One clarification please. When you exit config mode
you receive %SYS-5-CONFIG_I regardless of whether an actual change was made or
not. Is this an issue? Can this still be considered a "change"?

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#exit
R1#
*Sep 27 22:43:31.306: %SYS-5-CONFIG_I: Configured from console by console
On Wed, Jan 11, 2012 at 1:30 PM, Brian McGahan <bmcgahan_at_ine.com> wrote:
> Recently I have been working with a large enterprise customer that is
> looking to implement a new change control policy. The main goal of the
> policy is to be able to track who is making changes to devices in the
> network, and specifically what those changes are. As opposed to using a
> full-blown network management suite to do this for them, I suggested a
> simple solution of using TACACS for exec and command accounting (all
> devices are Cisco), and EEM scripting along with a TFTP server for tracking
> the actual configuration changes in case they need to roll back to a
> well-known good working config. The final result worked out very well, and
> I thought it would make a good CCIE level challenge as well.
>
> So here is the challenge - write an EEM script to manage change control in
> the network as follows. The first person to submit a working script to
> http://goo.gl/MAfv0 will win 100 rack rental tokens valid for any INE
> rack rentals or mock lab session.
>
> Every time a user makes a change to the configuration, the router should
> automatically TFTP its running configuration to the TFTP server 10.0.0.1
> using the following naming convention:
>
> HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.working.cfg
>
> This ensures that if a change is made to the network but not actually
> saved to NVRAM, and there is a device crash, you can recover the last
> working running config of the device. Also this naming format tells you
> when exactly the change was made and by whom. Remember that the router
> always generates a %SYS-5-CONFIG log message when a change is made. So for
> example suppose the following change was made:
>
> EDGE-ROUTER-1#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> EDGE-ROUTER-1(config)#int lo1234
> EDGE-ROUTER-1(config-if)#shutdown
> EDGE-ROUTER-1(config-if)#
> *Jan 11 19:05:49.694: %LINK-5-CHANGED: Interface Loopback1234, changed
> state to administratively down
> *Jan 11 19:05:50.694: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Loopback1234, changed state to down
> EDGE-ROUTER-1(config-if)#end
> EDGE-ROUTER-1#
> *Jan 11 19:05:59.054: %SYS-5-CONFIG_I: Configured from console by bmcgahan
> on console
>
> The router would then TFTP its running config to 10.0.0.1 using the
> filename EDGE-ROUTER-1.2011-01-11.19h05m59s.bmcgahan.working.cfg
>
> Secondly, the script should also make backups of configs that are actually
> saved to NVRAM. Similar to the previous requirement, files should be
> backed up to TFTP using the naming convention
> HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.startup.cfg. However in this case
> you need to account for the fact that different admins use different syntax
> when saving configs. Some of them use "write memory" or shorter variations
> like "wr m" or just "wr", while others use the "copy run start" variations.
> However, regardless of which variation is used, the router spits out the same
> output afterwards as follows:
>
> EDGE-ROUTER-1#wr
> Building configuration...
>
> [OK]
> EDGE-ROUTER-1#copy run start
> Destination filename [startup-config]?
> Building configuration...
>
> [OK]
>
> Lastly make sure that the script doesn't mistake a "show run" output for
> the same as a "write memory", as the outputs are similar:
>
> EDGE-ROUTER-1#sh run
> Building configuration...
>
>
> Current configuration : 3438 bytes
> !
> ! Last configuration change at 19:05:59 UTC Wed Jan 11 2012 by bmcgahan
> version 15.1
>
>
> Submit your script as a comment at http://goo.gl/MAfv0 and the first one
> with fully functional requirements wins 100 tokens!
>
>
>
> Brian McGahan, CCIE #8593 (R&S/SP/Security)
> bmcgahan_at_INE.com
>
> Internetwork Expert, Inc.
> http://www.INE.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
Received on Wed Jan 11 2012 - 13:40:59 ART
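
Added example, not part of either message in this thread: a collector-side Python sketch that derives the backup filename from a %SYS-5-CONFIG_I line and checks whether two captured configs really differ, which is the case the reply asks about. The function names are hypothetical, the year is passed in by the caller because the log line carries none, and the set of header lines ignored when comparing is an assumption.

```python
import hashlib
import re
from datetime import datetime

# Matches the %SYS-5-CONFIG_I line quoted in the thread. The line has no year.
CONFIG_I = re.compile(
    r"\*?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<hms>\d\d:\d\d:\d\d)(?:\.\d+)?: "
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<admin>\S+)"
)

# Header lines of "show run" output that are not configuration commands
# (assumption: these may differ between captures without a real edit).
VOLATILE = ("Building configuration", "Current configuration",
            "! Last configuration change")


def backup_name(hostname, log_line, year, kind="working"):
    """Build HOSTNAME.YYYY-MM-DD.HHhMMmSSs.ADMIN_NAME.<kind>.cfg, or None."""
    m = CONFIG_I.search(log_line)
    if m is None:
        return None  # some other syslog message, e.g. %LINK-5-CHANGED
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                           "%Y %b %d %H:%M:%S")
    # The admin name comes from the device and ends up in a file path on
    # the backup server, so anything outside a safe set is replaced.
    admin = re.sub(r"[^A-Za-z0-9_-]", "_", m["admin"])
    return f"{hostname}.{ts:%Y-%m-%d.%Hh%Mm%Ss}.{admin}.{kind}.cfg"


def config_digest(config_text):
    """SHA-256 of a captured config with the volatile header lines dropped."""
    kept = [line for line in config_text.splitlines()
            if not line.startswith(VOLATILE)]
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()


def is_real_change(previous_text, current_text):
    """True only if the configuration commands themselves differ."""
    return config_digest(previous_text) != config_digest(current_text)


if __name__ == "__main__":
    # Log line taken from the reply above (config mode entered and exited).
    line = ("*Sep 27 22:43:31.306: %SYS-5-CONFIG_I: "
            "Configured from console by console")
    print(backup_name("R1", line, 2011))
```

With this check a backup is still taken on every CONFIG_I message, but an upload whose digest matches the previous one can be flagged as an entry into config mode with no command change.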