Jan 11

UPDATE: I have received numerous submissions and am currently in the process of reviewing them. I'm going to extend the deadline until Wednesday (2012-01-18). At that time all people who submitted working solutions will be awarded 100 tokens!

Recently I have been working with a large enterprise customer that is looking to implement a new change control policy. The main goal of the policy is to be able to track who is making changes to devices in the network, and specifically what those changes are. As opposed to using a full-blown network management suite to do this for them, I suggested a simple solution of using TACACS for exec and command accounting (all devices are Cisco), and EEM scripting along with a TFTP server for tracking the actual configuration changes in case they need to roll back to a well-known good working config. The final result worked out very well, and I thought it would make a good CCIE level challenge as well.

So here is the challenge - write an EEM script to manage change control in the network as follows. The first person to submit a working script will win 100 rack rental tokens valid for any rack rental or mock lab session.

Every time a user makes a change to the configuration, the router should automatically TFTP its running configuration to the TFTP server 10.0.0.1 using the following naming convention:

HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.working.cfg

This ensures that if a change is made to the network but not actually saved to NVRAM, and there is a device crash, you can recover the last working running config of the device. Also this naming format tells you exactly when the change was made and by whom. Remember that the router always generates a %SYS-5-CONFIG_I log message when a change is made. So for example suppose the following change was made:

EDGE-ROUTER-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
EDGE-ROUTER-1(config)#int lo1234
EDGE-ROUTER-1(config-if)#shutdown
EDGE-ROUTER-1(config-if)#
*Jan 11 19:05:49.694: %LINK-5-CHANGED: Interface Loopback1234, changed state to administratively down
*Jan 11 19:05:50.694: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1234, changed state to down
EDGE-ROUTER-1(config-if)#end
EDGE-ROUTER-1#
*Jan 11 19:05:59.054: %SYS-5-CONFIG_I: Configured from console by bmcgahan on console

The router would then TFTP its running config to 10.0.0.1 using the filename EDGE-ROUTER-1.2011-01-11.19h05m59s.bmcgahan.working.cfg

Secondly, the script should also make backups of configs that are actually saved to NVRAM. Similar to the previous requirement, files should be backed up to TFTP using the naming convention HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.startup.cfg. However, in this case you need to account for the fact that different admins use different syntax when saving configs. Some of them use "write memory" or shorter variations like "wr m" or just "wr", while others use the "copy run start" variations. However, regardless of which variation is used, the router spits out the same output afterwards as follows:

EDGE-ROUTER-1#wr
Building configuration...

[OK]
EDGE-ROUTER-1#copy run start
Destination filename [startup-config]?
Building configuration...

[OK]

Lastly, make sure that the script doesn't mistake the output of a "show run" for that of a "write memory", as the two outputs look similar:

EDGE-ROUTER-1#sh run
Building configuration...

Current configuration : 3438 bytes
!
! Last configuration change at 19:05:59 UTC Wed Jan 11 2012 by bmcgahan
version 15.1
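One way to meet both requirements in a single EEM Tcl policy, shown here as an added example rather than the reference solution from this post: a syslog event on %SYS-5-CONFIG_I produces the .working.cfg backup, and a CLI event matched on the typed command (the "wr"/"write memory" prefixes and "copy run start" variations) produces the .startup.cfg backup. Because the CLI event matches the command line and not its output, "show run" can never be confused with a save. Assumptions not stated in the post: EEM 2.4 or later (multi-event correlation), "file prompt quiet" configured so the copy does not block on its interactive prompts, the device clock in UTC as in the log above, and that [info hostname] returns the router hostname under IOS Tcl. The CLI event carries no user name, so the save path takes the admin from the "Last configuration change ... by" header of the running-config, which is an approximation (it names the last person who changed the config, not necessarily the one saving it).

```tcl
# Added example (not the post's own solution): EEM Tcl policy that sends the
# running-config to TFTP on every configuration change (working.cfg) and on
# every save to NVRAM (startup.cfg), using the post's naming convention.
# Assumes: EEM 2.4+, "file prompt quiet", UTC clock, [info hostname] available.

::cisco::eem::event_register_syslog tag change pattern "%SYS-5-CONFIG_I" maxrun 60
# Matches wr, wri, writ, write, each optionally followed by m/me/mem/memo/memor/memory,
# plus "copy run start" and its longer spellings. "write terminal" does not match.
::cisco::eem::event_register_cli tag save sync no skip no \
    pattern {^wr(i(te?)?)?( +m(e(m(o(ry?)?)?)?)?)?$|^copy +run[^ ]* +start[^ ]*$}
::cisco::eem::trigger {
    ::cisco::eem::correlate event change or event save
}

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

set tftp_server 10.0.0.1   ;# TFTP server named in the post

# Run one exec command in the EEM CLI session; abort the policy on failure.
proc run_cli {fd cmd} {
    if {[catch {cli_exec $fd $cmd} result]} {
        error $result $::errorInfo
    }
    return $result
}

array set einfo [event_reqinfo]

if {[catch {cli_open} result]} {
    error $result $::errorInfo
}
array set cli1 $result
run_cli $cli1(fd) "enable"

if {[string equal $einfo(event_type_string) "syslog"]} {
    # "%SYS-5-CONFIG_I: Configured from console by bmcgahan on console"
    set suffix "working"
    if {![regexp { by (\S+) on } $einfo(msg) -> admin]} {
        set admin "unknown"   ;# no AAA: message has no "by <user> on" clause
    }
} else {
    # A save command was typed. No user name is available from the CLI event,
    # so fall back (approximation) to the running-config header line:
    # "! Last configuration change at 19:05:59 UTC Wed Jan 11 2012 by bmcgahan"
    set suffix "startup"
    set header [run_cli $cli1(fd) "show running-config | include Last configuration change"]
    if {![regexp {Last configuration change .* by (\S+)} $header -> admin]} {
        set admin "unknown"
    }
}

# YYYY-MM-DD.HHhMMmSSs from the event's publish time (epoch seconds).
set stamp [clock format $einfo(event_pub_sec) -format "%Y-%m-%d.%Hh%Mm%Ss"]
set fname "[info hostname].$stamp.$admin.$suffix.cfg"

# Copy the running-config in both cases: on a save it is exactly what is being
# written to NVRAM, so the asynchronous (sync no) save cannot race the backup.
run_cli $cli1(fd) "copy running-config tftp://$tftp_server/$fname"
cli_close $cli1(fd) $cli1(tty_id)

action_syslog priority info msg "config backup sent to tftp://$tftp_server/$fname"
```

To install, copy the file to flash, point EEM at that directory with "event manager directory user policy" and register it with "event manager policy <filename>"; for the change in the post the resulting file is EDGE-ROUTER-1.&lt;date&gt;.19h05m59s.bmcgahan.working.cfg, and a subsequent "wr" produces the matching .startup.cfg. Copying to TFTP does not modify the configuration, so the backup itself never raises a second %SYS-5-CONFIG_I and cannot loop.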

Submit your script as a comment and the first one with fully functional requirements wins 100 tokens!
