EEM Script to deny users a particular command to run

Neel Shah
Level 1

Hi all, I need help in figuring out how, when any user runs clear arp-cache, the command doesn't actually execute. It's easy to do it with IOS, but with XR I am having trouble coming up with a script. Any ideas? XR doesn't have privilege commands and the customer does not want to use AAA.

Regards,

neel

6 Replies

Joe Clarke
Cisco Employee

What version of XR is this?  I know 4.3 has a CLI ED, but it isn't the same as IOS.  The policy will execute as a new process, so it may not actually skip the execution.  If it would work, something like this would do it:

# Register the policy on any CLI line that starts with "clear arp-cache"
::cisco::eem::event_register_cli pattern "^clear arp-cache"

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Tell the operator the command is blocked, then end the policy
puts "clear arp-cache is not allowed"
exit 0

Currently running only 4.2.3. This is basically a workaround for a bug fix :) So nothing currently in 4.2.3, I am guessing?

Looks like 4.2 has the same ED support.  The same caveat applies, though.  It may be asynchronous only, and thus not prevent the command from running.

That doesn't seem to work for some reason. The command still executes. Here's a snippet:

event manager directory user policy harddisk:
event manager policy arp_tcl.tcl username eem persist-time 3600
aaa authorization eventmanager default local

RP/0/RSP0/CPU0:rasr9k-1y#more harddisk:arp_tcl.tcl
Sat Apr 13 06:19:15.707 UTC
::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0"
#------------------------------------------------------------------
# EEM policy to prevent a command
#
# April 2013
#
# Copyright (c) 2013 by cisco Systems, Inc.
# All rights reserved.
#------------------------------------------------------------------
#
#
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
#
puts "clear arp-cache is not allowed"
exit 0

My ARP cache still clears:

-------------------------------------------------------------------------------
0/0/CPU0
-------------------------------------------------------------------------------
Address         Age        Hardware Addr   State      Type  Interface
172.29.1.1      -          6c9c.ed2d.375a  Interface  ARPA  TenGigE0/0/0/2
172.29.1.2      00:00:02   000d.662d.3540  Dynamic    ARPA  TenGigE0/0/0/2
RP/0/RSP0/CPU0:rasr9k-1y#

Any other ideas? 

Do you see the puts string being output in the logging buffer?  If so, then this is what I feared.  The CLI ED works asynchronously in XR, and the command cannot be prevented from executing.  The alternative in that case would be to use AAA command authorization.

mario.jost
Level 3

Just to give an answer after such a long time for any future readers that might come across this thread. You would have to use the synchronous mode. Just add this:

::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0" sync yes

You can optionally also add the maxrun timer, as these events time out after 20s by default.

::cisco::eem::event_register_cli pattern "^clear arp-cache location 0/0/CPU0" sync yes maxrun 10

So if you know your command does not take longer than 3s you can decrease the timeout, or if you have huge scripts that do firmware updates you may have to increase this to 600, meaning 10 min...
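Putting the thread together, here is an added example policy (not posted by anyone in this thread) that registers the CLI event synchronously, logs the blocked attempt to syslog so operations can see it, and tells EEM not to run the command. It assumes the IOS XR CLI event detector honours the `_exit_status` convention (0 = do not run the command, 1 = let it run) and exposes the matched command line in `_cli_msg`, as IOS does; both are assumptions to confirm against the XR release in use.

```tcl
# Added example: deny "clear arp-cache ..." from an EEM Tcl policy on IOS XR.
# Assumption: "sync yes" runs this policy before the command executes and EEM
# honours _exit_status (0 = do not run the command, 1 = let it run), as in IOS.
# The pattern is broader than the thread's "location 0/0/CPU0" variant so that
# every form of the command is caught, not just one location.
::cisco::eem::event_register_cli pattern "^clear arp-cache" sync yes maxrun 10

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Deny by default: if anything below fails, the command still does not run.
set _exit_status 0

# Assumption: _cli_msg holds the matched command line, as it does in IOS.
# Fall back to a placeholder so the syslog line is still useful without it.
set cmd "<command line unavailable>"
if {[info exists _cli_msg]} {
    set cmd $_cli_msg
}

# Record the attempt in syslog so blocked attempts are visible to operations,
# not only to the user who typed the command.
if {[catch {action_syslog priority warning msg "EEM blocked command: $cmd"} result]} {
    # Logging failed; keep the deny decision but tell the user why the log is missing.
    puts "clear arp-cache is not allowed (syslog failed: $result)"
} else {
    puts "clear arp-cache is not allowed"
}

# Leave _exit_status at 0 so EEM skips the command, then end the policy.
exit 0
```

Register it the same way as the earlier snippet in this thread (event manager directory user policy, event manager policy ... username ... persist-time), then verify with a test attempt that the syslog line appears and the ARP table is untouched.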