EEM Challenge – Change Control

Posted by Brian McGahan, CCIE #8593 in CCIE R&S, System Management on 11 Jan 2012. 8 Comments

UPDATE: I have received numerous submissions and am currently in the process of reviewing them. I'm going to extend the deadline until Wednesday (2012-01-18). At that time all people who submitted working solutions will be awarded 100 tokens!
Recently I have been working with a large enterprise customer that is looking to implement a new change control
policy. The main goal of the policy is to be able to track who is making changes to devices in the network, and
specifically what those changes are. As opposed to using a full-blown network management suite to do this for
them, I suggested a simple solution of using TACACS for exec and command accounting (all devices are Cisco),
and EEM scripting along with a TFTP server for tracking the actual configuration changes in case they need to roll
back to a well-known good working config. The final result worked out very well, and I thought it would make a
good CCIE level challenge as well.

So here is the challenge – write an EEM script to manage change control in the network as follows. The first
person to submit a working script will win 100 rack rental tokens valid for any rack rental or mock lab
session.

Every time a user makes a change to the configuration, the router should automatically TFTP its running
configuration to the TFTP server 10.0.0.1 using the following naming convention:

HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.working.cfg

This ensures that if a change is made to the network but not actually saved to NVRAM, and there is a device
crash, you can recover the last working running config of the device. Also this naming format tells you when
exactly the change was made and by whom. Remember that the router always generates a %SYS-5-CONFIG_I log
message when a change is made. So for example suppose the following change was made:

EDGE-ROUTER-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
EDGE-ROUTER-1(config)#int lo1234
EDGE-ROUTER-1(config-if)#shutdown
EDGE-ROUTER-1(config-if)#
*Jan 11 19:05:49.694: %LINK-5-CHANGED: Interface Loopback1234, changed state to administratively down
*Jan 11 19:05:50.694: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1234, changed state to down
EDGE-ROUTER-1(config-if)#end
EDGE-ROUTER-1#
*Jan 11 19:05:59.054: %SYS-5-CONFIG_I: Configured from console by bmcgahan on console

The router would then TFTP its running config to 10.0.0.1 using the filename EDGE-ROUTER-1.2011-01-11.19h05m59s.bmcgahan.working.cfg
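As an added example (not code from the post or from any of the commenters), here is how this first requirement can be written as an EEM Tcl policy rather than an applet, since Tcl's clock format produces the YYYY-MM-DD.HHhMMmSSs stamp directly and the admin name can be pulled out of the %SYS-5-CONFIG_I message shown above. It assumes the router has file prompt quiet configured so the copy does not stop at the address and filename prompts, and that the policy file is registered with event manager policy from a configured user policy directory; the TFTP server 10.0.0.1 is the one from the challenge.

```tcl
# Added example, not from the original post: back up running-config to TFTP
# on every %SYS-5-CONFIG_I, named HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN.working.cfg.
# Assumes "file prompt quiet" is configured so "copy" does not wait on prompts.
::cisco::eem::event_register_syslog pattern "%SYS-5-CONFIG_I" occurs 1 maxrun 60

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# msg holds the raw syslog text, event_pub_sec the time the event was published.
array set einfo [event_reqinfo]
set msg $einfo(msg)

# Admin name from "... by bmcgahan on console". Without AAA the message reads
# "Configured from console by console", so fall back to a fixed marker.
if {![regexp {by (\S+) on} $msg -> admin]} {
    set admin "unknown"
}

# Timestamp in the challenge's format, taken from the event rather than "now".
set stamp [clock format $einfo(event_pub_sec) -format "%Y-%m-%d.%Hh%Mm%Ss"]

# Open a CLI session, enter enable mode and read the hostname from the running config.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result
if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}
set out [cli_exec $cli(fd) "show running-config | include ^hostname"]
if {![regexp -line {^hostname (\S+)} $out -> host]} {
    set host "UNKNOWN-HOST"
}

set dest "tftp://10.0.0.1/$host.$stamp.$admin.working.cfg"

# Copy the running config; log the outcome so the backup itself leaves an audit trail.
if {[catch {cli_exec $cli(fd) "copy running-config $dest"} result]} {
    action_syslog priority err msg "Change-control backup to $dest failed: $result"
} else {
    action_syslog priority info msg "Change-control backup written to $dest"
}
cli_close $cli(fd) $cli(tty_id)
```

Because the policy only reads the configuration and never enters configure mode, it does not generate a second %SYS-5-CONFIG_I and so cannot trigger itself.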

Secondly, the script should also make backups of configs that are actually saved to NVRAM. Similar to the
previous requirement, files should be backed up to TFTP using the naming convention HOSTNAME.YYYY-MM-
DD.HHhMMmSSs.ADMIN_NAME.startup.cfg. However in this case you need to account for the fact that different
admins use different syntax when saving configs. Some of them use “write memory” or shorter variations like “wr
m” or just “wr”, while others use the “copy run start” variations. However regardless which variation is used, the
router spits out the same output afterwards as follows:

EDGE-ROUTER-1#wr
Building configuration...
[OK]
EDGE-ROUTER-1#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]

Lastly make sure that the script doesn't mistake a "show run" output for the same as a "write memory", as the
outputs are similar:

EDGE-ROUTER-1#sh run
Building configuration...

Current configuration : 3438 bytes
!
! Last configuration change at 19:05:59 UTC Wed Jan 11 2012 by bmcgahan
version 15.1

Submit your script as a comment and the first one with fully functional requirements wins 100 tokens!

Tags: challenge, change control, eem, tftp

About Brian McGahan, CCIE #8593:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in
Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 8
years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing
new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.

8 Responses to “EEM Challenge – Change Control”

Jim, January 11, 2012 at 1:17 pm

So is this really a challenge, or are you just trying to get us to solve your problem so you can cash in with it at your enterprise customer?

Brian McGahan, CCIE #8593, January 11, 2012 at 1:36 pm

Good engineers know how to delegate.

Justin Guagliata, January 11, 2012 at 2:04 pm

I have it done with the exception of the time and tech name. Still working.

Brian McGahan, CCIE #8593, January 11, 2012 at 3:27 pm

You can use the Cisco Beyond Product Extension Community as a reference as well. There's lots of good example scripts there:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6815/product_promotion0900aecd8055c188.html

tahir, January 11, 2012 at 4:16 pm

Can it be 2 scripts instead of 1? One for per command, the other one for NVRAM saved config?

Brian McGahan, CCIE #8593, January 11, 2012 at 4:18 pm

It can be as many scripts as needed as long as it works.

tahir, January 11, 2012 at 5:03 pm

Brian,

here is the config but I did not do that dynamic string part. I don't expect tokens, I just did that for my knowledge and know I can do it.

! Log every configuration command to syslog so the first applet has a message to match on
archive
 log config
  logging enable
  notify syslog
!
! Fires on each logged config command; the copy assumes "file prompt quiet",
! otherwise it blocks on the remote host / destination filename prompts
event manager applet EACH_COMMAND
 event syslog pattern "%PARSER-5-CFGLOG_LOGGEDCMD:"
 action 1.0 cli command "enable"
 action 2.0 cli command "copy run tftp://10.0.0.1/test.txt"
!
! Fires on the write / copy run start variants (sync yes: runs before the command executes)
event manager applet TEST2
 event cli pattern "wr.*|wr.* mem.*|copy run.* start.*" sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "copy startup-config tftp://10.0.0.1/test2.txt"

Vijaya Laxmi, March 29, 2012 at 12:52 pm

Can someone please throw light on how to get the dynamic string part, please?

© 2011 INE, Inc., All Rights Reserved