UPDATE: I have received numerous submissions and am currently in the process of reviewing them. I’m going to extend the deadline until Wednesday (2012-01-18). At that time all people who submitted working solutions will be awarded 100 tokens!

Recently I have been working with a large enterprise customer that is looking to implement a new change control policy. The main goal of the policy is to be able to track who is making changes to devices in the network, and specifically what those changes are. Rather than using a full-blown network management suite for this, I suggested a simple solution of using TACACS for exec and command accounting (all devices are Cisco), and EEM scripting along with a TFTP server for tracking the actual configuration changes in case they need to roll back to a well-known good working config. The final result worked out very well, and I thought it would make a good CCIE level challenge as well.

So here is the challenge – write an EEM script to manage change control in the network as follows. The first person to submit a working script will win 100 rack rental tokens valid for any rack rental or mock lab session.

Every time a user makes a change to the configuration, the router should automatically TFTP its running configuration to the TFTP server using the following naming convention:


This ensures that if a change is made to the network but not actually saved to NVRAM, and there is a device crash, you can recover the last working running config of the device. This naming format also tells you exactly when the change was made and by whom. Remember that the router always generates a %SYS-5-CONFIG log message when a change is made. So for example suppose the following change was made:

EDGE-ROUTER-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
EDGE-ROUTER-1(config)#int lo1234
*Jan 11 19:05:49.694: %LINK-5-CHANGED: Interface Loopback1234, changed state to administratively down
*Jan 11 19:05:50.694: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1234, changed state to down
*Jan 11 19:05:59.054: %SYS-5-CONFIG_I: Configured from console by bmcgahan on console

The router would then TFTP its running config to using the filename EDGE-ROUTER-1.2011-01-11.19h05m59s.bmcgahan.working.cfg

Secondly, the script should also make backups of configs that are actually saved to NVRAM. Similar to the previous requirement, files should be backed up to TFTP using the naming convention HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.startup.cfg. However, in this case you need to account for the fact that different admins use different syntax when saving configs. Some of them use “write memory” or shorter variations like “wr m” or just “wr”, while others use the “copy run start” variations. Regardless of which variation is used, the router spits out the same output afterwards as follows:

Building configuration...

EDGE-ROUTER-1#copy run start
Destination filename [startup-config]?
Building configuration...


Lastly, make sure that the script doesn’t mistake “show run” output for that of a “write memory”, as the outputs are similar:

EDGE-ROUTER-1#sh run
Building configuration...

Current configuration : 3438 bytes
! Last configuration change at 19:05:59 UTC Wed Jan 11 2012 by bmcgahan
version 15.1
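
The naming and matching rules above, modelled offline in Python as an added example (it is not the author's EEM script, nor a submission from the comments): it derives the backup filename from a %SYS-5-CONFIG_I line and tells save commands apart from "show run". The function names, the caller-supplied year, the minimum abbreviation lengths (taken from the shortest forms named in the post) and the character whitelist for filename fields are assumptions.

```python
import re
from datetime import datetime

# Matches e.g. "*Jan 11 19:05:59.054: %SYS-5-CONFIG_I: Configured from console by bmcgahan on console"
CONFIG_I = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?.*?"
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<admin>\S+) on ")


def safe(field):
    """Replace anything that could act as a path or field separator."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", field)


def backup_name(hostname, log_line, year, kind="working"):
    """Return HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.<kind>.cfg, or None."""
    m = CONFIG_I.search(log_line)
    if m is None:
        return None
    # The timestamp in the post's log line carries no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return (f"{safe(hostname)}.{ts:%Y-%m-%d.%Hh%Mm%Ss}."
            f"{safe(m['admin'])}.{kind}.cfg")


def _abbrev(token, keyword, min_len):
    """IOS-style abbreviation: a prefix of the keyword, at least min_len long."""
    return len(token) >= min_len and keyword.startswith(token)


def is_save_command(command):
    """True for 'write [memory]' and 'copy running-config startup-config' forms."""
    t = command.lower().split()
    if not t:
        return False
    if _abbrev(t[0], "write", 2):          # wr, wr m, write mem, ...
        return len(t) == 1 or (len(t) == 2 and _abbrev(t[1], "memory", 1))
    if _abbrev(t[0], "copy", 4) and len(t) == 3:
        return (_abbrev(t[1], "running-config", 3)
                and _abbrev(t[2], "startup-config", 5))
    return False                            # sh run, wr t, write erase, ...


if __name__ == "__main__":
    line = ("*Jan 11 19:05:59.054: %SYS-5-CONFIG_I: "
            "Configured from console by bmcgahan on console")  # line from the post
    print(backup_name("EDGE-ROUTER-1", line, 2011))  # year as in the post's filename
    for cmd in ("wr", "wr m", "copy run start", "sh run", "write erase"):
        print(f"{cmd!r:18} save={is_save_command(cmd)}")
```

Matching token by token, rather than with an unanchored substring pattern, keeps commands such as "sh run | i wr" from being taken for a save, and the whitelist keeps a user name containing "/" or "." from altering the TFTP path or the dot-delimited fields.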

Submit your script as a comment and the first one with fully functional requirements wins 100 tokens!

About Brian McGahan, CCIE #8593, CCDE #2013::13:

Brian McGahan was one of the youngest engineers in the world to obtain the CCIE, having achieved his first CCIE in Routing & Switching at the age of 20 in 2002. Brian has been teaching and developing CCIE training courses for over 10 years, and has assisted thousands of engineers in obtaining their CCIE certification. When not teaching or developing new products Brian consults with large ISPs and enterprise customers in the midwest region of the United States.


9 Responses to “EEM Challenge – Change Control”

  1. Jim says:

    So is this really a challenge or are you just trying to get us to solve your problem and you can cash in with it at your enterprise customer ;)

  2. Justin Guagliata says:

    I have it done with the exception of the time and tech name. Still working.

  3. tahir says:

    Can it be 2 scripts instead of 1? One for per command, the other one for NVRAM saved config?

  4. tahir says:


    Here is the config, but I did not do that dynamic string part. I don't expect tokens; I just did that for my knowledge and know I can do it.

    ! Log every configuration command and send it to syslog
    archive
     log config
      logging enable
      notify syslog
    !
    ! Back up the running config whenever a configuration command is logged
    event manager applet EACH_COMMAND
     event syslog pattern "%PARSER-5-CFGLOG_LOGGEDCMD:"
     action 1.0 cli command "enable"
     action 2.0 cli command "copy run tftp://"
    !
    ! Back up the startup config when a save command is typed
    event manager applet TEST2
     event cli pattern "wr.*|wr.* mem.*|copy run.* start.*" sync yes
     action 1.0 cli command "enable"
     action 2.0 cli command "copy startup-config tftp://"

  5. Vijaya Laxmi says:

    Can someone please throw light on how to get the dynamic string part please?

