The EEM scripting language (Embedded Event Manager) is built into Cisco IOS and IOS-XE devices and lets you build a lot of useful functions and program "if this, then that" behaviours, both simple and advanced. I've gathered a few of the ones I've used in my daily work life below, and without too much effort you too can make your own! For that you will have to look elsewhere though, like Cisco's documentation or someone else's blog :)

If you work with a lot of SSH sessions open on your computer, sooner or later you will find yourself pasting some really unfortunate command into the wrong device, so the EEM scripts below could save you one day.

These applets are not a security control: anyone with configuration rights can bypass a denied command by simply removing the applet (the script, that is) from the device. The purpose of these configurations is to act as a lifeline if you fumble with your fingers.

Of course TACACS+ command authorization can prevent these accidents as well (by denying users certain commands), and unlike an applet it is enforced off-box, but the EEM scripts can still be useful.

Prevent “switchport trunk allowed vlan X” accidents

We've all been there: forgetting to add that "add" keyword when updating the allowed VLANs on a trunk, and all of a sudden we've lost all contact with the device, a branch office or even worse.

Using this EEM script we completely disable the command "switchport trunk allowed vlan <vlan-id>" and instead require users to be more specific by forcing them to use the "add", "remove" or "none" keywords when changing the VLANs that are allowed on a trunk port. The pattern is a regular expression that matches when the first character after "allowed vlan" is a digit or an asterisk, so a plain VLAN list is denied while the keyword forms are not (the "all" and "except" forms are not matched either).

config terminal
 event manager applet BLOCK-TRUNK-VLAN-MISCONFIG
  event cli pattern "switchport trunk allowed vlan [0-9*]" sync yes occurs 1
  action 1 puts "!! This command is not allowed, you must use the 'ADD' or 'REMOVE' or 'NONE' keyword !!"

Entering a trunk allowed-VLAN command without one of those keywords results in the command being denied and the configured warning text being displayed, see example below. Because the event is configured with "sync yes", the applet runs before the command, and the command only executes if the applet sets the _exit_status variable to 1; none of the applets on this page do, which is what makes them deny rather than just warn.

Disable “reload” command on a Cisco device

If you have a network device, switch or router, that should never be reloaded via remote access, like an important core switch or similar, you can simply disable the command altogether.

config terminal
 event manager applet DISABLE-RELOAD
  event cli pattern "reload" sync yes occurs 1
  action 1 puts "!! RELOAD is not allowed, to reload the switch please pull power cables !!"

Running the "reload" command results in the command being denied and the configured warning text being displayed, see example below. Note that the pattern is an unanchored regular expression, so any command line containing the string "reload" (for example "show reload") is denied too; anchor it as "^reload" if you only want the command itself.

Disable “erase startup-config” command on a Cisco device

Erasing the startup configuration should never have to happen on very important nodes in your network so just… disable it.

event manager applet DISABLE-ERASE-STARTUP
 event cli pattern "erase startup-config" sync yes occurs 1
 action 1 puts "!! ERASE STARTUP-CONFIG is not allowed !!"

Running the "erase startup-config" command results in the command being denied and the configured warning text being displayed, see example below. Test abbreviated forms such as "erase start" on your platform as well, so you know whether the pattern is matched against the command as typed or as expanded by the parser.

Disable “write erase” command on a Cisco device

Very similar to the script above.

event manager applet DISABLE-WRITE-ERASE
 event cli pattern "write erase" sync yes occurs 1
 action 1 puts "!! WRITE ERASE is not allowed !!"

Running the "write erase" command results in the command being denied and the configured warning text being displayed, see example below.
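The following is an added example and not part of the original post: a small Python dry-run of the four "event cli pattern" regexes above (the trunk VLAN, reload, erase startup-config and write erase applets) against constructed command lines, to see what would actually be denied before the applets go on a device. It assumes that the EEM CLI event detector performs a regular-expression search against the full command line and that IOS treats these simple patterns (anchors, character classes) the same way Python's re.search does. The anchored "tightened" patterns are a suggestion of mine, not the post's configuration.

```python
"""Dry-run of the EEM 'event cli pattern' regexes from this post.

Added example, not the post's own code.  Assumptions: the EEM CLI event
detector does a regex *search* against the command line, IOS regex
semantics match Python's for these simple patterns, and the detector sees
the full command line as one string.  Whether your release matches
abbreviated commands ("erase start") must be tested on the box itself.
"""
import re

# Patterns exactly as configured in the applets on this page.
PAGE_PATTERNS = {
    "BLOCK-TRUNK-VLAN-MISCONFIG": r"switchport trunk allowed vlan [0-9*]",
    "DISABLE-RELOAD": r"reload",
    "DISABLE-ERASE-STARTUP": r"erase startup-config",
    "DISABLE-WRITE-ERASE": r"write erase",
}

# Tightened variants (my suggestion, not the post's config): anchored with
# '^' so only the command itself is denied, not every command line that
# happens to contain the word (e.g. "show reload").
TIGHTENED_PATTERNS = {
    "BLOCK-TRUNK-VLAN-MISCONFIG": r"^switchport trunk allowed vlan [0-9*]",
    "DISABLE-RELOAD": r"^reload",
    "DISABLE-ERASE-STARTUP": r"^erase startup-config",
    "DISABLE-WRITE-ERASE": r"^write erase",
}


def denying_applet(command, patterns):
    """Return the name of the first applet whose pattern matches, or None.

    With 'sync yes' a match means the applet runs before the command, and the
    command only executes if the applet sets _exit_status to 1.  The applets
    on the page never do, so a match here means the command is denied.
    """
    cmd = command.strip()
    for name, pattern in patterns.items():
        if re.search(pattern, cmd):
            return name
    return None


def evaluate(commands, patterns):
    """Map each command line to the applet that denies it (or None)."""
    return {cmd: denying_applet(cmd, patterns) for cmd in commands}


# Constructed sample command lines (not captured from a real device).
SAMPLE_COMMANDS = [
    "switchport trunk allowed vlan 10",        # the accident
    "switchport trunk allowed vlan 10,20-30",  # also the accident
    "switchport trunk allowed vlan add 10",    # the intended safe form
    "switchport trunk allowed vlan remove 10",
    "switchport trunk allowed vlan none",
    "switchport trunk allowed vlan all",       # not matched by the pattern
    "reload",
    "reload in 10",
    "show reload",                             # collateral of the unanchored pattern
    "erase startup-config",
    "write erase",
    "write memory",                            # must stay allowed
]

if __name__ == "__main__":
    for label, patterns in (("page", PAGE_PATTERNS), ("tightened", TIGHTENED_PATTERNS)):
        print(f"--- {label} patterns ---")
        for cmd, applet in evaluate(SAMPLE_COMMANDS, patterns).items():
            verdict = "DENIED " if applet else "allowed"
            print(f"{verdict}  {cmd:42} {applet or ''}")
```

Run it and compare the two tables: with the page's patterns "show reload" is denied alongside "reload", while the anchored set denies only the commands you meant to block and leaves "write memory" and the keyword forms of the trunk command untouched.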