example)
Scenario:
When a specific syslog message appears, log a message and collect information.
event manager applet INTERFACE_MONITOR
event syslog pattern "LINEPROTO-5-UPDOWN"
action 1.0 syslog msg "Interface status changed"
action 2.0 cli command "show ip interface brief"
Explanation:
- Event: Detects interface status change
- Action: Logs a message and collects interface data
8. EEM for Automation
Automation means reducing manual work.
EEM can:
- Apply configurations automatically
- Run commands without human input
- React instantly to changes
Automation Examples:
- Automatically disable a port after repeated errors
- Reapply configuration after a failure
- Restart a process when it stops responding
9. EEM for Troubleshooting
EEM helps detect problems and collect data automatically.
Troubleshooting Use Cases:
- Capture routing table when adjacency fails
- Log interface status changes
- Collect CPU or memory statistics during high usage
This is important because:
Problems may occur when no administrator is logged in.
10. EEM for Data Collection
EEM can collect and store information for later analysis.
Data Collection Examples:
- Periodic
showcommand execution - Logging system state changes
- Capturing configuration snapshots
Example timer-based data collection:
event manager applet DATA_COLLECT
event timer watchdog time 300
action 1.0 cli command "show version"
This runs every 300 seconds.
11. Difference Between EEM Applet and EEM Script
| Feature | EEM Applet | EEM Script |
|---|---|---|
| Complexity | Simple | Advanced |
| Language | CLI-based | Tcl / Python |
| Exam Focus | ✅ Yes | ❌ No |
| Ease of Use | Easy | Complex |
For ENCOR, focus on EEM applets only.
12. Key Exam Points to Remember
You MUST remember:
- EEM is event-driven automation
- An EEM applet has:
- Event
- Action
- Common events:
- Syslog
- Timer
- Interface
- CLI
- Common actions:
- CLI commands
- Syslog messages
- EEM is used for:
- Automation
- Troubleshooting
- Data collection
- Applets are simpler than scripts
13. Common Exam Traps
❌ Thinking EEM requires programming knowledge
❌ Confusing EEM with Python automation
❌ Forgetting that EEM runs inside the device
❌ Assuming EEM replaces network management systems
✔ EEM is local, event-based automation
14. One-Line Summary (Perfect for Revision)
EEM applets allow Cisco devices to automatically execute CLI actions when specific events such as syslog messages, timers, or interface changes occur.
