EEM event cli command options and the _exit_status variable

Upendra wrote the following comment to my “EEM CLI patterns are not context sensitive” post:

I am totally confused with sync yes|no skip yes|no. What is the mean of sync and skip, when we use these keywords and what is the mean of yes and no.

The online documentation on this topic is pretty extensive, but obviously not explicit enough, so let’s try to reword it.

When you use the sync yes option in the event cli command, the EEM applet runs before the CLI command is executed. The EEM applet should set the _exit_status variable to indicate whether the CLI command should be executed (_exit_status set to one) or not (_exit_status set to zero). A sample applet using the _exit_status variable in described in my “Schedule reload before configuring the router” post.

With the sync no option, the EEM applet is executed in background in parallel with the CLI command. As the CLI command starts at the same time as the EEM applet, you cannot use the _exit_status variable anymore; you have to specify whether you want the CLI command to execute with the skip yes|no option of the event cli command. A sample applet using sync no skip yes options is described in my “Can you disable the reload command?” post.

7 comments:

  1. It's not new, but when I read something about 'event cli', I always imagine some boundary router with totally invisible script inside that is ruled by hidden ICMP payload matched with FPM... O:-)
    It's a perfect platform for any attack. Almost impossible to detect.
    I don't have any malicious activities in my mind actually. Just the first thought. :)

    ReplyDelete
  2. It's not new, but when I read something about 'event cli', I always imagine some boundary router with totally invisible script inside that is ruled by hidden ICMP payload matched with FPM... O:-)
    It's a perfect platform for any attack. Almost impossible to detect.
    I don't have any malicious activities in my mind actually. Just the first thought. :)

    ReplyDelete
  3. I'm still confused, what would be the difference between sync no skip yes and sync yes and seting _exit_status to 0 ?

    ReplyDelete
  4. None. You need "sync yes" and _exit_status when you want to conditionally enable/disable the command or when you need to write a message to the use (with "sync no" all applet output goes to syslog).

    ReplyDelete
  5. Ivan,
    Is there any scenario when we use "sync no skip no" ?

    ReplyDelete
  6. Ivan Pepelnjak17 July, 2011 10:12

    You want to log the commands without blocking them (almost like TACACS+ command accounting)

    http://blog.ioshints.info/2006/11/cli-command-logging-without-tacacs.html

    ReplyDelete
  7. Hi,
    I want to try to stop the changes for local-preference. I use the applet:
    event manager applet test
    event cli pattern "set local-preference" sync yes
    action 1.0 set _exit_status "0"

    As far as I understood the command should not be executed but actually the set statement is present in the route-map.
    Am I mistaken or this is not possible ?

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.