Cisco IOS, by default, does not generate a focused alert message in case one specific route starts flapping in its routing table. If for multiple reasons in your network, itβs a necessity to watch a specific host or route inside the routing table in BGP, and if something goes wrong, it's mandatory to generate an alert message to the network helpdesk.
There are several ways to do this, but this is my specific implementation. This Cisco TLC script watches for a specific BGP route in the current routing table. If the route is not there, it generates an SNMP alert to the company management server and feeds the company syslog server with a level 7 event, to alert the network operational center. Also, if the route has less than a minute at the routing table, generate the alert message.
A TCL-based monitoring script for Cisco IOS routers that tracks specific BGP routes and generates real-time alerts when routes become unstable or disappear from the routing table.
WatchNet provides automated monitoring for critical BGP routes in your network infrastructure. It detects:
- Route Flapping: When a route appears/disappears repeatedly (age < 60 seconds)
- Missing Routes: When a monitored route is not present in the routing table
- Route Recovery: When a previously problematic route becomes stable again
The script integrates with your existing monitoring infrastructure through SNMP traps and syslog messages, ensuring your NOC team is immediately notified of routing issues.
- Real-time BGP route monitoring with configurable check intervals
- SNMP v2c trap generation for integration with network management systems
- Syslog message generation with severity levels
- State persistence to avoid duplicate alerts
- Route flapping detection based on route age
- Embedded Event Manager (EEM) integration for automated execution
- Debug mode for troubleshooting
- Configurable thresholds and parameters
- Cisco IOS 15.0 or later
- TCL support enabled on the router
- SNMP configuration (for trap generation)
- Syslog configuration (for logging)
- Flash storage space for script files
configure terminal
scripting tcl low-encryption
exit
configure terminal
snmp-server community public RO
snmp-server community private RW
snmp-server host 172.168.1.1 version 2c SnMpSeRvErPaSsWoRd
snmp-server enable traps bgp
exit
configure terminal
logging host 172.168.1.1
logging trap debugging
logging facility local7
exit
copy tftp://your-tftp-server/watchnet-bgp-monitor.tcl flash:
Or via USB:
copy usbflash0:watchnet-bgp-monitor.tcl flash:
dir flash: | include watchnet
more flash:watchnet-bgp-monitor.tcl
Run the script manually to test functionality:
enable
tclsh flash:watchnet-bgp-monitor.tcl
Configure Embedded Event Manager to run the script automatically every 60 seconds:
configure terminal
event manager applet BGP_ROUTE_MONITOR
event timer watchdog time 60
action 1.0 cli command "enable"
action 2.0 cli command "tclsh flash:watchnet-bgp-monitor.tcl"
exit
To verify EEM configuration:
show event manager policy registered
configure terminal
kron policy-list BGP_MONITOR_POLICY
cli tclsh flash:watchnet-bgp-monitor.tcl
kron occurrence BGP_MONITOR_SCHEDULE in 1 recurring
policy-list BGP_MONITOR_POLICY
exit
Edit the configuration section in the script to match your environment:
array set config {
watched_route "10.1.1.1/32" # Route to monitor
syslog_server "172.168.1.1" # Syslog server IP
next_hop "192.168.2.1" # Expected next-hop IP
snmp_community "SnMpSeRvErPaSsWoRd" # SNMP community string
snmp_timeout 15 # SNMP timeout in seconds
snmp_retry 2 # SNMP retry count
flap_threshold 60 # Seconds before route is considered stable
debug_mode 0 # Set to 1 for verbose output
}| Trap Type | OID | Description | Severity |
|---|---|---|---|
| NO_BGP_MAIN_ROUTE | 1.3.6.1.4.1.9.9.187.2.0.1 | Route missing from table | Critical |
| BGP_MAIN_ROUTE_FLAPPING | 1.3.6.1.4.1.9.9.187.2.0.1 | Route age < threshold | Warning |
| BGP_MAIN_ROUTE_RECOVERED | 1.3.6.1.4.1.9.9.187.2.0.1 | Route became stable | Info |
%WATCHNET-2-CRITICAL: Main route 10.1.1.1/32 via 192.168.2.1 NOT IN TABLE
%WATCHNET-3-WARNING: Main route 10.1.1.1/32 via 192.168.2.1 FLAPPING (age: 15s)
%WATCHNET-5-NOTICE: Main route 10.1.1.1/32 via 192.168.2.1 RECOVERED
Edit the script and set debug_mode to 1:
array set config {
...
debug_mode 1
...
}show event manager policy registered
show event manager history events
show logging | include WATCHNET
show ip route 10.1.1.1
show ip bgp 10.1.1.1/32
show ip bgp summary
- Script not executing: Verify TCL is enabled and script permissions
- No SNMP traps: Check SNMP configuration and community string
- No syslog messages: Verify syslog configuration and connectivity
- False positives: Adjust
flap_thresholdvalue
watchnet-bgp-monitor/
βββ README.md # This file
βββ watchnet-bgp-monitor.tcl # Basic monitoring script
βββ watchnet-bgp-monitor-enhanced.tcl # Enhanced version with more features
βββ examples/
βββ eem-config.txt # EEM configuration examples
βββ snmp-config.txt # SNMP configuration examples
Contributions are welcome! Please feel free to submit a Pull Request. For major changes, please open an issue first to discuss what you would like to change.
This project is licensed under the MIT License - see the LICENSE file for details.
- Cisco TCL Scripting Documentation
- Cisco EEM Configuration Guide
- Network Engineering Community
For issues, questions, or contributions, please create an issue in the GitHub repository.
Note: Always test scripts in a lab environment before deploying to production routers. Ensure you have proper change management procedures in place.