Schedule reload before configuring the router
John McManus published an excellent Remote (in Band) Configuration Tips post on etherealmind.com last week, prompting a “Too bad there isn't a fix for forgetting ‘reload in’” tweet by @mfratto. My immediate reaction was “this should be easy to solve with EEM” ... and it is.
Before going into details, I must warn you – don’t play with EEM applets that catch CLI commands on production devices. Develop and test the applet in your lab (using the very same IOS release you’re running in your production network), then download it into your production environment. Furthermore, if you manage to mangle an applet that catches critical configuration commands (for example, configure terminal), the only way to recover is a reload (assuming, of course, that you haven’t already executed write mem ... oops, copy running-config startup-config, in which case you’ll be able to practice your password recovery skills).
I hate router-reload-induced thumb twiddling, so I made sure I had a recovery path – an applet that removes my applet:
event manager applet Cleanup authorization bypass
event none
action 1 cli command "enable"
action 2 cli command "configure terminal"
action 3 cli command "no event manager applet ConfigReload"
As long as I left the Cleanup applet intact, I was safe – I could always execute the event manager run Cleanup command to remove the ConfigReload applet.
Here’s the full-blown version of the applet:
event manager applet ConfigReload
event cli pattern "^configure" sync yes
action 1.0 puts "You are going to configure the router"
action 1.1 puts nonewline "Schedule the reload [Y/N]"
action 1.3 gets ans
action 1.4 string tolower "$ans"
action 1.5 string match "$_string_result" "y"
action 2.0 if $_string_result eq 1
action 2.1 cli command "enable"
action 2.2 cli command "reload cancel"
action 2.3 cli command "configure terminal"
action 2.4 cli command "exit"
action 2.5 cli command "reload in 15" pattern "yes"
action 2.6 cli command "n" pattern "confirm"
action 2.7 cli command "y"
action 2.8 puts "Reload has been scheduled, don't forget to cancel it!"
action 2.9 end
action 99 set _exit_status "1"
The sequence of commands executed in the applet is a bit convoluted: the reload in 15 command asks you whether you want to save the modified configuration, but only if the running configuration has unsaved changes. I was too lazy to implement robust prompt handling, so the applet simply executes configure terminal (followed by exit) to mark the running configuration as modified. After that, we know exactly what the reload prompts are. Finally, because the applet is registered with sync yes (it runs before the intercepted command executes), setting _exit_status to 1 tells EEM to let the original configure command proceed; setting it to 0 would block the command.
The applet uses numerous features of EEM 3.0; if you have a device running an older IOS release, the bare-bones version of the applet might work for you:
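To make the prompt-handling argument concrete, here is an added example (not code from the original post, and not Cisco code): a small Python model of the prompts a router prints around reload in, together with a driver that mimics the semantics of EEM's cli command ... pattern action (send a line, then wait until the output matches the regex; a non-matching pattern leaves a real applet hanging until its timeout). The FakeRouter class, its prompt strings, and the run_applet driver are constructed for this illustration; the two command sequences are the post's applet and a naive variant that skips the configure terminal / exit trick.

```python
import re


class FakeRouter:
    """Toy model of the prompts an IOS router prints around `reload in` (constructed)."""

    def __init__(self, config_modified: bool):
        self.config_modified = config_modified  # running config differs from startup-config?
        self.pending = None                     # outstanding reload prompt: None, "save", "confirm"
        self.reload_minutes = None              # scheduled reload, if any
        self._requested = None                  # minutes asked for by the last `reload in`

    def send(self, line: str) -> str:
        """Return the text the router prints in response to one CLI line."""
        if self.pending == "save":
            # Any answer to "Save? [yes/no]:" leads to the final confirmation prompt.
            self.pending = "confirm"
            return "Proceed with reload? [confirm]"
        if self.pending == "confirm":
            # Anything typed at "[confirm]" schedules the reload.
            self.pending = None
            self.reload_minutes = self._requested
            return "Router#"
        if line in ("enable", "exit"):
            return "Router#"
        if line == "reload cancel":
            self.reload_minutes = None
            return "Router#"
        if line == "configure terminal":
            self.config_modified = True         # entering config mode marks the config as modified
            return "Router(config)#"
        m = re.match(r"reload in (\d+)$", line)
        if m:
            self._requested = int(m.group(1))
            if self.config_modified:
                self.pending = "save"
                return "System configuration has been modified. Save? [yes/no]:"
            self.pending = "confirm"            # no unsaved changes: the save prompt is skipped
            return "Proceed with reload? [confirm]"
        return "Router#"


class PatternMismatch(Exception):
    """Where a real applet would stall until the `cli command` timeout expires."""


def run_applet(router: FakeRouter, steps):
    """Run (command, pattern) pairs like `action cli command X pattern P`.

    With no pattern, EEM waits for the next prompt (modelled as a trailing '#');
    with a pattern, it waits for output matching that regex.
    """
    for command, pattern in steps:
        output = router.send(command)
        expected = pattern if pattern is not None else r"#$"
        if not re.search(expected, output):
            raise PatternMismatch(f"{command!r}: expected /{expected}/, got {output!r}")
    return router.reload_minutes


# The post's applet: force the config into a known "modified" state first.
POST_APPLET = [
    ("enable", None),
    ("reload cancel", None),
    ("configure terminal", None),   # marks the running config as modified ...
    ("exit", None),
    ("reload in 15", "yes"),        # ... so the "Save? [yes/no]" prompt is guaranteed
    ("n", "confirm"),
    ("y", None),
]

# Naive variant: assumes the save prompt will always appear.
NAIVE_APPLET = [
    ("enable", None),
    ("reload cancel", None),
    ("reload in 15", "yes"),        # only shown when there are unsaved changes
    ("n", "confirm"),
    ("y", None),
]


def schedule_with_post_applet(config_modified: bool):
    """Minutes until reload after the post's applet runs; works regardless of config state."""
    return run_applet(FakeRouter(config_modified), POST_APPLET)


def naive_applet_stalls(config_modified: bool) -> bool:
    """True when the naive sequence waits for a prompt the router never prints."""
    try:
        run_applet(FakeRouter(config_modified), NAIVE_APPLET)
        return False
    except PatternMismatch:
        return True


if __name__ == "__main__":
    for modified in (False, True):
        print(f"config modified={modified}: post applet -> reload in "
              f"{schedule_with_post_applet(modified)} min, "
              f"naive applet stalls={naive_applet_stalls(modified)}")
```

Running the block shows the point of the detour through configure terminal: the post's sequence schedules the reload whether or not the configuration was already saved, while the naive sequence stalls on a freshly saved router because its pattern "yes" never matches the "[confirm]" prompt that appears instead.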
event manager applet ConfigReload
event cli pattern "^configure" sync yes
action 2.1 cli command "enable"
action 2.2 cli command "reload cancel"
action 2.3 cli command "configure terminal"
action 2.4 cli command "exit"
action 2.5 cli command "reload in 15" pattern "yes"
action 2.6 cli command "n" pattern "confirm"
action 2.7 cli command "y"
action 99 set _exit_status "1"
Hm, seriously, it may come in handy creating some form of script that would display some basic upon logout - show debug, show reload, etc. To help keep routers clean.
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_config-rollback.html
It might be hard to read the documentation, in a simple, tested way:
conf t
archive
path flash:myconfig
exit
wr mem
configure replace nvram:startup-config force time 3
! "time 3" = 3 minutes until automatic rollback unless confirmed
conf t
! make all your changes
! if you lose your session or you don’t want to save your configurations, then after 3 minutes the configuration will be rolled back to nvram:startup-config
! if you continue to have session access and want to save the changes you made:
exit
configure confirm
http://www.nil.com/ipcorner/RouterConfigMgmt/
http://www.nil.com/ipcorner/ConfigReplacement/
I think that it has something to do with signalling that a function has finished successfully or not but how does it fit in this script? Is it because of the scheduled reload or is it something else?
Thanks :)
Hi, all of my equipment, including most test boxes, uses TACACS+ with Cisco ACS. Whenever I try to run any EEM applet, i.e. send show tech in email, or this new awesome applet you posted, the system shows access denied. Do you know why this is happening?
However, we have run into an incompatibility when trying to use "configure replace" on a 6500 that was configured to do Smart-Call-Home to Cisco using HTTPS with a certificate.
We called Cisco and it is a confirmed problem (no bug ID), but they don't think it is going to be corrected.
When needing to execute some commands, I have to start with the enable command.
What happens if I already have setup an enable password?
How do I pass the password into the script?
laf.