Can you disable the reload command?

Someone has recently asked an interesting question - can you disable the reload command? Although I would strongly discourage you from doing that (after all, every router I've ever worked on since a venerable MGS running IOS 10.0 had to be reloaded every now and then), here's what you can do:
  • Define an alias for the reload command that does something else, for example alias exec reload show ip interface brief. While this would remind a careless operator, it would still not prevent someone from using an abbreviation like relo to reload the device.
  • Use TACACS+ command accounting and disable the reload command on the TACACS+ server. The benefit of this approach is that you can do it on a user-by-user basis ... but of course you need a TACACS+ server; RADIUS will not do.
  • Disable the reload command with the Embedded Event Manager applet.
The applet to disable the reload command would be similar to this one:
event manager applet NoReload
 event cli pattern "reload" sync no skip yes
 action 1.0 syslog priority errors msg "Cannot reload this router"
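An added example (not from the original article): a small Python audit that reads a running-config and reports whether an EEM applet like NoReload covers the expanded reload commands, or whether only the alias is in place. The sample config, the LogOnly applet and the function name audit_reload_controls are constructed for illustration; the script assumes EEM compares the pattern with the fully expanded command and that Python's re behaves like the IOS regex engine for simple patterns.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = '''\
hostname R1
alias exec reload show ip interface brief
event manager applet NoReload
 event cli pattern "reload" sync no skip yes
 action 1.0 syslog priority errors msg "Cannot reload this router"
event manager applet LogOnly
 event cli pattern "^write" sync no skip no
'''

ALIAS_RE = re.compile(r'^alias exec (\S+) (.+)$')
EVENT_RE = re.compile(r'^\s+event cli pattern "([^"]*)" (.*)$')


def audit_reload_controls(config, expanded_cmds=("reload", "reload in 5")):
    """Report which reload safeguards a config has and what they cover."""
    report = {"alias": False, "blocking_applets": [], "blocked": {}}
    applet = None
    for line in config.splitlines():
        if line.startswith("event manager applet "):
            applet = line.split()[3]
        elif not line.startswith(" "):
            applet = None          # left the applet sub-mode
        m = ALIAS_RE.match(line)
        if m and m.group(1) == "reload":
            # The alias shadows only the exact word; abbreviations such
            # as "relo" still reach the real command.
            report["alias"] = True
        m = EVENT_RE.match(line)
        if m and applet and "skip yes" in m.group(2):
            # Assumption: the pattern is applied to the expanded command.
            pattern = re.compile(m.group(1))
            hits = [c for c in expanded_cmds if pattern.search(c)]
            if hits:
                report["blocking_applets"].append(applet)
                for c in hits:
                    report["blocked"][c] = applet
    report["uncovered"] = [c for c in expanded_cmds
                           if c not in report["blocked"]]
    return report


if __name__ == "__main__":
    print(audit_reload_controls(SAMPLE_CONFIG))
```

A non-empty "uncovered" list with "alias" set to True means the device relies on the alias alone.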
Note: this article is part of the You've asked for it series.

1 comment:

  1. I would like to disable "show running-config" on an IOS router. Using the pattern "show running-config" works, but using "show running-config$" doesn't. Any hints? (The show run is expanded to show running-config on my router.)