Cisco IOS EEM Applet

Cisco IOS EEM (Embedded Event Manager) Applet is an on-box, event-driven scripting system built directly into Cisco’s network operating systems. It allows network engineers to define policies that automatically detect and respond to events on routers and switches in real time – without requiring external management systems or programming expertise. EEM Applets represent one of the earliest and most widely deployed forms of network device automation.

History and Origins

EEM was introduced by Cisco Systems in 2004 with IOS Release 12.3(4)T and 12.0(26)S. It was created to address a fundamental challenge in network management: when a network device experiences a critical failure, the very connectivity needed to reach an external management station may be compromised. By embedding event detection and response logic directly on the device, EEM ensures that corrective actions can be taken even when the network path to centralized management tools is unavailable.

The initial release (EEM 1.0) supported only syslog and SNMP event detectors with basic actions such as generating syslog messages, reloading the device, or triggering a processor switchover. Over subsequent releases, the framework expanded dramatically – EEM 2.0 added new event detectors and Tcl scripting capabilities, EEM 3.0 introduced custom CLI interception and routing-aware detectors, and EEM 4.0 brought security features like digital signatures and TLS-encrypted email notifications.

Design Philosophy

EEM follows an event-driven, publish-subscribe architecture built around three core components:

• EEM Server: The central orchestration engine connecting event detectors to policies
• Event Detectors (Publishers): Software agents integrated into IOS subsystems that monitor specific conditions and publish events when thresholds are met
• Policies (Subscribers): User-defined logic that subscribes to events and specifies actions to execute

The Applet model specifically is designed for simplicity. Unlike EEM Tcl scripts, which require programming knowledge and are stored as files on the device’s flash storage, applets are defined entirely within the standard IOS CLI configuration. This means any network engineer who can configure a router can write an EEM applet – no external editor, compiler, or file transfer is needed.

Key Features

Event Detectors

EEM provides over 20 event detectors spanning multiple categories:

Actions

When an event triggers, applets can execute a variety of actions:

• Execute arbitrary CLI commands on the device
• Generate SNMP traps to notify management systems
• Send email notifications (with TLS support in EEM 4.0)
• Reload the device or switch to a standby processor
• Generate syslog messages with custom severity levels
• Read and write tracked object states
• Perform file operations on device storage

Syntax

Applets use a straightforward structure with numbered action labels that execute in ascending alphanumeric order:

event manager applet INTERFACE-DOWN
 event syslog pattern "Interface GigabitEthernet0/0.*changed state to down"
 action 0010 cli command "enable"
 action 0020 cli command "configure terminal"
 action 0030 cli command "interface GigabitEthernet0/0"
 action 0040 cli command "no shutdown"
 action 0050 syslog msg "EEM: Auto-recovered GigabitEthernet0/0"

Each applet has exactly one event trigger but can contain multiple ordered actions. Environment variables (user-defined, Cisco-defined, and built-in read-only) provide data passing between the event and the actions.

EEM Applet vs. EEM Tcl Script

EEM supports two primary policy types, each suited to different complexity levels:

Starting with IOS XE 16.5, a third option exists: EEM can trigger Python scripts running in Guest Shell, bridging legacy event detection with modern programmability.

Platform Support

EEM applets are supported across the major Cisco network operating system families:

• IOS (classic): The original platform, supported from IOS 12.3(4)T onward through IOS 15.x
• IOS XE: Full support on Catalyst 9000, ASR 1000, ISR 4000, and Catalyst 8000 platforms
• IOS XR: Available on service provider platforms including ASR 9000 and NCS series
• NX-OS: Supported on Nexus data center switches

Current Relevance

EEM remains actively supported and documented in current Cisco IOS XE 17.x releases. While modern network automation tools such as Cisco Catalyst Center, NETCONF/RESTCONF, Ansible, and Terraform have transformed how networks are managed, EEM fills a unique niche that centralized tools cannot fully replace: real-time, on-device event response that operates independently of external connectivity.

The integration of EEM with Python via Guest Shell in IOS XE demonstrates Cisco’s commitment to keeping the framework relevant. Network engineers commonly use EEM applets alongside modern automation – EEM handles immediate on-box reactions while external orchestration tools manage broader configuration and policy management.

Why It Matters

Cisco IOS EEM Applet holds an important place in the history of network automation. Introduced at a time when network management was almost entirely manual or dependent on external SNMP polling systems, EEM pioneered the concept of embedding programmable, event-driven automation directly into network devices. It democratized network automation by making it accessible to engineers who understood CLI configuration but lacked programming skills.

The patterns established by EEM – event detection, policy-based response, and on-box execution – influenced the broader evolution of network programmability and remain foundational concepts in modern intent-based networking.