Schedule reload before configuring the router

John McManus published an excellent Remote (in Band) Configuration Tips post on etherealmind.com last week, prompting a “Too bad there isn't a fix for forgetting ‘reload in’” tweet by @mfratto. My immediate reaction was “this should be easy to solve with EEM” ... and it is.

Before going into details, I must warn you – don’t play with EEM applets that catch CLI commands on production devices. Develop and test the applet in your lab (using the very same IOS release you’re running in your production network), then download it into your production environment. Furthermore, if you manage to mangle an applet that catches critical configuration commands (for example, configure terminal), the only way to recover is a reload (assuming, of course, that you haven’t already executed write mem ... oops, copy running-config startup-config, in which case you’ll be able to practice your password recovery skills).

I hate router-reload-induced thumb twiddling, so I made sure I had a recovery path – an applet that removes my applet:

event manager applet Cleanup authorization bypass
 event none
 action 1 cli command "enable"
 action 2 cli command "configure terminal"
 action 3 cli command "no event manager applet ConfigReload"

As long as I left the event manager command intact, I was safe – I could always execute the event manager run Cleanup command.

Here’s the full-blown version of the applet:

event manager applet ConfigReload
 event cli pattern "^configure" sync yes
 action 1.0 puts "You are going to configure the router"
 action 1.1 puts nonewline "Schedule the reload [Y/N]"
 action 1.3 gets ans
 action 1.4 string tolower "$ans"
 action 1.5 string match "$_string_result" "y"
 action 2.0 if $_string_result eq 1
 action 2.1  cli command "enable"
 action 2.2  cli command "reload cancel"
 action 2.3  cli command "configure terminal"
 action 2.4  cli command "exit"
 action 2.5  cli command "reload in 15" pattern "yes"
 action 2.6  cli command "n" pattern "confirm"
 action 2.7  cli command "y"
 action 2.8  puts "Reload has been scheduled, don't forget to cancel it!"
 action 2.9 end
 action 99  set _exit_status "1"

The sequence of commands executed in the applet is a bit convoluted: the reload in 15 command asks you whether you want to save the modified configuration, but only if the running configuration has been modified since it was last saved. I was too lazy to implement robust prompt handling, so the applet simply executes configure terminal (followed by exit) to mark the running configuration as modified. After that, we know exactly which prompts reload will produce.
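The scheduled reload protects you only until you save the configuration; once the running config has been written to startup-config, the pending reload no longer reverts anything and merely causes an outage if you forget reload cancel. The following companion applet is an added example, not part of the original post: it hooks the commands that save the running configuration, cancels any pending reload, and then lets the save proceed. It uses the same event cli, cli command and _exit_status features as the applets above; the applet name CancelReloadOnSave and the message text are my choices, and the pattern lists the full command forms because whether abbreviated commands (copy run start) are expanded before matching depends on the IOS release.

```cisco
! Added example (not from the original post): cancel a pending "reload in"
! when the running configuration is saved. After the save, the scheduled
! reload would boot the router into the very configuration you just saved,
! so it protects nothing and only causes downtime.
! Applet name and puts text are my choices; the pattern lists full command
! forms because expansion of abbreviations before matching is release-dependent.
event manager applet CancelReloadOnSave
 event cli pattern "^(write mem|copy running-config startup-config)" sync yes
 action 1.0 cli command "enable"
 action 1.1 cli command "reload cancel"
 action 1.2 puts "Pending reload (if any) has been cancelled; saving configuration"
 action 99  set _exit_status "1"
```

reload cancel is harmless when nothing is scheduled (IOS just reports that no reload is pending), and _exit_status set to "1" lets the caught save command run normally after the applet finishes, so the usual Destination filename prompt is still answered by the operator.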

The applet uses numerous features of EEM 3.0; if you have a device running an older IOS release, the bare bones version of the applet might work for you:

event manager applet ConfigReload
 event cli pattern "^configure" sync yes
 action 2.1  cli command "enable"
 action 2.2  cli command "reload cancel"
 action 2.3  cli command "configure terminal"
 action 2.4  cli command "exit"
 action 2.5  cli command "reload in 15" pattern "yes"
 action 2.6  cli command "n" pattern "confirm"
 action 2.7  cli command "y"
 action 99  set _exit_status "1"

17 comments:

  1. People who keep forgetting to do a "reload in..." deserve to keep getting burned :)

  2. Dang it, Ivan, it's copy system:running-config nvram:startup-config. Your fingers need the extra work! :)

  3. Alexandra Stanovska, 04 January 2011, 16:00

    People who forget to do a "reload cancel" after a change was successful deserve getting burned too - by the next available Ops ticket monkey while happily walking to lunch ;)

    Hm, seriously, it may come in handy to create some form of script that would display some basics upon logout - show debug, show reload, etc. - to help keep routers clean.

  4. Yeah, having to type the whole line gives you more time to think it over than the old-school "wr" ;)

  5. Isn't Cisco IOS configuration replacement and rollback better without reload?

    http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-rollback.html


    The documentation might be hard to read; here it is in a simple, tested form:

    conf t
     archive
      path flash:myconfig
     end
    wr mem

    configure replace nvram:startup-config force time 3
    ! "time 3" = roll back after 3 minutes unless confirmed
    conf t
    ! make all your changes

    ! if you lose your session or you don't want to save your configuration,
    ! the configuration will be rolled back to nvram:startup-config after 3 minutes

    ! if you still have session access and want to keep the changes you made:
    exit
    configure confirm

  6. Of course it is. I even wrote an article detailing all the wrinkles a while ago, but obviously people still tend not to read IOS documentation...

    http://www.nil.com/ipcorner/RouterConfigMgmt/
    http://www.nil.com/ipcorner/ConfigReplacement/

  7. JunOS! commit check, commit confirm.

  8. Could someone explain to me what the effect is of the line: action 99 set _exit_status "1"?
    I think that it has something to do with signalling that a function has finished successfully or not but how does it fit in this script? Is it because of the scheduled reload or is it something else?
    Thanks :)

  9. _exit_status set to one means "execute the command that was caught by the event cli". More in an upcoming post.

  10. Ivan,

    Hi, all of my equipment, including most test boxes, uses TACACS+ with Cisco ACS. Whenever I try to run any EEM applet, i.e. send show tech in email, or this new awesome applet you posted, the system shows access denied. Do you know why this is happening?

  11. Probably this one: http://blog.ioshints.info/2007/05/command-authorization-fails-with-eem.html

  12. Thanks for sharing the "configure replace" feature. That does look like the safest way to make changes to a Cisco device.

    However, we have run into an incompatibility when trying to use "configure replace" on a 6500 that was configured to do Smart Call Home to Cisco using HTTPS with a certificate.

    We called Cisco and it is a confirmed problem (no bug ID), but they don't think it is going to be corrected.

  13. It would be nice if you could describe the problem in more detail, as you might not be the only one experiencing it.

  14. Hello,

    When I need to execute some commands, I have to start with the enable command.

    What happens if I have already set up an enable password?
    How do I pass the password into the script?

    laf.

  15. You don't have to worry about the enable password, the "enable" command always works (but you do have to include it).



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.